Re: CVE-2020-19909 possibly released without curl's authors ack (yet another NVD Critical)
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 25 Aug 2023 23:38:03 +0200 (CEST)
On Fri, 25 Aug 2023, Samuel Henrique via curl-library wrote:
> I wanted to let you know that there's a recent curl CVE published and
> it doesn't look like it was acknowledged by the curl authors since
> it's not mentioned in the curl website:
> CVE-2020-19909
Thank you for this Samuel. I had no idea.
This discovery makes me sad and upset at the same time.
1. The fact that people can submit curl CVEs without us being told is a system
failure.
2. This exact bug was discussed (and dismissed) by the curl security team in
2019: https://hackerone.com/reports/661847
3. This is not a security problem, as we figured out in the curl security team
and frankly, anyone can see that who spends more than 30 seconds on the
code and thinks about what the integer overflow in question is controlling.
4. NVD then in their infinite wisdom goes all bananas and ranks it a 9.8
CRITICAL. It is almost as if NVD *tries* to inflate curl reports. How the
heck can anyone motivate this severity level?
Unfortunately I think I need to spend some time to write up something about
this, in blog form and on the curl site.
This is not a (curl) security problem at all. This is just silly.
--
/ daniel.haxx.se | Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
Received on 2023-08-25