On Wednesday, December 28, 2022 9:25:39 PM CET Roberto C. Sánchez via curl-library wrote:

> I am in the process of trying to backport the fixes for CVE-2022-27774
> (commits 620ea21 and 139a54e) to some older versions of cURL,
> specifically I'm targeting some pre-7.83.0 versions (i.e., before the
> refactor of 46620b9).
>
> Because the code is somewhat different in the older versions I am
> targeting, I am also trying to implement the associated tests (973-976
> in commit 5295e8d). However, the tests also make use of some constructs
> that seem to have been introduced fairly recently. As a result of that,
> I am not able to verify my backported patch.
>
> In particular, these two lines in 620ea21 refer to struct members which
> are not present prior to 46620b9:
>
> Curl_safefree(data->state.aptr.user);
> Curl_safefree(data->state.aptr.passwd);
>
> My thought is that in the older versions of curl the same is
> accomplished by this instead:
>
> Curl_safefree(data->set.str[STRING_USERNAME]);
> Curl_safefree(data->set.str[STRING_PASSWORD]);
>
> Is someone able to confirm that this is the correct way to deal with
> CVE-2022-27774 in older curl releases?
>
> Regards,
>
> -Roberto
You can have a look at how I backported the fixes, including the regression tests, for curl-7.76.1 in CentOS Stream:

https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch

Kamil
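An added illustration, not curl's code and not the linked backport: the decision that the CVE-2022-27774 fix changes, written as two stand-alone C functions. Before the fix, curl kept the user name and password across a redirect as long as the host matched; after it, a change of protocol or port also discards them, which is what the Curl_safefree calls in the quoted message carry out. The URL parser is a simplified stand-in that knows only http and https.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
struct origin {            /* constructed illustration, not curl's own structs */
    char scheme[16];
    char host[256];
    int port;              /* explicit port, or the scheme's default */
};

static int default_port(const char *s) {   /* only the schemes this example needs */
    return strcmp(s, "https") == 0 ? 443 : strcmp(s, "http") == 0 ? 80 : -1;
}

static void lowercase(char *s) {
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}
/* Parse "scheme://host[:port][/path]" into an origin; returns 0 on success. */
static int parse_origin(const char *url, struct origin *o) {
    const char *p = strstr(url, "://");
    if (!p || (size_t)(p - url) >= sizeof(o->scheme)) return -1;
    memcpy(o->scheme, url, (size_t)(p - url));
    o->scheme[p - url] = '\0';
    p += 3;
    size_t n = strcspn(p, ":/");
    if (n == 0 || n >= sizeof(o->host)) return -1;
    memcpy(o->host, p, n);
    o->host[n] = '\0';
    lowercase(o->scheme);
    lowercase(o->host);
    o->port = (p[n] == ':') ? atoi(p + n + 1) : default_port(o->scheme);
    return o->port > 0 ? 0 : -1;
}

/* Pre-fix rule: credentials followed a redirect unless the host changed, so
 * http://h/ -> https://h/ or http://h:8080/ still received the password. */
int keep_creds_before_fix(const char *orig, const char *next) {
    struct origin a, b;
    if (parse_origin(orig, &a) || parse_origin(next, &b)) return 0;
    return strcmp(a.host, b.host) == 0;
}

/* Post-fix rule: scheme, host and port must all match; otherwise the stored
 * user and password are freed before the redirected request is built. */
int keep_creds_after_fix(const char *orig, const char *next) {
    struct origin a, b;
    if (parse_origin(orig, &a) || parse_origin(next, &b)) return 0;
    return strcmp(a.scheme, b.scheme) == 0 && strcmp(a.host, b.host) == 0 &&
           a.port == b.port;
}
```

A backport can be checked against the same matrix the fix's tests cover: same origin keeps credentials, while a differing scheme, port or host drops them.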