On Thu, Dec 29, 2022 at 12:12:34PM +0100, Kamil Dudka wrote:
> On Thursday, December 29, 2022 11:56:59 AM CET Kamil Dudka wrote:
> >
> > You can have a look how I backported the fixes, including the regression
> > tests, for curl-7.76.1 in CentOS Stream:
> >
> > https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c9s/0013-curl-7.76.1-CVE-2022-27774.patch
>
> ... or the more complicated backport for curl-7.61.1, which also passes
> the upstream tests:
>
> https://gitlab.com/redhat/centos-stream/rpms/curl/-/blob/c8s/0038-curl-7.61.1-CVE-2022-27774.patch
>

Kamil,

Thank you! These patches were extremely helpful in developing a working fix
for CVE-2022-27774 in Debian. My first stop was 7.74.0, which looked quite
close to your patch for 7.76.1, with just a small bit of tweaking. The
upstream unit tests were most helpful here.

The next stops are 7.64.0, then 7.52.1, and 7.38.0. My hope is that your
7.61.1 patch requires little to no change for 7.64.0 and perhaps some minor
tweaking for 7.52.1. It is not clear what will happen with 7.38.0, given how
old it is. However, I will make an attempt.

Once I have completed all the backporting and ensured that the fix works and
the tests pass, I will post a complete set of patches, as well as any
commentary on obstacles I might not have been able to overcome, for those who
are interested.

Regards,

-Roberto

--
Roberto C. Sánchez

--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html