On Fri, 25 Aug 2023, Samuel Henrique via curl-library wrote:

> I wanted to let you know that there's a recent curl CVE published and
> it doesn't look like it was acknowledged by the curl authors since
> it's not mentioned in the curl website:
> CVE-2020-19909

Thank you for this Samuel. I had no idea.

This discovery makes me sad and upset at the same time.

1. The fact that people can submit curl CVEs without us being told is a system
   failure.

2. This exact bug was discussed (and dismissed) by the curl security team in
   2019: https://hackerone.com/reports/661847

3. This is not a security problem, as we figured out in the curl security team
   and frankly, anyone can see that who spends more than 30 seconds on the
   code and thinks about what the integer overflow in question is controlling.

4. NVD then in their infinite wisdom goes all bananas and ranks it a 9.8
   CRITICAL. It is almost as if NVD *tries* to inflate curl reports. How the
   heck can anyone motivate this severity level?

Unfortunately I think I need to spend some time to write up something about this, in blog form and on the curl site.

This is not a (curl) security problem at all. This is just silly.

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html