On Wed, 18 Dec 2024, 陈星杵 via curl-library wrote:
Sorry to bother you. I noticed that the "introduce commit" listed on the
"https://curl.se/docs/CVE-2017-7407.html"is 90030a49c7facfefeca8, but when I
checked the commit, there were no related code changes. I also found that
commit "dfec172157" is the initial commit where the vulnerability file was
introduced. So the truth introduce commit is "dfec172157"?
Thanks for checking and reporting. I think both hashes are wrong!
What could be considered the source of this (old) problem was this
condition/line:
else if('\\' == *ptr) {
At least that's the line we changed to fix the problem [1].
Tracing back through history, we can see that this line existed already back
here:
https://github.com/curl/curl/blob/curl-6_5/lib/writeout.c
That's curl 6.5 (much earlier than dfec172157), which the security advisory
says was affected.
This is before libcurl existed, but there was a lib directory because there
was already work going on toward a library. The file lib/writeout.c was
created in commit d073ec0a719bfa (introduced in 6.5) and seems to have the
vulnerable code path.
I therefore now believe d073ec0a719bfad2 [2] is the correct original commit
that introduced this problem.
Do you agree?
[1] = https://github.com/curl/curl/commit/8e65877870c1
[2] = https://github.com/curl/curl/commit/d073ec0a719bfad28
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
