On Thu, 2 Jan 2025, 陈星杵 via curl-library wrote:

> Hello! Sorry to bother you. I notice that CVE-2020-8231[1] is an Expired Pointer Dereference Vulnerability, and the patch[2] fixes 5 files. I know that c43127414d[3] is the introducing commit of lib/connect.c. At the same time, I find that the introducing commit of lib/multi.c is 575e885db0. So I want to know which one is the real vulnerability-introducing commit, and why?

This is becoming a pattern. You've asked for details for several CVE fixes already and so far I have only confirmed that the published information is correct.

Figuring out the exact commit that introduced a problem is tedious work but I always try to do that with care and accuracy so that the information to users becomes as good as possible. Usually I try to track down when a specific code pattern was introduced, which might have moved around across different source files over the years. Often it is hard to actually build and reproduce the problem with the (really) old versions so I typically then make a judgement call without actually proving it.

Details for a problem published several years ago of course now have a shrinking importance. Spending a lot of energy to research a 2020 issue seems like maybe not worth it anymore?

> I find that the introducing commit of lib/multi.c is 575e885db0.

Please elaborate. Which exact change was done in this commit that makes you believe it introduced the problem?

--

 / daniel.haxx.se || https://rock-solid.curl.dev
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
