On Sun, 4 Jan 2026, Samuel Henrique via curl-library wrote:
I was investigating CVE-2025-9086 for Debian
Running a git bisect on the upstream project [0], I've landed on the following
commit as introducing the ASAN failure:
https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603
Thanks all of you for doing this.
With your experiences and me reviewing this commit again, I am bound to agree
with you. This vulnerability was introduced in the commit mentioned above,
which was first included in curl 8.13.0.
PR to fix: https://github.com/curl/curl-www/pull/532
I believe the mistake was entirely mine and happened simply because I was
sloppy and only manually went through the cookie.c history using git blame.
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
