Re: git: a3dec5316c3e - main - security/vuxml: Document cURL vulnerability

From: Jason E. Hale <jhale_at_freebsd.org>
Date: Sun, 17 Sep 2023 18:23:22 UTC
On Sat, Sep 16, 2023 at 9:28 AM Bernard Spil <brnrd@freebsd.org> wrote:
>
> The branch main has been updated by brnrd:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=a3dec5316c3e45a676eef22de283ad57ea6a3111
>
> commit a3dec5316c3e45a676eef22de283ad57ea6a3111
> Author:     Bernard Spil <brnrd@FreeBSD.org>
> AuthorDate: 2023-09-16 13:27:51 +0000
> Commit:     Bernard Spil <brnrd@FreeBSD.org>
> CommitDate: 2023-09-16 13:27:51 +0000
>
>     security/vuxml: Document cURL vulnerability
>
>     PR:             273764
>     Reported by:    yasu
> ---
>  security/vuxml/attachment.cgi?id=244811 | 57 +++++++++++++++++++++++++++++++++
>  security/vuxml/vuln/2023.xml            | 36 +++++++++++++++++++++
>  2 files changed, 93 insertions(+)
>
> diff --git a/security/vuxml/attachment.cgi?id=244811 b/security/vuxml/attachment.cgi?id=244811
> new file mode 100644
> index 000000000000..20c93ef1ae8f
> --- /dev/null
> +++ b/security/vuxml/attachment.cgi?id=244811
> @@ -0,0 +1,57 @@
> +From 7ea414f0f67c4e6e54d86d54fd639ff476d9af73 Mon Sep 17 00:00:00 2001
> +From: Yasuhiro Kimura <yasu@FreeBSD.org>
> +Date: Thu, 14 Sep 2023 00:15:37 +0900
> +Subject: [PATCH] security/vuxml: Document "eat all memory" vulnerability in
> + curl
> +
> +---
> + security/vuxml/vuln/2023.xml | 36 ++++++++++++++++++++++++++++++++++++
> + 1 file changed, 36 insertions(+)
> +
> +diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> +index eb3c8fd68d81..862e66ee01b6 100644
> +--- a/security/vuxml/vuln/2023.xml
> ++++ b/security/vuxml/vuln/2023.xml
> +@@ -1,3 +1,39 @@
> ++  <vuln vid="833b469b-5247-11ee-9667-080027f5fec9">
> ++    <topic>curl -- HTTP headers eat all memory</topic>
> ++    <affects>
> ++      <package>
> ++      <name>curl</name>
> ++      <range><lt>8.3.0</lt></range>
> ++      </package>
> ++    </affects>
> ++    <description>
> ++      <body xmlns="http://www.w3.org/1999/xhtml">
> ++      <p>selmelc on hackerone reports:</p>
> ++      <blockquote cite="https://curl.se/docs/CVE-2023-38039.html">
> ++        <p>
> ++          When curl retrieves an HTTP response, it stores the
> ++          incoming headers so that they can be accessed later via
> ++          the libcurl headers API.
> ++        </p>
> ++        <p>
> ++          However, curl did not have a limit in how many or how
> ++          large headers it would accept in a response, allowing a
> ++          malicious server to stream an endless series of headers
> ++          and eventually cause curl to run out of heap memory.
> ++        </p>
> ++      </blockquote>
> ++      </body>
> ++    </description>
> ++    <references>
> ++      <cvename>CVE-2023-38039</cvename>
> ++      <url>https://curl.se/docs/CVE-2023-38039.html HERE</url>
> ++    </references>
> ++    <dates>
> ++      <discovery>2023-09-13</discovery>
> ++      <entry>2023-09-13</entry>
> ++    </dates>
> ++  </vuln>
> ++
> +   <vuln vid="b5508c08-547a-11ee-85eb-84a93843eb75">
> +     <topic>Roundcube -- XSS vulnerability</topic>
> +     <affects>
> +--
> +2.42.0
> +
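Review bot: The new file `security/vuxml/attachment.cgi?id=244811` is the raw Bugzilla attachment download (a `git format-patch` output, complete with the `From 7ea414f0...` header and the `2.42.0` trailer) saved under its URL filename; it was committed alongside the change it describes and has no function in the tree, so this hunk should be dropped with `git rm 'security/vuxml/attachment.cgi?id=244811'`. Note also that the embedded entry carries the same stray placeholder as the real one: `<url>https://curl.se/docs/CVE-2023-38039.html HERE</url>`.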

You probably didn't mean to add this file. Could you remove it please?

- Jason

> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index c3b1509b15e5..25773c90c5a5 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -1,3 +1,39 @@
> +  <vuln vid="833b469b-5247-11ee-9667-080027f5fec9">
> +    <topic>curl -- HTTP headers eat all memory</topic>
> +    <affects>
> +      <package>
> +       <name>curl</name>
> +       <range><lt>8.3.0</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +       <p>selmelc on hackerone reports:</p>
> +       <blockquote cite="https://curl.se/docs/CVE-2023-38039.html">
> +         <p>
> +           When curl retrieves an HTTP response, it stores the
> +           incoming headers so that they can be accessed later via
> +           the libcurl headers API.
> +         </p>
> +         <p>
> +           However, curl did not have a limit in how many or how
> +           large headers it would accept in a response, allowing a
> +           malicious server to stream an endless series of headers
> +           and eventually cause curl to run out of heap memory.
> +         </p>
> +       </blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2023-38039</cvename>
> +      <url>https://curl.se/docs/CVE-2023-38039.html HERE</url>
> +    </references>
> +    <dates>
> +      <discovery>2023-09-13</discovery>
> +      <entry>2023-09-13</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="b5508c08-547a-11ee-85eb-84a93843eb75">
>      <topic>Roundcube -- XSS vulnerability</topic>
>      <affects>
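Review bot: The `<url>` element contains a leftover placeholder, `<url>https://curl.se/docs/CVE-2023-38039.html HERE</url>`, which will be rendered as a broken link in the VuXML output; it should read `<url>https://curl.se/docs/CVE-2023-38039.html</url>`. Minor style point: `<name>`, `<range>`, `<p>` and `<blockquote>` in this hunk are indented one column deeper than the surrounding two-space steps (7 spaces under a 6-space `<package>`), which looks like a tab-for-spaces mix; re-indenting to match the neighbouring Roundcube entry would keep the file consistent.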