List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
From: "Jason E. Hale"
Date: Sun, 17 Sep 2023 14:23:22 -0400
Subject: Re: git: a3dec5316c3e - main - security/vuxml: Document cURL vulnerability
To: Bernard Spil
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org

On Sat, Sep 16, 2023 at 9:28 AM Bernard Spil wrote:
>
> The branch main has been updated by brnrd:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=a3dec5316c3e45a676eef22de283ad57ea6a3111
>
> commit a3dec5316c3e45a676eef22de283ad57ea6a3111
> Author: Bernard Spil
> AuthorDate: 2023-09-16 13:27:51 +0000
> Commit: Bernard Spil
> CommitDate: 2023-09-16 13:27:51 +0000
>
> security/vuxml: Document cURL vulnerability
>
> PR: 273764
> Reported by: yasu
> ---
> security/vuxml/attachment.cgi?id=244811 | 57 +++++++++++++++++++++++++++++++++
> security/vuxml/vuln/2023.xml | 36 +++++++++++++++++++++
> 2 files changed, 93 insertions(+)
> > diff --git a/security/vuxml/attachment.cgi?id=3D244811 b/security/vuxml/a= ttachment.cgi?id=3D244811 > new file mode 100644 > index 000000000000..20c93ef1ae8f > --- /dev/null > +++ b/security/vuxml/attachment.cgi?id=3D244811 > @@ -0,0 +1,57 @@ > +From 7ea414f0f67c4e6e54d86d54fd639ff476d9af73 Mon Sep 17 00:00:00 2001 > +From: Yasuhiro Kimura > +Date: Thu, 14 Sep 2023 00:15:37 +0900 > +Subject: [PATCH] security/vuxml: Document "eat all memory" vulnerability= in > + curl > + > +--- > + security/vuxml/vuln/2023.xml | 36 ++++++++++++++++++++++++++++++++++++ > + 1 file changed, 36 insertions(+) > + > +diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml > +index eb3c8fd68d81..862e66ee01b6 100644 > +--- a/security/vuxml/vuln/2023.xml > ++++ b/security/vuxml/vuln/2023.xml > +@@ -1,3 +1,39 @@ > ++ > ++ curl -- HTTP headers eat all memory > ++ > ++ > ++ curl > ++ 8.3.0 > ++ > ++ > ++ > ++ > ++

selmelc on hackerone reports:

> ++
> ++

> ++ When curl retrieves an HTTP response, it stores the > ++ incoming headers so that they can be accessed later via > ++ the libcurl headers API. > ++

> ++

> ++ However, curl did not have a limit in how many or how > ++ large headers it would accept in a response, allowing a > ++ malicious server to stream an endless series of headers > ++ and eventually cause curl to run out of heap memory. > ++

> ++
> ++ > ++
> ++ > ++ CVE-2023-38039 > ++ https://curl.se/docs/CVE-2023-38039.html HERE > ++ > ++ > ++ 2023-09-13 > ++ 2023-09-13 > ++ > ++
> ++ > + > + Roundcube -- XSS vulnerability > + > +-- > +2.42.0 > + You probably didn't mean to add this file. Could you remove it please? - Jason > diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml > index c3b1509b15e5..25773c90c5a5 100644 > --- a/security/vuxml/vuln/2023.xml > +++ b/security/vuxml/vuln/2023.xml > @@ -1,3 +1,39 @@ > + > + curl -- HTTP headers eat all memory > + > + > + curl > + 8.3.0 > + > + > + > + > +

selmelc on hackerone reports:

> +
> +

> + When curl retrieves an HTTP response, it stores the > + incoming headers so that they can be accessed later via > + the libcurl headers API. > +

> +

> + However, curl did not have a limit in how many or how > + large headers it would accept in a response, allowing a > + malicious server to stream an endless series of headers > + and eventually cause curl to run out of heap memory. > +

> +
> + > +
> + > + CVE-2023-38039 > + https://curl.se/docs/CVE-2023-38039.html HERE > + > + > + 2023-09-13 > + 2023-09-13 > + > +
> + > > Roundcube -- XSS vulnerability >
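Review bot: the new file security/vuxml/attachment.cgi?id=244811 should not be part of this commit. Its added lines are a mail-formatted patch (a "From 7ea414f0f67c..." line, a "Subject: [PATCH]" header, a diffstat and a trailing "2.42.0" version line) wrapping the same curl entry that this commit also adds directly to security/vuxml/vuln/2023.xml, so it is a saved copy of the submitted patch rather than vuxml content. Remove the file in a follow-up commit and keep only the vuln/2023.xml change.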
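Review bot: in the security/vuxml/vuln/2023.xml hunk, the reference line carrying https://curl.se/docs/CVE-2023-38039.html ends with a stray word "HERE" after the URL. It reads like leftover placeholder text, and it leaves the reference as something other than a clean URL for anything that consumes it. Drop the trailing " HERE" so the line holds only the advisory address.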