Hi Ola,

On Fri, Dec 23, 2016 at 11:54:11PM +0100, Ola Lundqvist wrote:
> Hi
>
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
>
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
>
> 1) There are no known exploits -> minor issue (?)

This can change at any time.

> 2) The functions have been documented as deprecated for a long time
> 3) The problem only occurs on applications without proper input
> sanitizing (and using curl_mprintf), so one could even argue that this
> is not really a fault in curl at all.
>
> Due to this I could argue that it would mean a no-dsa tag.
>
> However, the patch is quite simple, so maybe it would be worth fixing anyway.
> Also, it is for a library and we do not really know how libraries are
> used.

The curl_mvprintf functions seem to invoke dprintf_formatf, so it would
be time consuming to check if anything in Debian is affected. Given the
simplicity of the patch I'd rather fix it than not.

Cheers,
 -- Guido

>
> So what do you think?