@@ -44,7 +44,47 @@ SOLUTION
4444
4545Relax. Use curl as usual.
4646
47- The curl security team will work on getting this CVE rejected.
47+ The curl security team tried to get this CVE rejected. The MITRE system
48+ unfortunately makes that impossible. We can only make this CVE get marked
49+ ** DISPUTED** , which we are not satisfied with but have to accept under
50+ protest.
51+
52+ EXPLANATION
53+ -----------
54+
55+ First we of course think that the "burden of proof" would be on the person
56+ that insists that there is a problem. The one saying that this is a CVE should
57+ provide the necessary details to explain "beyond reasonable doubt" that the
58+ identified problem is a vulnerability. There are no such details or
59+ explanations provided in the existing CVE. There is nothing there that
60+ identifies a vulnerability.
61+
62+ I'm convinced someone just grepped commit messages for this and submitted a
63+ CVE and there was nothing and no one that even tried to confirm or check that
64+ this was actually legitimate. There was no filter in place and it was
65+ incorrectly let through. That's why it should be rejected. Saying it is
66+ "disputed" hints that there can be different views on this subject.
67+
68+ So, you are asking me to explain how this not identified vulnerability is
69+ actually not identifying a vulnerability.
70+
71+ Let me try:
72+
73+ The claimed issue identifies a bug in curl that
74+
75+ 1 . only existed in debug-builds (thus disqualified)
76+
77+ 2 . even in debug-builds, a bad access will at worst cause a crash, which is
78+ also what the assert itself does when triggered. Thus having the same end
79+ result. Not a vulnerability.
80+
81+ 3 . in most situations, the bad access will not cause any problems at all,
82+ even in debug-builds (because the accessed stack memory is readable)
83+
84+ My claims can easily be verified and double-checked by simply reading the
85+ code. It's not complicated.
86+
87+ / Daniel
4888
4989RECOMMENDATIONS
5090--------------
0 commit comments