CVE-2023-52071.md: another bogus curl CVE

Closes #323
curl · Jan 30, 2024 · dff09e3 · dff09e3
1 parent 32b25c0
commit dff09e3
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 1 deletion.
diff --git a/docs/CVE-2023-52071.md b/docs/CVE-2023-52071.md
@@ -0,0 +1,66 @@
+Bogus report filed by anonymous
+===============================
+
+Project curl Security Dismissal, August 26 2023 -
+[Permalink](https://curl.se/docs/CVE-2023-52071.html)
+
+VULNERABILITY
+-------------
+
+None. CVE-2023-52071 was filed and made public by an anonymous person due to
+incompetence or malice. We cannot say which and the distinction does not
+matter to us.
+
+The original description said:
+
+`tiny-curl-8_4_0`, `curl-8_4_0` and `curl-8_5_0` were discovered to contain an
+off-by-one out-of-bounds array index via the component `tool_cb_wrt`.
+
+INFO
+----
+
+CVE-2023-52071 was published on January 30 2024. Its existence was reported to
+us the same day.
+
+The CVE references a git commit that fixes an assert. The assert itself
+accesses a stack based buffer one byte out of boundary. This code is only
+included in debug builds and never in release-builds. Even in debug builds it
+is not a security problem.
+
+The referenced bug was introduced in [a
+commit](https://github.com/curl/curl/commit/af3f4e419b9f3397) done on April 4
+2023 (shipped in 8.3.0), later fixed again in [a
+commit](https://github.com/curl/curl/commit/73980f9ace6c7577e7) merged on
+September 13 2023 (shipped in 8.4.0).
+
+AFFECTED VERSIONS
+-----------------
+
+It does not affect any version. It is not a security problem. It was a bug
+that we fixed in September 2023.
+
+SOLUTION
+------------
+
+Relax. Use curl as usual.
+
+The curl security team will work on getting this CVE rejected.
+
+RECOMMENDATIONS
+--------------
+
+Do not blindly trust the CVE system. It is full of cracks and bogus reports
+such as CVE-2023-52071.
+
+TIMELINE
+--------
+
+This CVE was made public on January 30 2024. We were notified about it on
+January 30.
+
+CREDITS
+-------
+
+- Reported-by: Pedro Sampaio
+
+Thanks a lot!
diff --git a/docs/Makefile b/docs/Makefile
@@ -163,6 +163,7 @@ CVELIST = \
  CVE-2023-28322.html \
  CVE-2023-32001.html \
  CVE-2020-19909.html \
+ CVE-2023-52071.html \
  CVE-2023-38039.html \
  CVE-2023-38545.html \
  CVE-2023-38546.html \

diff --git a/docs/_security.html b/docs/_security.html
@@ -88,6 +88,7 @@
  Issues filed by others that are plain lies:
 <ul>
 <li> <a href="CVE-2020-19909.html">CVE-2020-19909</a>
+<li> <a href="CVE-2023-52071.html">CVE-2023-52071</a>
 </ul>
 
 

diff --git a/docs/cve-checker.pl b/docs/cve-checker.pl
@@ -21,6 +21,7 @@
 my %whitelist = (
  "CVE-2019-15601.md" => 1,
  "CVE-2020-19909.md" => 1,
+ "CVE-2023-52071.md" => 1,
  "CVE-2023-32001.md" => 1,
  );
 

diff --git a/docs/mk-adv-template.pl b/docs/mk-adv-template.pl
@@ -32,7 +32,7 @@
  if($issue) {
  $dissue = "#define FLAWISSUE $issue\n";
  }
- if($award) {
+ if($award > 0) {
  $daward = "#define FLAWAWARD $award\n";
  }
  print <<TEMPLATE

diff --git a/docs/novuln.pm b/docs/novuln.pm
@@ -14,6 +14,7 @@
 #
 # List of CWEs => https://cwe.mitre.org/data/definitions/658.html
 @novuln = (
+ "CVE-2023-52071.html|-|-|Bogus report filed by anonymous|CVE-2023-52071|20240130|20240130|-|-|-|-",
  "CVE-2019-15601.html|6.0|7.67.0|SMB access smuggling via FILE URL on Windows|CVE-2019-15601|20200108|20191031|CWE-20: Improper Input Validation|400",
  "CVE-2020-19909.html|-|-|Bogus report filed by anonymous|CVE-2020-19909|20230822|20230825|-|-|-|-",
  "CVE-2023-32001.html|7.84.0|8.1.2|fopen race condition|CVE-2023-32001|20230719|20230627|CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition|2400|storage|-|both|medium|https://hackerone.com/reports/2039870",