From nobody Sun Sep 17 18:23:22 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RpbsP6V6lz4tYJc;
	Sun, 17 Sep 2023 18:23:37 +0000 (UTC)
	(envelope-from bsdkaffee@gmail.com)
Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4RpbsN0fc3z4pNr;
	Sun, 17 Sep 2023 18:23:36 +0000 (UTC)
	(envelope-from bsdkaffee@gmail.com)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=pass (mx1.freebsd.org: domain of bsdkaffee@gmail.com designates 209.85.208.50 as permitted sender) smtp.mailfrom=bsdkaffee@gmail.com;
	dmarc=none
Received: by mail-ed1-f50.google.com with SMTP id 4fb4d7f45d1cf-523100882f2so4802730a12.2;
        Sun, 17 Sep 2023 11:23:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1694975014; x=1695579814;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=7KLSR3/KJmEk9f5+S847uZYbiq0GdhaVW6dmbtIE+YA=;
        b=vE7vZAlDSCIEK8tKgWjsc16u4zzjqh1zuHAXqAw6y6KcwTx7lMuVHjt7EQq9DZ8c10
         umBIZAJPbi4sl+Tz1saQgYappnnyRbIzCijbMsdP4V+1iIdDzw1FSX3hRcLPQZBYMkv0
         PB3bzxqGPesg+ln1vVA+1sqJaLR+luzKgg62LEodXtnhJ/mwjOEk80J/Dzgi4bk5vjNk
         qhJkUq9HTwsWvquQXbwsZmfjxHd0MK2PTKNTI/pgGdnF2xQKchfocpzN6XxGFeCEe96K
         25PDsFHlxWGyjVmJXNPQoVgFEyOAuSN6cMKv8QYRx73SfvRf5LylBJy1nIiWfKygkWGO
         2VDA==
X-Gm-Message-State: AOJu0YxOGcINMsVB3SNrwx18h5jo/+Pc7DxMh88tVvuRUiYoxptQT58D
	jGLXuQUk8z3LSmjdFDm4HkPfk+NK4eqZLEjtwPLurSBq
X-Google-Smtp-Source: AGHT+IFrxwnIh+TiWCUvFyQlErgQGW5gIaAudPIH8YArPv/TByJEIKz9vordI5ZnRRErGOhRbhztfXUPP7NGlZ6158g=
X-Received: by 2002:a05:6402:2683:b0:530:9d23:9f27 with SMTP id
 w3-20020a056402268300b005309d239f27mr6912326edd.31.1694975013805; Sun, 17 Sep
 2023 11:23:33 -0700 (PDT)
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
References: <202309161328.38GDSngf016525@gitrepo.freebsd.org>
In-Reply-To: <202309161328.38GDSngf016525@gitrepo.freebsd.org>
From: "Jason E. Hale" <jhale@freebsd.org>
Date: Sun, 17 Sep 2023 14:23:22 -0400
Message-ID: <CAJE75NFU_dEGvhW2XQrjOVtQLow=-hBA1Xz4anW0AZf9tJ-oKw@mail.gmail.com>
Subject: Re: git: a3dec5316c3e - main - security/vuxml: Document cURL vulnerability
To: Bernard Spil <brnrd@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, 
	dev-commits-ports-main@freebsd.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spamd-Bar: /
X-Spamd-Result: default: False [-0.92 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-0.79)[-0.793];
	NEURAL_SPAM_SHORT(0.58)[0.577];
	FORGED_SENDER(0.30)[jhale@freebsd.org,bsdkaffee@gmail.com];
	R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17];
	MIME_HTML_ONLY(0.20)[];
	MIME_TRACE(0.00)[0:~];
	RCVD_COUNT_ONE(0.00)[1];
	MLMMJ_DEST(0.00)[dev-commits-ports-all@freebsd.org,dev-commits-ports-main@freebsd.org];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	R_DKIM_NA(0.00)[];
	RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.208.50:from];
	RCVD_TLS_LAST(0.00)[];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	RCVD_IN_DNSWL_NONE(0.00)[209.85.208.50:from];
	TO_DN_SOME(0.00)[];
	RCPT_COUNT_THREE(0.00)[4];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	DMARC_NA(0.00)[freebsd.org];
	FROM_NEQ_ENVFROM(0.00)[jhale@freebsd.org,bsdkaffee@gmail.com]
X-Rspamd-Queue-Id: 4RpbsN0fc3z4pNr

On Sat, Sep 16, 2023 at 9:28=E2=80=AFAM Bernard Spil <brnrd@freebsd.org> wr=
ote:
>
> The branch main has been updated by brnrd:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=3Da3dec5316c3e45a676eef22d=
e283ad57ea6a3111
>
> commit a3dec5316c3e45a676eef22de283ad57ea6a3111
> Author:     Bernard Spil <brnrd@FreeBSD.org>
> AuthorDate: 2023-09-16 13:27:51 +0000
> Commit:     Bernard Spil <brnrd@FreeBSD.org>
> CommitDate: 2023-09-16 13:27:51 +0000
>
>     security/vuxml: Document cURL vulnerability
>
>     PR:             273764
>     Reported by:    yasu
> ---
>  security/vuxml/attachment.cgi?id=3D244811 | 57 +++++++++++++++++++++++++=
++++++++
>  security/vuxml/vuln/2023.xml            | 36 +++++++++++++++++++++
>  2 files changed, 93 insertions(+)
>
> diff --git a/security/vuxml/attachment.cgi?id=3D244811 b/security/vuxml/a=
ttachment.cgi?id=3D244811
> new file mode 100644
> index 000000000000..20c93ef1ae8f
> --- /dev/null
> +++ b/security/vuxml/attachment.cgi?id=3D244811
> @@ -0,0 +1,57 @@
> +From 7ea414f0f67c4e6e54d86d54fd639ff476d9af73 Mon Sep 17 00:00:00 2001
> +From: Yasuhiro Kimura <yasu@FreeBSD.org>
> +Date: Thu, 14 Sep 2023 00:15:37 +0900
> +Subject: [PATCH] security/vuxml: Document "eat all memory" vulnerability=
 in
> + curl
> +
> +---
> + security/vuxml/vuln/2023.xml | 36 ++++++++++++++++++++++++++++++++++++
> + 1 file changed, 36 insertions(+)
> +
> +diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> +index eb3c8fd68d81..862e66ee01b6 100644
> +--- a/security/vuxml/vuln/2023.xml
> ++++ b/security/vuxml/vuln/2023.xml
> +@@ -1,3 +1,39 @@
> ++  <vuln vid=3D"833b469b-5247-11ee-9667-080027f5fec9">
> ++    <topic>curl -- HTTP headers eat all memory</topic>
> ++    <affects>
> ++      <package>
> ++      <name>curl</name>
> ++      <range><lt>8.3.0</lt></range>
> ++      </package>
> ++    </affects>
> ++    <description>
> ++      <body xmlns=3D"http://www.w3.org/1999/xhtml">
> ++      <p>selmelc on hackerone reports:</p>
> ++      <blockquote cite=3D"https://curl.se/docs/CVE-2023-38039.html">
> ++        <p>
> ++          When curl retrieves an HTTP response, it stores the
> ++          incoming headers so that they can be accessed later via
> ++          the libcurl headers API.
> ++        </p>
> ++        <p>
> ++          However, curl did not have a limit in how many or how
> ++          large headers it would accept in a response, allowing a
> ++          malicious server to stream an endless series of headers
> ++          and eventually cause curl to run out of heap memory.
> ++        </p>
> ++      </blockquote>
> ++      </body>
> ++    </description>
> ++    <references>
> ++      <cvename>CVE-2023-38039</cvename>
> ++      <url>https://curl.se/docs/CVE-2023-38039.html HERE</url>
> ++    </references>
> ++    <dates>
> ++      <discovery>2023-09-13</discovery>
> ++      <entry>2023-09-13</entry>
> ++    </dates>
> ++  </vuln>
> ++
> +   <vuln vid=3D"b5508c08-547a-11ee-85eb-84a93843eb75">
> +     <topic>Roundcube -- XSS vulnerability</topic>
> +     <affects>
> +--
> +2.42.0
> +

You probably didn't mean to add this file. Could you remove it please?

- Jason

> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index c3b1509b15e5..25773c90c5a5 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -1,3 +1,39 @@
> +  <vuln vid=3D"833b469b-5247-11ee-9667-080027f5fec9">
> +    <topic>curl -- HTTP headers eat all memory</topic>
> +    <affects>
> +      <package>
> +       <name>curl</name>
> +       <range><lt>8.3.0</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns=3D"http://www.w3.org/1999/xhtml">
> +       <p>selmelc on hackerone reports:</p>
> +       <blockquote cite=3D"https://curl.se/docs/CVE-2023-38039.html">
> +         <p>
> +           When curl retrieves an HTTP response, it stores the
> +           incoming headers so that they can be accessed later via
> +           the libcurl headers API.
> +         </p>
> +         <p>
> +           However, curl did not have a limit in how many or how
> +           large headers it would accept in a response, allowing a
> +           malicious server to stream an endless series of headers
> +           and eventually cause curl to run out of heap memory.
> +         </p>
> +       </blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2023-38039</cvename>
> +      <url>https://curl.se/docs/CVE-2023-38039.html HERE</url>
> +    </references>
> +    <dates>
> +      <discovery>2023-09-13</discovery>
> +      <entry>2023-09-13</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid=3D"b5508c08-547a-11ee-85eb-84a93843eb75">
>      <topic>Roundcube -- XSS vulnerability</topic>
>      <affects>