CVE: provide introduced-in/fixed-in git commit URLs

These are extracted and used to populate the JSON objects accordingly. Ref: #240
curl · May 4, 2023 · 6812da3 · 6812da3
1 parent 0ea2c27
commit 6812da3
Show file tree

Hide file tree

Showing 57 changed files with 77 additions and 109 deletions.
diff --git a/docs/CVE-2016-9594.md b/docs/CVE-2016-9594.md
@@ -18,8 +18,7 @@ operations vulnerable.
 
 This function is brand new in 7.52.0 and is the result of an overhaul to make
 sure libcurl uses strong random as much as possible - provided by the backend
-TLS crypto libraries when present. The faulty function was introduced in [this
-commit](https://github.com/curl/curl/commit/f682156a4fc6c43fb).
+TLS crypto libraries when present.
 
 INFO
 ----
@@ -47,6 +46,7 @@ This flaw exists in the following libcurl versions.
 
 - Affected versions: libcurl 7.52.0 only
 - Not affected versions: libcurl < 7.52.0 and libcurl >= 7.52.1
+- Introduced-in: https://github.com/curl/curl/commit/f682156a4fc6c43fb
 
 libcurl is used by many applications, but not always advertised as such!
 
@@ -56,8 +56,7 @@ THE SOLUTION
 In version 7.52.1, we fixed the function and we fixed the valgrind parser in
 the test suite.
 
-A [patch for CVE-2016-9594](https://curl.se/CVE-2016-9594.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/f81b2277a8e7e9ce880
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-1000101.md b/docs/CVE-2017-1000101.md
@@ -23,9 +23,7 @@ INFO
 ----
 
 This flaw only affects the curl command line tool, not the libcurl
-library. The bug was introduced in commit
-[5ca96cb84410270](https://github.com/curl/curl/commit/5ca96cb84410270), August
-2013. curl 7.34.0.
+library.
 
 For version 7.55.0, the parser properly stops at the end of the string and a
 test has been added to verify this.
@@ -40,14 +38,14 @@ AFFECTED VERSIONS
 
 - Affected versions: curl 7.34.0 to and including 7.54.1
 - Not affected versions: curl < 7.34.0 and >= 7.55.0
+- Introduced-in: https://github.com/curl/curl/commit/5ca96cb84410270
 
 curl is used by many applications, but not always advertised as such.
 
 THE SOLUTION
 ------------
 
-A [patch for CVE-2017-1000101](https://curl.se/CVE-2017-1000101.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/453e7a7a03a2cec74
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-1000254.md b/docs/CVE-2017-1000254.md
@@ -31,9 +31,6 @@ suggest that malformed PWD responses are rare in benign servers.
 INFO
 ----
 
-This bug was introduced in commit
-[415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005.
-
 In libcurl version 7.56.0, the parser always zero terminates the string but
 also rejects it if not terminated properly with a final double quote.
 
@@ -47,14 +44,14 @@ AFFECTED VERSIONS
 
 - Affected versions: libcurl 7.7 to and including 7.55.1
 - Not affected versions: libcurl < 7.7 and >= 7.56.0
+- Introduced-in: https://github.com/curl/curl/commit/415d2e7cb7
 
 curl is used by many applications, but not always advertised as such.
 
 THE SOLUTION
 ------------
 
-A [patch for CVE-2017-1000254](https://curl.se/CVE-2017-1000254.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-1000257.md b/docs/CVE-2017-1000257.md
@@ -23,9 +23,7 @@ deliver that to the application as if it was actually downloaded.
 INFO
 ----
 
-This bug was introduced in commit
-[ec3bb8f727](https://github.com/curl/curl/commit/ec3bb8f727), December 2009,
-when the initial support for IMAP was introduced.
+This bug was introduced when the initial support for IMAP was introduced.
 
 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2017-1000257 to this issue.
@@ -37,6 +35,7 @@ AFFECTED VERSIONS
 
 - Affected versions: libcurl 7.20.0 to and including 7.56.0
 - Not affected versions: libcurl < 7.20.0 and >= 7.56.1
+- Introduced-in: https://github.com/curl/curl/commit/ec3bb8f727
 
 curl is used by many applications, but not always advertised as such.
 
@@ -45,8 +44,7 @@ THE SOLUTION
 
 In libcurl version 7.56.1, a zero bytes response is not passed on.
 
-A [patch for CVE-2017-1000257](https://curl.se/CVE-2017-1000257.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/13c9a9ded3ae744a1e11cbc14e9146d9fa427040 
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-8816.md b/docs/CVE-2017-8816.md
@@ -24,10 +24,6 @@ overrun.
 INFO
 ----
 
-This bug was introduced in commit
-[86724581b6c02d160b5](https://github.com/curl/curl/commit/86724581b6c02d160b5),
-January 2014.
-
 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2017-8816 to this issue.
 
@@ -42,6 +38,7 @@ should be rare.
 
 - Affected versions: libcurl 7.36.0 to and including 7.56.1
 - Not affected versions: libcurl < 7.36.0 and >= 7.57.0
+- Introduced-in: https://github.com/curl/curl/commit/86724581b6c02d160b5
 
 curl is used by many applications, but not always advertised as such.
 
@@ -50,8 +47,7 @@ THE SOLUTION
 
 In libcurl version 7.57.0, the integer overflow is avoided.
 
-A [patch for CVE-2017-8816](https://curl.se/CVE-2017-8816.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/7f2a1df6f5fc598750b2c
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-8817.md b/docs/CVE-2017-8817.md
@@ -23,9 +23,6 @@ that can redirect clients to a URL using such a wildcard pattern.
 INFO
 ----
 
-This bug was introduced in commit
-[0825cd80a62c](https://github.com/curl/curl/commit/0825cd80a62c), May 2010.
-
 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2017-8817 to this issue.
 
@@ -36,6 +33,7 @@ AFFECTED VERSIONS
 
 - Affected versions: libcurl 7.21.0 to and including 7.56.1
 - Not affected versions: libcurl < 7.21.0 and >= 7.57.0
+- Introduced-in: https://github.com/curl/curl/commit/0825cd80a62c
 
 curl is used by many applications, but not always advertised as such.
 
@@ -47,8 +45,7 @@ string. Additionally, the wildcard feature is turned off if the URL passed to
 libcurl is not using FTP(S), so a redirect to an FTP URL cannot trigger
 wildcard functionality.
 
-A [patch for CVE-2017-8817](https://curl.se/CVE-2017-8817.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/0b664ba968437715819b
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-8818.md b/docs/CVE-2017-8818.md
@@ -31,9 +31,6 @@ happens in 32-bit builds.
 INFO
 ----
 
-This bug was introduced in commit
-[70f1db321a](https://github.com/curl/curl/commit/70f1db321a), July 2017.
-
 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2017-8818 to this issue.
 
@@ -47,6 +44,8 @@ systems where `sizeof(long long *) < sizeof(long long)`.)
 
 - Affected versions: libcurl 7.56.0 to and including 7.56.1
 - Not affected versions: libcurl < 7.56.0 and >= 7.57.0
+- Introduced-in: https://github.com/curl/curl/commit/70f1db321a
+
 
 curl is used by many applications, but not always advertised as such.
 
@@ -55,8 +54,7 @@ THE SOLUTION
 
 In libcurl version 7.57.0, the allocation size is corrected.
 
-A [patch for CVE-2017-8818](https://curl.se/CVE-2017-8818.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/9b5e12a5491d2e6b68e0c
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2017-9502.md b/docs/CVE-2017-9502.md
@@ -20,10 +20,6 @@ bytes too much.
 INFO
 ----
 
-This flaw also affects the curl command line tool. It was introduced in commit
-[1d4202ade602](https://github.com/curl/curl/commit/1d4202ade602), discussed in
-[issue #1124](https://github.com/curl/curl/pull/1124).
-
 HTTP redirects to file: URLs are not affected.
 
 For version 7.54.1, the function that cleans up the file: URLs is fixed to not
@@ -42,6 +38,7 @@ which is limited to Windows and DOS builds, including cygwin.
 
 - Affected versions: libcurl 7.53.0 to and including 7.54.0
 - Not affected versions: libcurl < 7.53.0 and >= 7.54.1
+- Introduced-in: https://github.com/curl/curl/commit/1d4202ade602
 
 libcurl is used by many applications, but not always advertised as such!
 
@@ -51,8 +48,7 @@ THE SOLUTION
 The function now takes better care to allocate memory enough to store what's
 copied and to copy the strings to the correct output offsets.
 
-A [patch for CVE-2017-9502](https://curl.se/CVE-2017-9502.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/5d7952f52e410e1d4a8
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2018-0500.md b/docs/CVE-2018-0500.md
@@ -62,11 +62,9 @@ PHP code:
 INFO
 ----
 
-This bug was introduced in April 2017 in [this
-commit](https://github.com/curl/curl/commit/e40e9d7f0decc79) when we
-introduced support for buffer resize. The scratch buffer was mistakenly made
-to use the dynamic size when it should kept using the fixed upload buffer
-size.
+This bug was introduced in April 2017 when we introduced support for buffer
+resize. The scratch buffer was mistakenly made to use the dynamic size when it
+should kept using the fixed upload buffer size.
 
 The Common Vulnerabilities and Exposures (CVE) project has assigned the name
 CVE-2018-0500 to this issue.
@@ -80,6 +78,7 @@ AFFECTED VERSIONS
 
 - Affected versions: curl 7.54.1 to and including curl 7.60.0
 - Not affected versions: curl < 7.54.1 and curl >= 7.61.0
+- Introduced-in: https://github.com/curl/curl/commit/e40e9d7f0decc7
 
 libcurl is used by many applications, but not always advertised as such.
 
@@ -89,8 +88,7 @@ THE SOLUTION
 In curl version 7.61.0, curl will use the upload buffer size as base for the
 scratch area allocation.
 
-A [patch for CVE-2018-0500](https://github.com/curl/curl/commit/ba1dbd78e5f1e.patch) is
-available.
+- Fixed-in: https://github.com/curl/curl/commit/ba1dbd78e5f1e
 
 RECOMMENDATIONS
 ---------------

diff --git a/docs/CVE-2019-15601.md b/docs/CVE-2019-15601.md
@@ -60,7 +60,7 @@ libcurl is used by many applications, but not always advertised as such.
 THE SOLUTION
 ------------
 
-A [fix for CVE-2019-15601](https://github.com/curl/curl/commit/1b71bc532bde8621fd3260843f8197182a467ff2)
+- Fixed-in: https://github.com/curl/curl/commit/1b71bc532bde8621fd32608
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2019-5435.md b/docs/CVE-2019-5435.md
@@ -47,7 +47,7 @@ libcurl is used by many applications, but not always advertised as such.
 THE SOLUTION
 ------------
 
-A [fix for CVE-2019-5435](https://github.com/curl/curl/commit/5fc28510a4664f4) is already merged.
+- Fixed-in: https://github.com/curl/curl/commit/5fc28510a4664f4
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2019-5436.md b/docs/CVE-2019-5436.md
@@ -47,7 +47,7 @@ libcurl is used by many applications, but not always advertised as such.
 THE SOLUTION
 ------------
 
-A [fix for CVE-2019-5436](https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275)
+- Fixed-in: https://github.com/curl/curl/commit/2576003415625d7b5f0e3909
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2019-5481.md b/docs/CVE-2019-5481.md
@@ -49,7 +49,7 @@ libcurl is used by many applications, but not always advertised as such.
 THE SOLUTION
 ------------
 
-A [fix for CVE-2019-5481](https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5)
+- Fixed-in: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e3
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2019-5482.md b/docs/CVE-2019-5482.md
@@ -51,7 +51,7 @@ libcurl is used by many applications, but not always advertised as such.
 THE SOLUTION
 ------------
 
-A [fix for CVE-2019-5482](https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d)
+- Fixed-in: https://github.com/curl/curl/commit/facb0e4662415b5f28163
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2020-8169.md b/docs/CVE-2020-8169.md
@@ -108,7 +108,7 @@ libcurl is used by many applications, but not always advertised as such.
 THE SOLUTION
 ------------
 
-A [fix for CVE-2020-8169](https://github.com/curl/curl/commit/600a8cded447cd)
+- Fixed-in: https://github.com/curl/curl/commit/600a8cded447c
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2020-8177.md b/docs/CVE-2020-8177.md
@@ -66,7 +66,7 @@ AFFECTED VERSIONS
 THE SOLUTION
 ------------
 
-A [fix for CVE-2020-8177](https://github.com/curl/curl/commit/8236aba58542c5f.patch)
+- Fixed-in: https://github.com/curl/curl/commit/8236aba58542c5
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2020-8231.md b/docs/CVE-2020-8231.md
@@ -63,7 +63,7 @@ AFFECTED VERSIONS
 THE SOLUTION
 ------------
 
-A [fix for CVE-2020-8231](https://github.com/curl/curl/commit/3c9e021f86872baae412a427e807fbfa2f3e8)
+- Fixed-in: https://github.com/curl/curl/commit/3c9e021f86872baae412
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2020-8284.md b/docs/CVE-2020-8284.md
@@ -76,7 +76,7 @@ The same goes for the command line tool, which then might need
 `--no-ftp-skip-pasv-ip` set to prevent curl from ignoring the address in the
 server response.
 
-A [fix for CVE-2020-8284](https://github.com/curl/curl/commit/ec9cc725d598ac)
+- Fixed-in: https://github.com/curl/curl/commit/ec9cc725d598ac
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2020-8285.md b/docs/CVE-2020-8285.md
@@ -65,7 +65,7 @@ The internal function is rewritten to instead and more appropriately use an
 ordinary loop instead of the recursive approach. This way, the stack use will
 remain the same no matter how many files that are skipped.
 
-A [fix for CVE-2020-8285](https://github.com/curl/curl/commit/69a358f2186e04)
+- Fixed-in: https://github.com/curl/curl/commit/69a358f2186e04
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2020-8286.md b/docs/CVE-2020-8286.md
@@ -57,7 +57,7 @@ THE SOLUTION
 The OCSP response checker function now also verifies that the certificate id
 is the correct one.
 
-A [fix for CVE-2020-8286](https://github.com/curl/curl/commit/d9d01672785b)
+- Fixed-in: https://github.com/curl/curl/commit/d9d01672785b
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2021-22876.md b/docs/CVE-2021-22876.md
@@ -45,7 +45,7 @@ THE SOLUTION
 If a provided URL contains credentials, they will be blanked out before the
 URL is used to populate the header field.
 
-A [fix for CVE-2021-22876](https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)
+- Fixed-in: https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2021-22890.md b/docs/CVE-2021-22890.md
@@ -66,7 +66,7 @@ THE SOLUTION
 
 Make sure the proxy/host distinction is done correctly.
 
-A [fix for CVE-2021-22890](https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
+- Fixed-in: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac89
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2021-22897.md b/docs/CVE-2021-22897.md
@@ -52,7 +52,7 @@ THE SOLUTION
 
 Store the cipher selection in data associated with the connection.
 
-A [fix for CVE-2021-22897](https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511)
+- Fixed-in: https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880b
 
 RECOMMENDATIONS
 --------------

diff --git a/docs/CVE-2021-22898.md b/docs/CVE-2021-22898.md
@@ -63,7 +63,7 @@ THE SOLUTION
 
 Use sscanf() properly and only use properly filled-in buffers.
 
-A [fix for CVE-2021-22898](https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde)
+- Fixed-in: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe
 
 RECOMMENDATIONS
 --------------