CVE-2023-52071.md: another bogus curl CVE

docs/CVE-2023-52071.md

@@ -0,0 +1,66 @@
+Bogus report filed by anonymous
+===============================
+
+Project curl Security Dismissal, August 26 2023 -
+[Permalink](https://curl.se/docs/CVE-2023-52071.html)
+
+VULNERABILITY
+-------------
+
+None. CVE-2023-52071 was filed and made public by an anonymous person due to
+incompetence or malice. We cannot say which and the distinction does not
+matter to us.
+
+The original description said:
+
+`tiny-curl-8_4_0`, `curl-8_4_0` and `curl-8_5_0` were discovered to contain an
+off-by-one out-of-bounds array index via the component `tool_cb_wrt`.
+
+INFO
+----
+
+CVE-2023-52071 was published on January 30 2024. Its existence was reported to
+us the same day.
+
+The CVE references a git commit that fixes an assert. The assert itself
+accesses a stack based buffer one byte out of boundary. This code is only
+included in debug builds and never in release-builds. Even in debug builds it
+is not a security problem.
+
+The bug in question was introduced in
+[af3f4e419b9f3397](https://github.com/curl/curl/commit/af3f4e419b9f3397)
+(April 4 2023, shipped in 8.3.0), fixed in
+[73980f9ace6c7577e7](https://github.com/curl/curl/commit/73980f9ace6c7577e7)
+(September 13 2023, shipped in 8.4.0).
+
+AFFECTED VERSIONS
+-----------------
+
+It does not affect any version. It is not a security problem. It was a bug
+that we fixed in September 2023.
+
+SOLUTION
+------------
+
+Relax. Use curl as usual.
+
+The curl security team will work on getting this CVE rejected.
+
+RECOMMENDATIONS
+--------------
+
+Do not blindly trust the CVE system. It is full of cracks and bogus reports
+such as CVE-2023-52071.
+
+TIMELINE
+--------
+
+This CVE was made public on January 30 2024. We were notified about it on
+January 30.
+
+CREDITS
+-------
+
+- Reported-by: Pedro Sampaio
+
+Thanks a lot!

docs/Makefile

@@ -163,6 +163,7 @@ CVELIST = \
  CVE-2023-28322.html \
  CVE-2023-32001.html \
  CVE-2020-19909.html \
+ CVE-2023-52071.html \
  CVE-2023-38039.html \
  CVE-2023-38545.html \
  CVE-2023-38546.html \

docs/_security.html

@@ -88,6 +88,7 @@
   Issues filed by others that are plain lies:
 <ul>
 <li> <a href="CVE-2020-19909.html">CVE-2020-19909</a>
+<li> <a href="CVE-2023-52071.html">CVE-2023-52071</a>
 </ul>
 
 

docs/cve-checker.pl

@@ -21,6 +21,7 @@
 my %whitelist = (
     "CVE-2019-15601.md" => 1,
     "CVE-2020-19909.md" => 1,
+    "CVE-2023-52071.md" => 1,
     "CVE-2023-32001.md" => 1,
     );
 

docs/mk-adv-template.pl

@@ -32,7 +32,7 @@
         if($issue) {
             $dissue = "#define FLAWISSUE $issue\n";
         }
-        if($award) {
+        if($award > 0) {
             $daward = "#define FLAWAWARD $award\n";
         }
         print <<TEMPLATE

docs/novuln.pm

@@ -14,6 +14,7 @@
 #
 # List of CWEs => https://cwe.mitre.org/data/definitions/658.html
 @novuln = (
+    "CVE-2023-52071.html|-|-|Bogus report filed by anonymous|CVE-2023-52071|20240130|20240130|-|-|-|-",
     "CVE-2019-15601.html|6.0|7.67.0|SMB access smuggling via FILE URL on Windows|CVE-2019-15601|20200108|20191031|CWE-20: Improper Input Validation|400",
     "CVE-2020-19909.html|-|-|Bogus report filed by anonymous|CVE-2020-19909|20230822|20230825|-|-|-|-",
     "CVE-2023-32001.html|7.84.0|8.1.2|fopen race condition|CVE-2023-32001|20230719|20230627|CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition|2400|storage|-|both|medium|https://hackerone.com/reports/2039870",