From: Daniel Stenberg Date: Wed, 19 Jun 2024 09:47:26 +0000 (+0200) Subject: VULN-DISCLOSURE-POLICY: NULL dereferences and crashes X-Git-Tag: curl-8_9_0~218 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b715bb371ca1b953db0357a587cd5ebaf24ca3b9;p=thirdparty%2Fcurl.git VULN-DISCLOSURE-POLICY: NULL dereferences and crashes If a malicious server can trigger a NULL dereference in curl or otherwise cause curl to crash (and nothing worse), chances are big that we do not consider that a security problem. Closes #13974 --- diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words index 869d588ea1..41609d896c 100644 --- a/.github/scripts/spellcheck.words +++ b/.github/scripts/spellcheck.words @@ -174,6 +174,8 @@ decrypting deepcode DELE DER +dereference +dereferences deselectable deserialization Deserialized @@ -508,8 +510,8 @@ monospace MorphOS MPE MPL -MPTCP mprintf +MPTCP MQTT mqtt mqtts diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 0f89816e01..e6d6f34509 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md 
@@ -298,3 +298,18 @@ is curl working as designed and is not a curl security problem. Escape sequences, moving cursor, changing color etc, is also frequently used for good. To reduce the risk of getting fooled, save files and browse them after download using a display method that minimizes risks. + +## NULL dereferences and crashes + +If a malicious server can trigger a NULL dereference in curl or otherwise +cause curl to crash (and nothing worse), chances are big that we do not +consider that a security problem. + +Malicious servers can already cause considerable harm and denial of service +like scenarios without having to trigger such code paths. For example by +stalling, being terribly slow or by delivering enormous amounts of data. +Additionally, applications are expected to handle "normal" crashes without +that being the end of the world. + +There need to be more and special circumstances to treat such problems as +security issues.
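Review bot: in the second `.github/scripts/spellcheck.words` hunk (`@@ -508,8 +510,8 @@`), moving `MPTCP` below `mprintf` is a sort-order change unrelated to the policy text this commit is about, and the commit message does not mention it. Either mention the reorder in the message or split it into its own commit, so the history of the word list stays easy to follow.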
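Review bot: the closing paragraph of the new "NULL dereferences and crashes" section in `docs/VULN-DISCLOSURE-POLICY.md` ("There need to be more and special circumstances to treat such problems as security issues.") does not say what those circumstances are, so a reporter reading the policy cannot tell when a server-triggered crash is still in scope. Consider naming at least one qualifying condition or saying who makes that call. Two smaller wording points in the same hunk: "denial of service like scenarios" reads better hyphenated as "denial-of-service-like scenarios", and "For example by stalling, being terribly slow or by delivering enormous amounts of data." is a sentence fragment that could be joined to the preceding sentence with a comma.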