From b715bb371ca1b953db0357a587cd5ebaf24ca3b9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 19 Jun 2024 11:47:26 +0200 Subject: [PATCH] VULN-DISCLOSURE-POLICY: NULL dereferences and crashes If a malicious server can trigger a NULL dereference in curl or otherwise cause curl to crash (and nothing worse), chances are big that we do not consider that a security problem. Closes #13974 --- .github/scripts/spellcheck.words | 4 +++- docs/VULN-DISCLOSURE-POLICY.md | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words index 869d588ea1..41609d896c 100644 --- a/.github/scripts/spellcheck.words +++ b/.github/scripts/spellcheck.words @@ -174,6 +174,8 @@ decrypting deepcode DELE DER +dereference +dereferences deselectable deserialization Deserialized @@ -508,8 +510,8 @@ monospace MorphOS MPE MPL -MPTCP mprintf +MPTCP MQTT mqtt mqtts diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 0f89816e01..e6d6f34509 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -298,3 +298,18 @@ is curl working as designed and is not a curl security problem. Escape sequences, moving cursor, changing color etc, is also frequently used for good. To reduce the risk of getting fooled, save files and browse them after download using a display method that minimizes risks. + +## NULL dereferences and crashes + +If a malicious server can trigger a NULL dereference in curl or otherwise +cause curl to crash (and nothing worse), chances are big that we do not +consider that a security problem. + +Malicious servers can already cause considerable harm and denial of service +like scenarios without having to trigger such code paths. For example by +stalling, being terribly slow or by delivering enormous amounts of data. +Additionally, applications are expected to handle "normal" crashes without +that being the end of the world. + +There need to be more and special circumstances to treat such problems as +security issues. -- 2.47.3