Bug 1219273

Summary: VUL-0: curl: missing regression fix for CVE-2023-27534
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, pgajdos
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392405/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: CVE-2023-27534.patch

Description Marcus Meissner 2024-01-29 09:58:40 UTC 
received via email

Hi,

I could not get the fix CVE-2023-27534 for curl from your side (I do not found a public srpm repository*)

Nevertheless due to the date of the fix it seems that you forget a regression fix
upstream commit are here
origin:  https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
origin-fix: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325

I join my patch if you could check

Can you cross check with my patch ?

Thanks
Comment 1 Marcus Meissner 2024-01-29 09:59:38 UTC 
Created attachment 872248 [details]
CVE-2023-27534.patch

incremental patch CVE-2023-27534.patch
Comment 2 Marcus Meissner 2024-04-15 15:24:54 UTC 
did we ever address this?
Comment 3 Petr Gajdos 2024-06-07 07:56:12 UTC 
As far as I can tell, the regression fix is needed only for
15sp2
https://build.suse.de/request/show/333371
12
https://build.suse.de/request/show/333372

12sp5,15sp4+ have newer curl and 15/curl is not supported anymore.
Comment 4 Maintenance Automation 2024-06-12 12:32:13 UTC 
SUSE-SU-2024:2009-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219273
CVE References: CVE-2023-27534
Maintenance Incident: [SUSE:Maintenance:34220](https://smelt.suse.de/incident/34220/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 curl-7.66.0-150200.4.72.1
SUSE Linux Enterprise Micro 5.2 (src):
 curl-7.66.0-150200.4.72.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 curl-7.66.0-150200.4.72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.