919889 – (CVE-2023-46219) <net-misc/curl-8.5.0: removes HSTS contents

Bug 919889 (CVE-2023-46219) - <net-misc/curl-8.5.0: removes HSTS contents

Summary: <net-misc/curl-8.5.0: removes HSTS contents

Status:	CONFIRMED

Alias:	CVE-2023-46219

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://hackerone.com/reports/2236133
Whiteboard:	A4 [stable?]
Keywords:

Depends on:
Blocks:

Reported:	2023-12-14 15:28 UTC by Christopher Fore
Modified:	2023-12-14 15:30 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2023-12-14 15:28:37 UTC

CVE-2023-46219 (https://hackerone.com/reports/2236133):

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.