quickjs-tart

quickjs-based runtime for wallet-core logic
Log | Files | Refs | README | LICENSE

SECURITY-ADVISORY.md (4776B)

      1 <!--
      2 Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
      3 
      4 SPDX-License-Identifier: curl
      5 -->
      6 
      7 # Anatomy of a curl security advisory
      8 
      9 As described in the [Security Process](https://curl.se/dev/secprocess.html)
     10 document, when a security vulnerability has been reported to the project and
     11 confirmed, we author an advisory document for the issue. It should ideally
     12 be written in cooperation with the reporter to make sure all the angles and
     13 details of the problem are gathered and described correctly and succinctly.
     14 
     15 ## New document
     16 
     17 A security advisory for curl is created in the `docs/` folder in the
     18 [curl-www](https://github.com/curl/curl-www) repository. It should be named
     19 `$CVEID.md` where `$CVEID` is the full CVE Id that has been registered for the
     20 flaw. Like `CVE-2016-0755`. The `.md` extension of course means that the
     21 document is written using markdown.
     22 
     23 The standard way to go about this is to first write the `VULNERABILITY`
     24 section for the document, so that there is description of the flaw available,
     25 then paste this description into the CVE Id request.
     26 
     27 ### `vuln.pm`
     28 
     29 The new issue should be entered at the top of the list in the file `vuln.pm`
     30 in the same directory. It holds a large array with all published curl
     31 vulnerabilities. All fields should be filled in accordingly, separated by a
     32 pipe character (`|`).
     33 
     34 The eleven fields for each CVE in `vuln.pm` are, in order:
     35 
     36  HTML page name, first vulnerable version, last vulnerable version, name of
     37  the issue, CVE Id, announce date (`YYYYMMDD`), report to the project date
     38  (`YYYYMMDD`), CWE, awarded reward amount (USD), area (single word), C-issue
     39  (`-` if not a C issue at all, `OVERFLOW` , `OVERREAD`, `DOUBLE_FREE`,
     40  `USE_AFTER_FREE`, `NULL_MISTAKE`, `UNINIT`)
     41 
     42 ### `Makefile`
     43 
     44 The new CVE webpage filename needs to be added in the `Makefile`'s `CVELIST`
     45 macro.
     46 
     47 When the markdown is in place and the `Makefile` and `vuln.pm` are updated,
     48 all other files and metadata for all curl advisories and versions get
     49 generated automatically using those files.
     50 
     51 ## Document format
     52 
     53 The easy way is to start with a recent previously published advisory and just
     54 blank out old texts and save it using a new name. Save the subtitles and
     55 general layout.
     56 
     57 Some details and metadata are extracted from this document so it is important
     58 to stick to the existing format.
     59 
     60 The first list must be the title of the issue.
     61 
     62 ### VULNERABILITY
     63 
     64 The first subtitle should be `VULNERABILITY`. That should then include a
     65 through and detailed description of the flaw. Including how it can be
     66 triggered and maybe something about what might happen if triggered or
     67 exploited.
     68 
     69 ### INFO
     70 
     71 The next section is `INFO` which adds meta data information about the flaw. It
     72 specifically mentions the official CVE Id for the issue and it must list the
     73 CWE Id, starting on its own line. We write CWE identifiers in advisories with
     74 the full (official) explanation on the right side of a colon. Like this:
     75 
     76 `CWE-305: Authentication Bypass by Primary Weakness`
     77 
     78 ### AFFECTED VERSIONS
     79 
     80 The third section first lists what versions that are affected, then adds
     81 clarity by stressing what versions that are *not* affected. A third line adds
     82 information about which specific git commit that introduced the vulnerability.
     83 
     84 The `Introduced-in` commit should be a full URL that displays the commit, but
     85 should work as a stand-alone commit hash if everything up to the last slash is
     86 cut out.
     87 
     88 An example using the correct syntax:
     89 
     90 ~~~
     91 - Affected versions: curl 7.16.1 to and including 7.88.1
     92 - Not affected versions: curl < 7.16.1 and curl >= 8.0.0
     93 - Introduced-in: https://github.com/curl/curl/commit/2147284cad
     94 ~~~
     95 
     96 ### THE SOLUTION
     97 
     98 This section describes and discusses the fix. The only mandatory information
     99 here is the link to the git commit that fixes the problem.
    100 
    101 The `Fixed-in` value should be a full URL that displays the commit, but should
    102 work as a stand-alone commit hash if everything up to the last slash is cut
    103 out.
    104 
    105 Example:
    106 
    107 `- Fixed-in: https://github.com/curl/curl/commit/af369db4d3833272b8ed`
    108 
    109 ### RECOMMENDATIONS
    110 
    111 This section lists the recommended actions for the users in a top to bottom
    112 priority order and should ideally contain three items but no less than two.
    113 
    114 The top two are almost always `upgrade curl to version XXX` and `apply the
    115 patch to your local version`.
    116 
    117 ### TIMELINE
    118 
    119 Detail when this report was received in the project. When package distributors
    120 were notified (via the distros mailing list or similar)
    121 
    122 When the advisory and fixed version are released.
    123 
    124 ### CREDITS
    125 
    126 Mention the reporter and patch author at least, then everyone else involved
    127 you think deserves a mention.
    128 
    129 If you want to mention more than one name, separate the names with comma
    130 (`,`).
    131 
    132 ~~~
    133 - Reported-by: Full Name
    134 - Patched-by: Full Name
    135 ~~~