1<!-- 2Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3 4SPDX-License-Identifier: curl 5--> 6 7# Anatomy of a curl security advisory 8 9As described in the [Security Process](https://curl.se/dev/secprocess.html) 10document, when a security vulnerability has been reported to the project and 11confirmed, we author an advisory document for the issue. It should ideally 12be written in cooperation with the reporter to make sure all the angles and 13details of the problem are gathered and described correctly and succinctly. 14 15## New document 16 17A security advisory for curl is created in the `docs/` folder in the 18[curl-www](https://github.com/curl/curl-www) repository. It should be named 19`$CVEID.md` where `$CVEID` is the full CVE Id that has been registered for the 20flaw. Like `CVE-2016-0755`. The `.md` extension of course means that the 21document is written using markdown. 22 23The standard way to go about this is to first write the `VULNERABILITY` 24section for the document, so that there is description of the flaw available, 25then paste this description into the CVE Id request. 26 27### `vuln.pm` 28 29The new issue should be entered at the top of the list in the file `vuln.pm` 30in the same directory. It holds a large array with all published curl 31vulnerabilities. All fields should be filled in accordingly, separated by a 32pipe character (`|`). 33 34The eleven fields for each CVE in `vuln.pm` are, in order: 35 36 HTML page name, first vulnerable version, last vulnerable version, name of 37 the issue, CVE Id, announce date (`YYYYMMDD`), report to the project date 38 (`YYYYMMDD`), CWE, awarded reward amount (USD), area (single word), C-issue 39 (`-` if not a C issue at all, `OVERFLOW` , `OVERREAD`, `DOUBLE_FREE`, 40 `USE_AFTER_FREE`, `NULL_MISTAKE`, `UNINIT`) 41 42### `Makefile` 43 44The new CVE webpage filename needs to be added in the `Makefile`'s `CVELIST` 45macro. 46 47When the markdown is in place and the `Makefile` and `vuln.pm` are updated, 48all other files and metadata for all curl advisories and versions get 49generated automatically using those files. 50 51## Document format 52 53The easy way is to start with a recent previously published advisory and just 54blank out old texts and save it using a new name. Save the subtitles and 55general layout. 56 57Some details and metadata are extracted from this document so it is important 58to stick to the existing format. 59 60The first list must be the title of the issue. 61 62### VULNERABILITY 63 64The first subtitle should be `VULNERABILITY`. That should then include a 65through and detailed description of the flaw. Including how it can be 66triggered and maybe something about what might happen if triggered or 67exploited. 68 69### INFO 70 71The next section is `INFO` which adds meta data information about the flaw. It 72specifically mentions the official CVE Id for the issue and it must list the 73CWE Id, starting on its own line. We write CWE identifiers in advisories with 74the full (official) explanation on the right side of a colon. Like this: 75 76`CWE-305: Authentication Bypass by Primary Weakness` 77 78### AFFECTED VERSIONS 79 80The third section first lists what versions that are affected, then adds 81clarity by stressing what versions that are *not* affected. A third line adds 82information about which specific git commit that introduced the vulnerability. 83 84The `Introduced-in` commit should be a full URL that displays the commit, but 85should work as a stand-alone commit hash if everything up to the last slash is 86cut out. 87 88An example using the correct syntax: 89 90~~~ 91- Affected versions: curl 7.16.1 to and including 7.88.1 92- Not affected versions: curl < 7.16.1 and curl >= 8.0.0 93- Introduced-in: https://github.com/curl/curl/commit/2147284cad 94~~~ 95 96### THE SOLUTION 97 98This section describes and discusses the fix. The only mandatory information 99here is the link to the git commit that fixes the problem. 100 101The `Fixed-in` value should be a full URL that displays the commit, but should 102work as a stand-alone commit hash if everything up to the last slash is cut 103out. 104 105Example: 106 107`- Fixed-in: https://github.com/curl/curl/commit/af369db4d3833272b8ed` 108 109### RECOMMENDATIONS 110 111This section lists the recommended actions for the users in a top to bottom 112priority order and should ideally contain three items but no less than two. 113 114The top two are almost always `upgrade curl to version XXX` and `apply the 115patch to your local version`. 116 117### TIMELINE 118 119Detail when this report was received in the project. When package distributors 120were notified (via the distros mailing list or similar) 121 122When the advisory and fixed version are released. 123 124### CREDITS 125 126Mention the reporter and patch author at least, then everyone else involved 127you think deserves a mention. 128 129If you want to mention more than one name, separate the names with comma 130(`,`). 131 132~~~ 133- Reported-by: Full Name 134- Patched-by: Full Name 135~~~ 136