1# Anatomy of a curl security advisory 2 3As described in the [Security Process](https://curl.se/dev/secprocess.html) 4document, when a security vulnerability has been reported to the project and 5confirmed, we author an advisory document for the issue. It should ideally 6be written in cooperation with the reporter to make sure all the angles and 7details of the problem are gathered and described correctly and succinctly. 8 9## New document 10 11A security advisory for curl is created in the `docs/` folder in the 12[curl-www](https://github.com/curl/curl-www) repository. It should be named 13`$CVEID.md` where `$CVEID` is the full CVE Id that has been registered for the 14flaw. Like `CVE-2016-0755`. The `.md` extension of course means that the 15document is written using markdown. 16 17The standard way to go about this is to first write the `VULNERABILITY` 18section for the document, so that there is description of the flaw available, 19then paste this description into the CVE Id request. 20 21### `vuln.pm` 22 23The new issue should be entered at the top of the list in the file `vuln.pm` 24in the same directory. It holds a large array with all published curl 25vulnerabilities. All fields should be filled in accordingly, separated by a 26pipe character (`|`). 27 28The eleven fields for each CVE in `vuln.pm` are, in order: 29 30 HTML page name, first vulnerable version, last vulnerable version, name of 31 the issue, CVE Id, announce date (`YYYYMMDD`), report to the project date 32 (`YYYYMMDD`), CWE, awarded reward amount (USD), area (single word), C-issue 33 (`-` if not a C issue at all, `OVERFLOW` , `OVERREAD`, `DOUBLE_FREE`, 34 `USE_AFTER_FREE`, `NULL_MISTAKE`, `UNINIT`) 35 36### `Makefile` 37 38The new CVE webpage filename needs to be added in the `Makefile`'s `CVELIST` 39macro. 40 41When the markdown is in place and the `Makefile` and `vuln.pm` are updated, 42all other files and metadata for all curl advisories and versions get 43generated automatically using those files. 44 45## Document format 46 47The easy way is to start with a recent previously published advisory and just 48blank out old texts and save it using a new name. Save the subtitles and 49general layout. 50 51Some details and metadata will be extracted from this document so it is 52important to stick to the existing format. 53 54The first list must be the title of the issue. 55 56### VULNERABILITY 57 58The first subtitle should be `VULNERABILITY`. That should then include a 59through and detailed description of the flaw. Including how it can be 60triggered and maybe something about what might happen if triggered or 61exploited. 62 63### INFO 64 65The next section is `INFO` which adds meta data information about the flaw. It 66specifically mentions the official CVE Id for the issue and it must list the 67CWE Id, starting on its own line. We write CWE identifiers in advisories with 68the full (official) explanation on the right side of a colon. Like this: 69 70`CWE-305: Authentication Bypass by Primary Weakness` 71 72### AFFECTED VERSIONS 73 74The third section first lists what versions that are affected, then adds 75clarity by stressing what versions that are *not* affected. A third line adds 76information about which specific git commit that introduced the vulnerability. 77 78The `Introduced-in` commit should be a full URL that displays the commit, but 79should work as a stand-alone commit hash if everything up to the last slash is 80cut out. 81 82An example using the correct syntax: 83 84~~~ 85- Affected versions: curl 7.16.1 to and including 7.88.1 86- Not affected versions: curl < 7.16.1 and curl >= 8.0.0 87- Introduced-in: https://github.com/curl/curl/commit/2147284cad 88~~~ 89 90### THE SOLUTION 91 92This section describes and discusses the fix. The only mandatory information 93here is the link to the git commit that fixes the problem. 94 95The `Fixed-in` value should be a full URL that displays the commit, but should 96work as a stand-alone commit hash if everything up to the last slash is cut 97out. 98 99Example: 100 101`- Fixed-in: https://github.com/curl/curl/commit/af369db4d3833272b8ed` 102 103### RECOMMENDATIONS 104 105This section lists the recommended actions for the users in a top to bottom 106priority order and should ideally contain three items but no less than two. 107 108The top two are almost always `upgrade curl to version XXX` and `apply the 109patch to your local version`. 110 111### TIMELINE 112 113Detail when this report was received in the project. When package distributors 114were notified (via the distros mailing list or similar) 115 116When the advisory and fixed version are released. 117 118### CREDITS 119 120Mention the reporter and patch author at least, then everyone else involved 121you think deserves a mention. 122 123If you want to mention more than one name, separate the names with comma 124(`,`). 125 126~~~ 127- Reported-by: Full Name 128- Patched-by: Full Name 129~~~ 130