cve-checker: make sure affected/not affected lines are consistent

Update several CVE*md files accordingly to please the checker. Also corrected the version ranges somewhat on a few.
curl · May 8, 2023 · 6530ffa · 6530ffa
1 parent 4a08360
commit 6530ffa
Show file tree

Hide file tree

Showing 36 changed files with 67 additions and 47 deletions.
diff --git a/docs/CVE-2009-0037.md b/docs/CVE-2009-0037.md
@@ -42,8 +42,8 @@ CWE-142: Improper Neutralization of Value Delimiters
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: curl and libcurl 5.11(!) to and including 7.19.3
-- Not affected versions: curl and libcurl < 5.10 and curl >= 7.19.4
+- Affected versions: curl 5.11 to and including 7.19.3
+- Not affected versions: curl < 5.10 and curl >= 7.19.4
 - Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d
 
 Also note that (lib)curl is used by many applications, and not always

diff --git a/docs/CVE-2010-0734.md b/docs/CVE-2010-0734.md
@@ -40,7 +40,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: curl and libcurl 7.10.5 to and including 7.19.7
-- Not affected versions: curl and libcurl <= 7.10.4 and >= 7.20.0
+- Not affected versions: curl < 7.10.5 and curl >= 7.20.0
 
 If you build curl or libcurl to not use zlib or make your app not tell libcurl
 to do this magic, you are not affected.

diff --git a/docs/CVE-2010-3842.md b/docs/CVE-2010-3842.md
@@ -39,7 +39,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: curl 7.20.0 to and including 7.21.1
-- Not affected versions: curl < 7.20.0 and >= 7.21.2
+- Not affected versions: curl < 7.20.0 and curl >= 7.21.2
 - Introduced-in: https://github.com/curl/curl/commit/80675818e0417be8c99151
 
 Also note that curl is used by many applications, and not always advertised as

diff --git a/docs/CVE-2013-1944.md b/docs/CVE-2013-1944.md
@@ -33,8 +33,8 @@ INFO
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: all versions to and including 7.29.0
-- Not affected versions: curl >= 7.30.0
+- Affected versions: curl 4.7 to and including 7.29.0
+- Not affected versions: curl < 4.7 and curl >= 7.30.0
 
   libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2013-2174.md b/docs/CVE-2013-2174.md
@@ -49,7 +49,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: from libcurl 7.7 to and including 7.30.0
-- Not affected versions: libcurl before 7.7 and >= 7.31.0
+- Not affected versions: libcurl < 7.7 and >= 7.31.0
 
   libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2013-4545.md b/docs/CVE-2013-4545.md
@@ -41,7 +41,7 @@ AFFECTED VERSIONS
   built with another TLS backend, it isn't affected.
 
 - Affected versions: from libcurl 7.18.0 to and including 7.32.0
-- Not affected versions: libcurl before 7.18.0 and >= 7.33.0
+- Not affected versions: libcurl < 7.18.0 and >= 7.33.0
 
   libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2013-6422.md b/docs/CVE-2013-6422.md
@@ -45,7 +45,7 @@ This flaw only exists in the TLS backend that uses GnuTLS. If libcurl is built
 with another TLS backend, it isn't affected.
 
 - Affected versions: from libcurl 7.21.4 to and including 7.33.0
-- Not affected versions: libcurl before 7.21.4 and >= 7.34.0
+- Not affected versions: libcurl < 7.21.4 and >= 7.34.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-0015.md b/docs/CVE-2014-0015.md
@@ -57,7 +57,7 @@ the code has been restructured a few times over the years so the mistake has
 altered shape over the years.
 
 - Affected versions: from libcurl 7.10.6 to and including 7.34.0
-- Not affected versions: libcurl before 7.10.6 and >= 7.35.0
+- Not affected versions: libcurl < 7.10.6 and >= 7.35.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-0138.md b/docs/CVE-2014-0138.md
@@ -50,7 +50,7 @@ protocols, although the code has been restructured a few times over the
 years so the mistake has altered shape.
 
 - Affected versions: from libcurl 7.10.6 to and including 7.35.0
-- Not affected versions: libcurl before 7.10.6 and >= 7.36.0
+- Not affected versions: libcurl < 7.10.6 and >= 7.36.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-1263.md b/docs/CVE-2014-1263.md
@@ -41,7 +41,7 @@ This flaw has existed ever since libcurl started to support the
 SecureTransport/Darwinssl backend.
 
 - Affected versions: from libcurl 7.27.0 to and including 7.35.0
-- Not affected versions: libcurl >= 7.36.0
+- Not affected versions: libcurl < 7.26.0 and >= 7.36.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-2522.md b/docs/CVE-2014-2522.md
@@ -35,7 +35,7 @@ This flaw has existed ever since libcurl started to support the
 SChannel/Winssl backend.
 
 - Affected versions: from libcurl 7.27.0 to and including 7.35.0
-- Not affected versions: libcurl >= 7.36.0
+- Not affected versions: libcurl < 7.27.0 and >= 7.36.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-3613.md b/docs/CVE-2014-3613.md
@@ -46,7 +46,7 @@ AFFECTED VERSIONS
 The IP address flaw has existed ever since libcurl started to support
  cookies.
 
-- Affected versions: from curl 4.0 to and including 7.37.1
+- Affected versions: curl 4.0 to and including 7.37.1
 - Not affected versions: curl >= 7.38.0
 
 libcurl is used by many applications, but not always advertised as such!

diff --git a/docs/CVE-2014-3707.md b/docs/CVE-2014-3707.md
@@ -72,7 +72,7 @@ AFFECTED VERSIONS
 This bug has existed since `CURLOPT_COPYPOSTFIELDS` was introduced.
 
 - Affected versions: from libcurl 7.17.1 to and including 7.38.0
-- Not affected versions: libcurl >= 7.39.0
+- Not affected versions: libcurl < 7.17.1 and libcurl >= 7.39.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-8150.md b/docs/CVE-2014-8150.md
@@ -35,7 +35,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: from curl 6.0 to and including 7.39.0
-- Not affected versions: libcurl >= 7.40.0
+- Not affected versions: curl < 6.0 and curl >= 7.40.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2014-8151.md b/docs/CVE-2014-8151.md
@@ -45,8 +45,8 @@ CWE-297: Improper Validation of Certificate with Host Mismatch
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: from libcurl 7.31.0 to and including 7.39.0
-- Not affected versions: libcurl < 7.31.0 or >= 7.40.0
+- Affected versions: libcurl 7.31.0 to and including 7.39.0
+- Not affected versions: libcurl < 7.31.0 and libcurl >= 7.40.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2015-3143.md b/docs/CVE-2015-3143.md
@@ -48,7 +48,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: from libcurl 7.10.6 to and including 7.41.0
-- Not affected versions: libcurl >= 7.42.0
+- Not affected versions: libcurl < 7.10.6 and libcurl >= 7.42.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2015-3144.md b/docs/CVE-2015-3144.md
@@ -33,7 +33,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: from libcurl 7.37.0 to and including 7.41.0
-- Not affected versions: libcurl >= 7.42.0
+- Not affected versions: libcurl < 7.37.0 and libcurl >= 7.42.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2015-3145.md b/docs/CVE-2015-3145.md
@@ -41,7 +41,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: from libcurl 7.31.0 to and including 7.41.0
-- Not affected versions: libcurl >= 7.42.0
+- Not affected versions: libcurl < 7.31.0 and libcurl >= 7.42.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2015-3148.md b/docs/CVE-2015-3148.md
@@ -37,7 +37,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: from libcurl 7.10.6 to and including 7.41.0
-- Not affected versions: libcurl >= 7.42.0
+- Not affected versions: libcurl < 7.10.6 and libcurl >= 7.42.0
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2015-3153.md b/docs/CVE-2015-3153.md
@@ -52,7 +52,7 @@ This flaw is relevant for applications that use `CURLOPT_HTTPHEADER` to set
 headers with sensitive values and make HTTPS connections to the server via an
 HTTP proxy.
 
-- Affected versions: curl 4.0 to and include 7.42.0
+- Affected versions: curl 4.0 to and including 7.42.0
 - Not affected versions: curl >= 7.42.1
 
 SOLUTION

diff --git a/docs/CVE-2016-0754.md b/docs/CVE-2016-0754.md
@@ -55,15 +55,12 @@ AFFECTED VERSIONS
 In the case of using a remote file name provided by the user (-O without -J),
 the feature has existed since inception.
 
-- Affected versions (-O): curl <= 7.46.0
-- Not affected versions (-O): curl >= 7.47.0
+- Affected versions: curl 4.0 to and including 7.46.0
+- Not affected versions: curl >= 7.47.0
 
 In the case of using a remote file name provided by the server (-OJ), the
 feature was added in 7.20.0 and didn't exist before then.
 
-- Affected versions (-OJ): curl 7.20.0 to and including 7.46.0
-- Not affected versions (-OJ): curl < 7.20.0 and curl >= 7.47.0
-
 curl built for Cygwin is partially affected (-O): curl <= 7.47.0. Please refer
 to the CYGWIN addendum at the end of this advisory. (Added 2016-02-07)
 

diff --git a/docs/CVE-2016-5421.md b/docs/CVE-2016-5421.md
@@ -76,7 +76,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: libcurl 7.32.0 to and including 7.50.0
-- Not affected versions: libcurl >= 7.50.1
+- Not affected versions: libcurl < 7.32.0 and libcurl >= 7.50.1
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2016-7141.md b/docs/CVE-2016-7141.md
@@ -32,7 +32,7 @@ This flaw is present in curl and libcurl only if they are built with the
 support for NSS and only if the libnsspem.so library is available at run-time.
 
 - Affected versions: libcurl 7.19.6 to and including 7.50.1
-- Not affected versions: libcurl >= 7.50.2
+- Not affected versions: libcurl < 7.19.6 and libcurl >= 7.50.2
 
 libcurl is used by many applications, but not always advertised as such!
 

diff --git a/docs/CVE-2016-9594.md b/docs/CVE-2016-9594.md
@@ -44,7 +44,7 @@ AFFECTED VERSIONS
 
 This flaw exists in the following libcurl versions.
 
-- Affected versions: libcurl 7.52.0 only
+- Affected versions: libcurl 7.52.0 to and including libcurl 7.52.0
 - Not affected versions: libcurl < 7.52.0 and libcurl >= 7.52.1
 - Introduced-in: https://github.com/curl/curl/commit/f682156a4fc6c43fb
 

diff --git a/docs/CVE-2016-9952.md b/docs/CVE-2016-9952.md
@@ -38,7 +38,7 @@ AFFECTED VERSIONS
 This flaw exists in the following libcurl versions.
 
 - Affected versions: libcurl 7.27.0 to and including 7.51.0
-- Not affected versions: libcurl >= 7.52.0
+- Not affected versions: libcurl < 7.27.0 and libcurl >= 7.52.0
 - Introduced-in: https://github.com/curl/curl/commit/4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4
 
 libcurl is used by many applications, but not always advertised as such!

diff --git a/docs/CVE-2016-9953.md b/docs/CVE-2016-9953.md
@@ -37,7 +37,7 @@ AFFECTED VERSIONS
 This flaw exists in the following libcurl versions.
 
 - Affected versions: libcurl 7.27.0 to and including 7.51.0
-- Not affected versions: libcurl >= 7.52.0
+- Not affected versions: libcurl < 7.27.0 and >= 7.52.0
 - Introduced-in: https://github.com/curl/curl/commit/4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4
 
 libcurl is used by many applications, but not always advertised as such!

diff --git a/docs/CVE-2017-1000099.md b/docs/CVE-2017-1000099.md
@@ -31,7 +31,7 @@ CWE-170: Improper Null Termination
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: libcurl 7.54.1
+- Affected versions: libcurl 7.54.1 to and including 7.54.1
 - Not affected versions: libcurl < 7.54.1 and >= 7.55.0
 - Introduced-in: https://github.com/curl/curl/commit/7c312f84ea930d8
 

diff --git a/docs/CVE-2017-2629.md b/docs/CVE-2017-2629.md
@@ -44,8 +44,8 @@ curl has supported this option since version 7.41.0.
 
 This flaw exists in the following curl and libcurl versions.
 
-- Affected versions: 7.52.0 to and including 7.52.1
-- Not affected versions: < 7.52.0 and >= 7.53.0
+- Affected versions: curl 7.52.0 to and including 7.52.1
+- Not affected versions: curl < 7.52.0 and >= 7.53.0
 - Introduced-in: https://github.com/curl/curl/commit/cb4e2be7c6d42ca0780
 
 libcurl is used by many applications, but not always advertised as such!

diff --git a/docs/CVE-2017-7407.md b/docs/CVE-2017-7407.md
@@ -41,8 +41,8 @@ curl has supported this option since version 6.5 (released March 13, 2000).
 
 This flaw exists in the following curl versions.
 
-- Affected versions: 6.5 to and including 7.53.1
-- Not affected versions: < 6.5 and >= 7.54.0
+- Affected versions: curl 6.5 to and including 7.53.1
+- Not affected versions: curl < 6.5 and >= 7.54.0
 - Introduced-in: https://github.com/curl/curl/commit/90030a49c7facfefeca8
 
 SOLUTION

diff --git a/docs/CVE-2018-1000007.md b/docs/CVE-2018-1000007.md
@@ -36,7 +36,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: curl 6.0 to and including 7.57.0
-- Not affected versions: curl >= 7.58.0
+- Not affected versions: curl < 6.0 and curl >= 7.58.0
 - Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d
 
 libcurl is used by many applications, but not always advertised as such.

diff --git a/docs/CVE-2019-15601.md b/docs/CVE-2019-15601.md
@@ -52,7 +52,7 @@ Severity: Low
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: all versions to and including 7.67.0
+- Affected versions: curl 4.0 to and including 7.67.0
 - Not affected versions: libcurl >= 7.68.0
 - Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d
 

diff --git a/docs/CVE-2019-5443.md b/docs/CVE-2019-5443.md
@@ -43,8 +43,8 @@ Severity: High
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: all curl-for-windows downloads before **7.65.1_2**.
-- Not affected versions: libcurl >= 7.66.0
+- Affected versions: curl-for-windows 7.44.0 to and including 7.65.1_2
+- Not affected versions: curl < 7.44.0 and >= 7.66.0
 
 SOLUTION
 ------------

diff --git a/docs/CVE-2019-5482.md b/docs/CVE-2019-5482.md
@@ -41,7 +41,7 @@ AFFECTED VERSIONS
 -----------------
 
 - Affected versions: libcurl >= 7.19.4 to and including 7.65.3
-- Not affected versions: libcurl < 7.19.4 annd libcurl >= 7.66.0
+- Not affected versions: libcurl < 7.19.4 and libcurl >= 7.66.0
 - Introduced-in: https://github.com/curl/curl/commit/0516ce7786e9500c2e44
 
 libcurl is used by many applications, but not always advertised as such.

diff --git a/docs/CVE-2022-27778.md b/docs/CVE-2022-27778.md
@@ -39,7 +39,7 @@ Severity: Medium
 AFFECTED VERSIONS
 -----------------
 
-- Affected versions: curl 7.83.0
+- Affected versions: curl 7.83.0 to and including 7.83.0
 - Not affected versions: curl < 7.83.0 and curl >= 7.83.1
 - Introduced-in: https://github.com/curl/curl/commit/08a96c6e4e6cf6a1917a1
 

diff --git a/docs/cve-checker.pl b/docs/cve-checker.pl
@@ -17,7 +17,7 @@ sub checkfile {
     open(F, "<$file");
     my $i = 0;
     my $line = 0;
-    my $cwefound = 0;
+    my ($cwefound, $affected, $notaffected, $firstaff);
     my @secline;
     while(<F>) {
         my $l = $_;
@@ -30,6 +30,19 @@ sub checkfile {
         if($l =~ /^ *CWE-(\d+):/) {
             $cwefound = 1;
         }
+        if($l =~ /^- Affected versions: [^0-9]*([0-9.]+) to and including .*/) {
+            $firstaff = $1;
+            $affected = 1;
+        }
+        if($firstaff eq "4.0") {
+            # special case if existing from 4.0
+            if($l =~ /^- Not affected versions: .* >= /) {
+                $notaffected = 1;
+            }
+        }
+        elsif($l =~ /^- Not affected versions: .* < .* and .*>= /) {
+            $notaffected = 1;
+        }
     }
     close(F);
     if($i != 6) {
@@ -43,6 +56,16 @@ sub checkfile {
             $secline[2];
         return 1;
     }
+    elsif(!$affected) {
+        printf STDERR "$file:%d:error: \"affected versions\" not found in AFFECTED VERSIONS\n",
+            $secline[3];
+        return 1;
+    }
+    elsif(!$notaffected) {
+        printf STDERR "$file:%d:error: \"not affected versions\" not found in AFFECTED VERSIONS [$firstaff]\n",
+            $secline[3];
+        return 1;
+    }
     return 0;
 }
 

diff --git a/docs/vuln.pm b/docs/vuln.pm
@@ -66,7 +66,7 @@
     # be listed here: https://daniel.haxx.se/blog/2020/03/16/warning-curl-users-on-windows-using-file/
     "CVE-2019-5481.html|7.52.0|7.65.3|FTP-KRB double-free|CVE-2019-5481|20190911|20190903|CWE-415: Double Free|200|FTP|DOUBLE_FREE",
     "CVE-2019-5482.html|7.19.4|7.65.3|TFTP small blocksize heap buffer overflow|CVE-2019-5482|20190911|20190829|CWE-122: Heap-based Buffer Overflow|250|TFTP|OVERFLOW",
-    "CVE-2019-5443.html|7.61.0|7.65.1|Windows OpenSSL engine code injection|CVE-2019-5443|20190624|20190612|CWE-94: Code Injection|200|TLS|-",
+    "CVE-2019-5443.html|7.44.0|7.65.1|Windows OpenSSL engine code injection|CVE-2019-5443|20190624|20190612|CWE-94: Code Injection|200|TLS|-",
     "CVE-2019-5436.html|7.19.4|7.64.1|TFTP receive buffer overflow|CVE-2019-5436|20190522|20190429|CWE-122: Heap-based Buffer Overflow|200|TFTP|OVERFLOW",
     "CVE-2019-5435.html|7.62.0|7.64.1|Integer overflows in curl_url_set|CVE-2019-5435|20190522|20190424|CWE-131: Incorrect Calculation of Buffer Size|150|URL|OVERFLOW",
     "CVE-2018-16890.html|7.36.0|7.63.0|NTLM type-2 out-of-bounds buffer read|CVE-2018-16890|20190206|20181230|CWE-125: Out-of-bounds Read|0|HTTP|OVERREAD",
@@ -140,7 +140,7 @@
     "CVE-2013-6422.html|7.21.4|7.33.0|cert name check ignore GnuTLS|CVE-2013-6422|20131217|20131129|CWE-297: Improper Validation of Certificate with Host Mismatch|0|TLS|-",
     "CVE-2013-4545.html|7.18.0|7.32.0|cert name check ignore OpenSSL|CVE-2013-4545|20131115|20131106|CWE-297: Improper Validation of Certificate with Host Mismatch|0|TLS|-",
     "CVE-2013-2174.html|7.7|7.30.0|URL decode buffer boundary flaw|CVE-2013-2174|20130622|20130519|CWE-126: Buffer Over-read|0|URL|OVERREAD",
-    "CVE-2013-1944.html|6.0|7.29.0|cookie domain tailmatch|CVE-2013-1944|20130412|20130409|CWE-201: Information Exposure Through Sent Data|0|HTTP|-",
+    "CVE-2013-1944.html|4.7|7.29.0|cookie domain tailmatch|CVE-2013-1944|20130412|20130409|CWE-201: Information Exposure Through Sent Data|0|HTTP|-",
     "CVE-2013-0249.html|7.26.0|7.28.1|SASL buffer overflow|CVE-2013-0249|20130206|20130130|CWE-121: Stack-based Buffer Overflow|0|mail|OVERFLOW",
     "CVE-2011-3389.html|7.10.6|7.23.1|SSL CBC IV vulnerability|CVE-2011-3389|20120124|20120119|CWE-924: Improper Enforcement of Message Integrity|0|TLS|-",
     "CVE-2012-0036.html|7.20.0|7.23.1|URL sanitization vulnerability|CVE-2012-0036|20120124|20111222|CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')|0|URL|-",