CVE-2023-38545.md: add additional info

RyotaK found a way to exploit the bug by crafting a hostname so that the
SOCKS connection completes successfully but to a different hostname and
port, and possibly arbitrary data is sent to that different host before
the "expected" request is sent on that same connection.

The impact is limited because control characters and null are not
allowed in the hostname.

Ref: https://hackerone.com/ryotak?type=user

Closes #308

.github/scripts/spellcheck.words

@@ -175,6 +175,7 @@ DNS
 dns
 dnsop
 DoH
+DoS
 doxygen
 drftpd
 dsa
@@ -652,6 +653,7 @@ runtime
 Ruslan
 rustc
 rustls
+RyotaK
 Sagula
 SanDisk
 SAS

docs/CVE-2023-38545.md

@@ -91,6 +91,22 @@ Severity: High
 
 HackerOne: https://hackerone.com/reports/2187833
 
+ADDITIONAL INFO
+---------------
+
+Since the posting of this advisory, security researcher
+[RyotaK](https://hackerone.com/ryotak?type=user) has
+[notified](https://github.com/curl/curl-www/pull/308) that even if the buffer
+size is large enough to prevent heap overflow an attacker can still use the
+integer overflow of hostname length in conjunction with a crafted hostname
+longer than 255 characters to make the handshake complete successfully.
+
+In this scenario the crafted hostname contains a destination hostname, port and
+arbitrary data. The SOCKS server successfully connects to that host, sends the
+arbitrary data and then curl sends the "expected" request data on that same
+connection. The impact is limited because curl does not allow control
+characters and null in the hostname.
+
 AFFECTED VERSIONS
 -----------------