curl vulnerabilities ironed out with patches after week-long tease

October 11, 2023 at 06:09AM

The latest version of the curl command line transfer tool was released today, addressing two separate vulnerabilities. The first vulnerability is a heap-based buffer overflow flaw that affects both libcurl and the curl tool. The second vulnerability is a less-severe cookie injection flaw that only affects libcurl. Users are advised to upgrade to the latest version to mitigate these vulnerabilities. The patches were released earlier than scheduled due to an early leak. There are calls to rewrite applications in memory-safe languages like Rust and Go, but there are currently no plans to switch curl from C to a memory-safe language.

Key Takeaways from the Meeting Notes:

1. The latest version of the curl command line transfer tool was released today, addressing two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546.

2. CVE-2023-38545 is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, with a severity rating of “high.” It can be triggered during a slow SOCKS5 proxy handshake, due to mishandling of hostnames longer than 255 bytes. It can lead to data corruption and arbitrary code execution.

3. CVE-2023-38546 is a less-severe cookie injection flaw that only affects libcurl. It involves the cloning of “easy handles” and can potentially result in cookie injection if specific conditions are met.

4. Applications using libcurl 7.69.0 up to and including 8.3.0 are advised to upgrade to version 8.4.0. Applications that haven’t set the preferred receive buffer size or have set it to less than 65541 bytes are particularly vulnerable.

5. The default configuration of the curl tool protects against CVE-2023-38545, but applications using libcurl may need to make changes.

6. The patch for CVE-2023-38545 returns an error when encountering hostnames longer than 255 bytes.

7. The vulnerabilities were initially due to be disclosed at 0600 UTC but were prematurely released by Red Hat’s CentOS Stream project on GitLab.

8. Coordinated vulnerability disclosures can be challenging, especially when time zones are involved.

9. There have been calls to rewrite applications in newer languages like Rust and Go to address memory safety issues. Although curl acknowledges the benefits of memory-safe languages, there are currently no plans to switch from C, but the possibility of replacing the HTTP backend with Rust-coded Hyper is being considered.
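The 255-byte boundary in takeaway 2 comes from the SOCKS5 wire format (RFC 1928): when the client asks the proxy to resolve a name, the name travels behind a one-byte length prefix, so anything longer simply cannot be encoded. The C snippet below is an added example, not curl's own code; it builds such a CONNECT request and refuses over-long names and under-sized output buffers with an error, which is the behaviour the 8.4.0 patch adopts instead of silently switching code paths.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical encoder, not libcurl code: SOCKS5 CONNECT with a
 * domain-name target (ATYP 0x03). Layout: VER CMD RSV ATYP LEN NAME PORT. */
#define SOCKS5_MAX_NAME    255   /* one-byte length field */
#define SOCKS5_VER         0x05
#define SOCKS5_CMD_CONNECT 0x01
#define SOCKS5_ATYP_DOMAIN 0x03

/* Returns the number of bytes written to out, or -1 on error. */
int socks5_build_connect(const char *host, uint16_t port,
                         unsigned char *out, size_t out_len)
{
    size_t hostlen = strlen(host);
    size_t need;

    if (hostlen == 0 || hostlen > SOCKS5_MAX_NAME)
        return -1;              /* cannot fit the 1-byte length field */

    need = 4 + 1 + hostlen + 2; /* header + len byte + name + port */
    if (out_len < need)
        return -1;              /* caller's buffer too small: refuse, never overflow */

    out[0] = SOCKS5_VER;
    out[1] = SOCKS5_CMD_CONNECT;
    out[2] = 0x00;              /* RSV */
    out[3] = SOCKS5_ATYP_DOMAIN;
    out[4] = (unsigned char)hostlen;
    memcpy(out + 5, host, hostlen);
    out[5 + hostlen] = (unsigned char)(port >> 8);   /* port, network order */
    out[6 + hostlen] = (unsigned char)(port & 0xff);
    return (int)need;
}

/* Convenience: encode a constructed name of namelen 'a' characters. */
int socks5_try_name_len(size_t namelen)
{
    unsigned char buf[512];
    char name[600];
    if (namelen >= sizeof(name))
        return -1;
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    return socks5_build_connect(name, 443, buf, sizeof(buf));
}

int main(void)
{
    printf("11-byte name  -> %d bytes\n", socks5_try_name_len(11));  /* 18 */
    printf("299-byte name -> %d (rejected)\n", socks5_try_name_len(299)); /* -1 */
    return 0;
}
```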
