Hyped up curl vulnerability falls short of expectations

October 12, 2023 at 10:34AM

Curl 8.4.0 has been released to address a high-severity security vulnerability (CVE-2023-38545), which had raised concerns about its impact. The release fixes two vulnerabilities: a high-severity heap buffer overflow bug and a low-severity cookie injection flaw. Exploiting the heap buffer overflow bug requires specific configurations and timing, making it less dangerous than expected. Nonetheless, users are advised to upgrade to the new version for safety.

Key takeaways:
1. Curl 8.4.0 has been released to address two security vulnerabilities: a high-severity heap buffer overflow bug (CVE-2023-38545) and a low-severity cookie injection flaw (CVE-2023-38546).
2. The heap buffer overflow bug is considered the worst security problem found in curl in a long time, but it is less dangerous than initially feared. Exploiting the vulnerability requires the curl client to be configured to use a SOCKS5 proxy and for automatic redirections to be enabled. A slow SOCKS5 connection to the remote site is also necessary.
3. The heap buffer overflow bug, while fairly easy to exploit, currently only leads to a denial of service attack, causing curl to crash rather than allowing code execution.
4. Most people using curl are not connecting through SOCKS5, so the bug would not affect them. However, cybersecurity researchers and developers who commonly use SOCKS5 proxies for testing and debugging may be more vulnerable.
5. Upgrading to the new version of curl (8.4.0) is recommended to patch the vulnerabilities and ensure security. More sophisticated exploits could potentially be developed in the future.
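
A triage sketch for takeaways 2 and 5, as an added example that is not part of the original article or of the curl project: it checks a `curl --version` banner against 8.4.0 and scans a curl command line for the two configuration preconditions named above. The function names, sample banners and hosts are constructed for illustration.

```python
import re
import shlex

FIXED = (8, 4, 0)  # release the article says patches both CVEs

def parse_curl_version(banner):
    """Read (major, minor, patch) from the first line of `curl --version`."""
    m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not a curl version banner")
    return tuple(int(part) for part in m.groups())

def is_patched(banner):
    return parse_curl_version(banner) >= FIXED

def exposure(command, env=None):
    """Return which of the article's configuration preconditions a command meets.

    Errs toward flagging: short-option clusters are scanned loosely. The third
    precondition (a slow SOCKS5 connection) is a network property and cannot
    be read from the command line.
    """
    args = shlex.split(command)
    found = set()
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        short = arg.startswith("-") and not arg.startswith("--")
        proxy = ""
        if arg in ("--location", "--location-trusted"):
            found.add("follows-redirects")
        elif arg in ("--socks5", "--socks5-hostname"):
            found.add("socks5-proxy")
        elif arg in ("--proxy", "--preproxy"):
            proxy = nxt
        elif short:
            if "L" in arg[1:].split("x")[0]:
                found.add("follows-redirects")
            if "x" in arg[1:]:
                proxy = arg[arg.index("x") + 1:] or nxt
        if proxy.lower().startswith("socks5"):
            found.add("socks5-proxy")
    for name, value in (env or {}).items():
        if name.lower().endswith("_proxy") and value.lower().startswith("socks5"):
            found.add("socks5-proxy")
    return found

def needs_attention(banner, command, env=None):
    """True when an unpatched curl is run with both preconditions present."""
    return not is_patched(banner) and len(exposure(command, env)) == 2
```

Distribution packages often backport fixes without changing the version number, so confirm a flagged host against the vendor's advisory before treating it as unpatched.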
