Upgrade to libcurl >= 8.4.0 #72

Closed
copperlight opened this issue Oct 9, 2023 · 4 comments

@copperlight
Collaborator

curl/curl#12026

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time.

The new version and details about the two CVEs will be published around 06:00 UTC on the release day.

CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
CVE-2023-38546: severity LOW (affects libcurl only, not the tool)

There is no API nor ABI change in the coming curl release.

I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The "last several years" of versions is as specific as I can get.

We have notified the distros mailing list allowing the member distributions to prepare patches. (No one else gets details about these problems before October 11 without a support contract and a good reason.)

Now you know. Plan accordingly.

@copperlight
Collaborator Author

Since we use Conan, we'll have to wait for the new release to percolate through, sometime after Oct 11 - hopefully it is quick. Version 8.2.1 is currently the latest available recipe.

https://conan.io/center/recipes/libcurl?version=8.2.1

@copperlight
Collaborator Author

https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/

An attacker that controls an HTTPS server that a libcurl using client accesses over a SOCKS5 proxy (using the proxy-resolver-mode) can make it return a crafted redirect to the application via a HTTP 30x response.

If the libcurl using client has automatic redirect-following enabled, and the SOCKS5 proxy is “slow enough” to trigger the local variable bug, it will copy the crafted host name into the too small allocated buffer and into the adjacent heap memory.

A heap buffer overflow has then occurred.

Since we do not use the SOCKS5 protocol in this project, we are not affected by this vulnerability, but we should still update to the latest anyways.

Conancenter does not yet have the latest version.
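
A triage check for the conditions discussed in this thread, added here as an example and not code from this project or from curl: it reads a Conan requirements file for an exact libcurl pin below 8.4.0 and looks for a `socks5h://` (proxy-resolver mode) proxy in the environment variables libcurl honors. The function names, status strings and sample inputs are assumptions constructed for illustration; a proxy set programmatically through `CURLOPT_PROXY` is not covered.

```python
import re

FIXED = (8, 4, 0)  # first release carrying the fix, per the issue title
# Exact Conan reference such as "libcurl/8.2.1", optionally followed by
# @user/channel or #revision. Version ranges like "libcurl/[>=8.4.0]" do not match.
REF = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)\b")
# Proxy variables that libcurl reads from the environment.
PROXY_VARS = ("all_proxy", "ALL_PROXY", "https_proxy", "HTTPS_PROXY", "http_proxy")


def pinned_libcurl(conanfile_text):
    """Return the exact libcurl pin as a (major, minor, patch) tuple, or None."""
    for line in conanfile_text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        match = REF.search(line)
        if match:
            return tuple(int(part) for part in match.groups())
    return None


def socks5h_proxies(env):
    """Names of proxy variables that select SOCKS5 with proxy-side resolution."""
    return [name for name in PROXY_VARS
            if env.get(name, "").lower().startswith("socks5h://")]


def triage(conanfile_text, env, follows_redirects):
    """Classify a build against the scenario quoted in the comment above."""
    version = pinned_libcurl(conanfile_text)
    if version is None:
        return "unknown"  # no exact pin: resolve the lockfile and check by hand
    if version >= FIXED:
        return "fixed"
    if socks5h_proxies(env) and follows_redirects:
        return "outdated-exposed"  # prioritise the upgrade
    return "outdated-not-exposed"  # still upgrade, as the comment concludes


# Constructed sample input, not taken from the project's repository.
SAMPLE_CONANFILE = """[requires]
# libcurl/8.4.0 is not on ConanCenter yet
libcurl/8.2.1
"""

if __name__ == "__main__":
    import os
    print(triage(SAMPLE_CONANFILE, dict(os.environ), follows_redirects=True))
```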

@copperlight
Collaborator Author

There is an open PR to bump the libcurl version in Conancenter:

conan-io/conan-center-index#19769

@copperlight
Collaborator Author

Fixed with the following dependency update:

#82
