Curl 8.4 Released For Addressing A Big Security Vulnerability

Written by Michael Larabel in Linux Networking on 11 October 2023 at 06:46 AM EDT. 22 Comments
LINUX NETWORKING
Following the news from a few days ago that Curl was prepping for its worst security flaw in a long time affecting the project, Curl 8.4 is now available and with new light on this issue.

Curl 8.4 was released with this "high" level security fix, another "low" security issue is also resolved, and then the usual bug fixing and feature work to this widely-used downloading library and curl command-line utility for downloading files via various network protocols.

CVE-2023-38545 is the "high" security issue resolved in CVE 8.4. The Curl security page notes:
"This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.

If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.
...
If the used hostname is longer than the target buffer, there is a memcpy() that overwrites the buffer into the heap. The URL parser and possibly an IDN library (if curl is built with one) have to accept the hostname, which somewhat limits the set of available byte sequences that can be used in the copy.

For an overflow to happen it needs a slow enough SOCKS5 handshake to trigger the local variable bug, and the client using a hostname longer than the download buffer. Perhaps with a malicious HTTPS server doing a redirect to an especially crafted URL.

Typical server latency is likely "slow" enough to trigger this bug without an attacker needing to influence it by DoS or SOCKS server control."

The other security issue pertains to just having cookie injection with none file.

Meanwhile on the feature side, Curl 8.4 adds support for IPFS protocols via HTTP gateways. Curl 8.4 also drops support for legacy MinGW.org toolchains.

curl logo


More details on all of the Curl 8.4 changes via curl.se.
22 Comments
Related News
Samba 4.20 Released With WSP Search Client, Service Witness Protocol
Many Networking Improvements & New Wired/Wireless Devices For Linux 6.9
Cloudflare Makes Pingora Rust Framework Open-Source
NetworkManager 1.46 Can Now Manage Ethtool EEE Settings, IPv4 DAD Default & 2FA VPNs
Linux 6.8 Network Optimizations Can Boost TCP Performance For Many Concurrent Connections By ~40%
The First Rust-Written Network PHY Driver Set To Land In Linux 6.8
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
systemd Rolling Out "run0" As sudo Alternative
Fedora Linux 40 Available For Download As A Wonderful Upgrade
Microsoft Open-Sources MS-DOS 4.0 Under MIT License
Systemd 256-rc1 Brings A Huge Number Of New Features
NVIDIA Developer Opens Feature Pull Request For Open-Source NVK Driver
Rust-Based Coreutils 0.0.26 Increases Compatibility With GNU Coreutils
Ubuntu 24.04 LTS Downloads Now Available
Proton 9.0 RC2 Makes More Windows Games Playable On Linux, Other Fixes