Curl/libcurl HIGH CVE-2023-38545 leaked early? (opens in new tab)

(gitlab.com)

56 pointsatyvr2y ago29 comments

29 comments

cURL's own tracker had a banner stating severity High to be released October 11.

It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.

EDIT: Why the downvotes? People don't like timezones or something?

qwertox2y ago

> The new version and details about the two CVEs will be published around 06:00 UTC on the release day.

https://github.com/curl/curl/discussions/12026 (2023-10-04T06:17:44Z)

junon2y ago

That has to do with curl itself, redhat isn't necessarily bound to that schedule and we don't know the discussion that happened privately prior to disclosure date.

2 more replies

1una2y ago

The patch was supposed to be published around 06:00 UTC on October 11. The commit is 13 hours early.

junon2y ago

Perhaps, but to be honest trying to coordinate times on a specific disclosure day is futile. I would imagine Daniel is aware of this phenomenon.

1 more reply

jo-m2y ago

The CVE page on curl.se is also online as of now: https://curl.se/docs/CVE-2023-38545.html

royce2y ago

"[PATCH] socks: return error if hostname too long for remote resolve

Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."

andersa2y ago

Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.

hyperman12y ago

While I agree with the general thrust of your comment, note that a) this is specifically adressed in Daniel's blog post b) He stated the reason why it's not happening right now multiple times already, and they seem well thought out. (Basically, the code base is huge and not easily converted, and there is no compiler support for some of the platforms libcurl supports).

Engineering is based on trade offs. In this specific case, the answer is no, unfortunately. This does of course not absolve new or smaller projects of this critique, but let's give curl a pass on this one.

andersa2y ago

Yeah, it was more of a general "old man yells at cloud" comment not aimed at anything in particular. It's just frustrating that we shouldn't have 99% of these vulnerabilities. Don't even have to go all the way with the borrow checking and rust, just basic bounds checks on all containers through templates would be a massive improvement over using C. Yes, the performance will degrade by some single digit %, but nobody cares.

> and there is no compiler support for some of the platforms libcurl supports

I feel like there are no serious platforms that don't have at least a C++ compiler for it. Or am I wrong there?

1 more reply

kramerger2y ago

While this is a double screw up, I really like how the patch corrected the original issue but also removed this complex and unlikely path.

badrabbit2y ago

The drama and suspense around this has been crazy lol. It's pretty bad but they hyped it up like it was the next log4j.

junon2y ago

KirillPanov2y ago

Wat.

So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked by your own proxy? Which rules out things like torsocks where you're running the proxy too.

Does this really merit all of last week's antics?

CGamesPlay2y ago

I don't totally think so? A malicious HTTPS server can redirect you to a fake URL with shell code in it. So it's applicable to everyone using SOCKSv5 proxies, and the attacker is not "your own proxy".

Maxious2y ago

You need to have a proxy running and configured to get to this codepath but the actual payload comes from a malicious URL/https server https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-ove...

kramerger2y ago

There are tons of shady open or semi-open proxies out there.

Ao7bei3s2y ago

There's also PAC/WPAD (https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Proto...). Together with some DHCP/ARP/DNS spoofing this might allow escalating from layer 2 connectivity (e.g. on a public wifi) to local root.

2 more replies

j / k navigate · click thread line to collapse

29 comments

junon2y ago

cURL's own tracker had a banner stating severity High to be released October 11.

It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.

EDIT: Why the downvotes? People don't like timezones or something?

qwertox2y ago

> The new version and details about the two CVEs will be published around 06:00 UTC on the release day.

https://github.com/curl/curl/discussions/12026 (2023-10-04T06:17:44Z)

junon2y ago

That has to do with curl itself, redhat isn't necessarily bound to that schedule and we don't know the discussion that happened privately prior to disclosure date.

2 more replies

1una2y ago

The patch was supposed to be published around 06:00 UTC on October 11. The commit is 13 hours early.

junon2y ago

Perhaps, but to be honest trying to coordinate times on a specific disclosure day is futile. I would imagine Daniel is aware of this phenomenon.

1 more reply

jo-m2y ago

The CVE page on curl.se is also online as of now: https://curl.se/docs/CVE-2023-38545.html

royce2y ago

"[PATCH] socks: return error if hostname too long for remote resolve

andersa2y ago

Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.

hyperman12y ago

andersa2y ago

> and there is no compiler support for some of the platforms libcurl supports

I feel like there are no serious platforms that don't have at least a C++ compiler for it. Or am I wrong there?

1 more reply

kramerger2y ago

While this is a double screw up, I really like how the patch corrected the original issue but also removed this complex and unlikely path.

badrabbit2y ago

The drama and suspense around this has been crazy lol. It's pretty bad but they hyped it up like it was the next log4j.

junon2y ago

KirillPanov2y ago

Wat.

So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked by your own proxy? Which rules out things like torsocks where you're running the proxy too.

Does this really merit all of last week's antics?

CGamesPlay2y ago

Maxious2y ago

You need to have a proxy running and configured to get to this codepath but the actual payload comes from a malicious URL/https server https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-ove...

kramerger2y ago

There are tons of shady open or semi-open proxies out there.

Ao7bei3s2y ago

2 more replies

j / k navigate · click thread line to collapse