Curl Preps For "Probably The Worst Curl Security Flaw In A Long Time"

• #11
  Originally posted by EphemeralEft
  There it is. We can all go home, folks.

  Rewrite it in PHP. Sure, it will be a security hellscape, but the odds of you being able to run it are slim, as nothing will run unless using the version from yesterday, I mean, today, I mean from two minutes ago.


• #12
  Originally posted by Danny3
  Cool that most Linux distros / package managers use the dependency system, and once the library is updated all programs that use it are good.

  Not sure I can say the same thing about programs distributed in the Flatpak or Snap format.
  I assume that there, if the program's developer / maintainer doesn't update the program with the new version of the dependency, you are stuck with the old insecure one.

  Absolutely true. Same with Docker and statically built programs (like many Go apps) too.

  OTOH, an OS that doesn't update, or can't immediately, is also vulnerable, like most Androids more than a couple of years old.


• #13
  Originally posted by juxuanu
  Rewrite it in Rust.

  I know you were just yanking people's chains, but, sadly, curl isn't part of coreutils, which already has a Rust counterpart. The approach for Rust seems to be to simply wrap libcurl: https://docs.rs/curl/latest/curl/


• #14
  What's the nature of these security flaws? Memory? Or what?

  The article is not informative at all.


• #15
  Originally posted by timofonic
  What's the nature of these security flaws? Memory? Or what?

  The article is not informative at all.

  They are still working on releasing an update, so for now (as stated in the article) the information is limited to avoid immediate exploitation.


• #16
  Originally posted by peterdk
  They are still working on releasing an update, so for now (as stated in the article) the information is limited to avoid immediate exploitation.

  Smart hackers are already making use of it, anyway...

  Security by obscurity is retarded!


• #17
  Originally posted by bug77
  I know you were just yanking people's chains, but, sadly, curl isn't part of coreutils, which already has a Rust counterpart. The approach for Rust seems to be to simply wrap libcurl: https://docs.rs/curl/latest/curl/

  That's simply a wrapper around a C library. Any language has that.

  What most of the people here don't know is that libcurl started looking into Rust quite a long time ago - https://daniel.haxx.se/blog/2020/10/...rl-with-hyper/


• #18
  Originally posted by Danny3
  Cool that most Linux distros / package managers use the dependency system, and once the library is updated all programs that use it are good.

  Not sure I can say the same thing about programs distributed in the Flatpak or Snap format.
  I assume that there, if the program's developer / maintainer doesn't update the program with the new version of the dependency, you are stuck with the old insecure one.

  Also every single Windows/macOS application that uses libcurl (in this example), which would be quite a lot, exhibits the exact same problem, and yet there are people complaining about how distros work and that we should adopt more of the way Windows and macOS distribute software...

  Originally posted by timofonic
  What's the nature of these security flaws? Memory? Or what?

  The article is not informative at all.

  That is all the information that Daniel has released, even to us curl devs, so he is keeping the info for this one quite close and only to a select internal group of devs.
  Last edited by F.Ultra; 09 October 2023, 11:18 AM.
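Added example (not code from this thread or from the curl project) illustrating the point made in #12 and #18: a distro-packaged, dynamically linked libcurl is fixed by one package update, but every bundled copy (Flatpak/Snap, Docker images, statically built binaries, Windows/macOS apps shipping their own libcurl) has to be found and updated on its own. The script classifies a binary as using the system's shared libcurl, carrying its own bundled copy, or not using libcurl at all, and flags copies older than a fix version passed on the command line. It assumes glibc-style `ldd` output and the `libcurl/X.Y.Z` banner string that libcurl builds into every copy (which survives static linking, so it also identifies vendored copies that `ldd` cannot see). The fix version is a parameter, not a value taken from the thread, and all sample inputs in the checks are constructed.

```python
"""Find the copies of libcurl a set of binaries depends on and flag old ones.

Added example, not code from this thread or from the curl project.
Assumes glibc-style `ldd` output and the "libcurl/X.Y.Z" banner string
that every libcurl build embeds (it survives static linking, so it also
identifies vendored copies that ldd cannot see).
"""
import re
import subprocess
import sys
from typing import Callable, Optional, Tuple

Version = Tuple[int, int, int]

# A glibc ldd line such as "libcurl.so.4 => /usr/lib/libcurl.so.4 (0x7f...)"
LDD_LIBCURL = re.compile(r"^\s*libcurl\.so\S*\s*=>\s*(?P<path>/\S+)")
# libcurl's version banner, present in the .so and in static builds alike
BANNER = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")


def libcurl_from_ldd(ldd_output: str) -> Optional[str]:
    """Path of the shared libcurl the loader would map, or None."""
    for line in ldd_output.splitlines():
        m = LDD_LIBCURL.match(line)
        if m:
            return m.group("path")
    return None


def embedded_version(data: bytes) -> Optional[Version]:
    """Version from the first libcurl/X.Y.Z banner found in raw bytes."""
    m = BANNER.search(data)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(binary: str, ldd_output: str,
           read_bytes: Callable[[str], bytes],
           fixed: Version) -> Tuple[str, Optional[Version], bool]:
    """Classify one binary.

    Returns (kind, version, needs_update) where kind is:
      "shared"  - loads the system libcurl; a distro package update fixes it
      "bundled" - carries its own libcurl (static link or vendored copy);
                  only a rebuild/reship of this program fixes it
      "none"    - no libcurl found
    """
    solib = libcurl_from_ldd(ldd_output)
    if solib is not None:
        kind = "shared"
        version = embedded_version(read_bytes(solib))
    else:
        version = embedded_version(read_bytes(binary))
        if version is None:
            return ("none", None, False)
        kind = "bundled"
    needs_update = version is not None and version < fixed
    return (kind, version, needs_update)


def scan(binary: str, fixed: Version) -> Tuple[str, Optional[Version], bool]:
    """Filesystem wrapper: run ldd and read the files. ldd may execute the
    target under some dynamic loaders, so point it only at trusted files."""
    proc = subprocess.run(["ldd", binary], capture_output=True, text=True)

    def read_bytes(path: str) -> bytes:
        with open(path, "rb") as fh:
            return fh.read()

    return assess(binary, proc.stdout, read_bytes, fixed)


if __name__ == "__main__":
    # usage: check_libcurl.py MAJOR.MINOR.PATCH BINARY...
    # The first argument is the version that carries the fix; take it from
    # the curl advisory once it is published (not a value from this thread).
    fixed_arg = tuple(int(x) for x in sys.argv[1].split("."))
    for path in sys.argv[2:]:
        kind, version, needs = scan(path, fixed_arg)
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{path}: {kind} libcurl {shown} {'UPDATE' if needs else 'ok'}")
```

Running it over the binaries inside a Flatpak, Snap or container image gives the per-copy inventory that the distro's package manager cannot provide for those formats. If running `ldd` on untrusted files is a concern, `readelf -d` lists the same `NEEDED` entries without involving the dynamic loader and can be substituted in `scan()`.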


• #19
  I'm curlious what that vulnerability is. See what I did there? ^_^

  I'm guessing it's a leak that either directly or indirectly allows code execution. Directly could for example be that data fetched through curl is also executed in some probably easy to trigger "facepalm" situation. Indirectly could be that there's a curl leak that isn't directly a security issue for curl itself but that other applications can abuse.

  Just guesswork, could also be something different.


• #20
  Originally posted by NotMine999
  Oh please. Just stop it. The retort of "Rewrite it in Rust" is getting older faster than all of my old girlfriends.

  Oh please. Just stop it. The retort of responding like this to a post that is obviously meant as a joke is getting older faster than all of my old girlfriends.