Curl 8.4 Released For Addressing A Big Security Vulnerability


  • wswartzendruber
    replied
    Originally posted by ClosedSource View Post
    Rust is an obvious solution to several issues. But it does have some handicaps. C's advantage is that it's essentially frozen in time. You'll rarely come across code that your C compiler is too old to compile. Then different versions of your C compiler will behave relatively similarly.
    Languages like C++ and Rust are a moving target. It would be difficult for an LTS solution to find a compromise between keeping up with Rust releases to allow even backported Curl patches to compile while making sure all their stable (which might be old) software still compiles.
    IIRC, old Rust projects are supposed to build on new SDKs. This is why we're supposedly never going to see a Rust 2.0 or some such.

    New language features that break compatibility are added via language editions. But a binary can contain object code built from multiple language editions.


  • AlanTuring69
    replied
    Big shocker that it wouldn't have happened by using a memory safe language. Looking at all of the clowns who continually hate on rust because they're too old or too bad at their job to learn new programming languages.

    I wonder if they are the type to complain when a new hard hat comes out that reduces risk of injury due to falling objects by 10% with literally no consequences. "If you just don't get hit then you don't have to worry!!!!!!!!!!!!!"
    Last edited by AlanTuring69; 11 October 2023, 04:31 PM.


  • stormcrow
    replied
    Originally posted by willmore View Post

    Agreed, this is really niche. SOCKS proxy? Do people still use proxies?
    Proxies are common in environments where the traffic is being monitored for information security purposes (e.g. large corporations, governments, etc.). But this is a pretty specific set of circumstances that must all be true before the overflow is triggered. Not saying there aren't any, because libcurl is used by a huge amount of 3rd party software and people do silly things, but by default curl-the-tool requires passing additional arguments to make it cause the overflow + a SOCKS proxy + a URL with more than 255 bytes. Third party tools are an unknown. (And obviously the URL can be contrived by the attacker.)
    Last edited by stormcrow; 11 October 2023, 02:32 PM.
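
The 255-byte limit named in the comment above matches the SOCKS5 wire format (RFC 1928), where a domain name sent to the proxy sits behind a one-octet length field. The following is an added example, not part of the thread and not curl's code: a bounds-checked request encoder whose function name `socks5_build_connect` and sample inputs are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from RFC 1928 (SOCKS5). */
#define SOCKS5_VERSION     0x05
#define SOCKS5_CMD_CONNECT 0x01
#define SOCKS5_ATYP_DOMAIN 0x03
#define SOCKS5_MAX_NAME    255 /* the name length field is one octet */

/* Hypothetical helper (not curl's code): encode a CONNECT request that asks
 * the proxy to resolve `host`. Returns the number of bytes written, or -1
 * when the name cannot be encoded or `out` is too small. */
long socks5_build_connect(uint8_t *out, size_t out_size,
                          const char *host, uint16_t port)
{
    size_t hlen = strlen(host);

    /* Reject before touching the buffer: a name over 255 bytes does not fit
     * the one-octet length field, so the length byte would no longer match
     * the number of bytes copied. */
    if (hlen == 0 || hlen > SOCKS5_MAX_NAME)
        return -1;

    /* VER CMD RSV ATYP + LEN + name + 2-byte port */
    size_t need = 4 + 1 + hlen + 2;
    if (out_size < need)
        return -1;

    out[0] = SOCKS5_VERSION;
    out[1] = SOCKS5_CMD_CONNECT;
    out[2] = 0x00;                          /* reserved */
    out[3] = SOCKS5_ATYP_DOMAIN;
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);   /* network byte order */
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return (long)need;
}

int main(void)
{
    uint8_t buf[262];   /* largest possible request: 4 + 1 + 255 + 2 */
    char too_long[257]; /* constructed sample: a 256-byte name */
    memset(too_long, 'a', 256);
    too_long[256] = '\0';
    printf("example.com   -> %ld\n", socks5_build_connect(buf, sizeof buf, "example.com", 443));
    printf("256-byte name -> %ld\n", socks5_build_connect(buf, sizeof buf, too_long, 443));
    return 0;
}
```

The caller has to treat -1 as a hard failure for that connection, so an over-long name never reaches a fixed-size handshake buffer.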


  • willmore
    replied
    Originally posted by stormcrow View Post
    From the way the alert was written last week, I was anticipating some form of easily exploitable RCE in curl-the-tool or something much bigger than what this vulnerability actually is.
    Agreed, this is really niche. SOCKS proxy? Do people still use proxies?


  • stormcrow
    replied
    From the way the alert was written last week, I was anticipating some form of easily exploitable RCE in curl-the-tool or something much bigger than what this vulnerability actually is.


  • ClosedSource
    replied
    Rust is an obvious solution to several issues. But it does have some handicaps. C's advantage is that it's essentially frozen in time. You'll rarely come across code that your C compiler is too old to compile. Then different versions of your C compiler will behave relatively similarly.
    Languages like C++ and Rust are a moving target. It would be difficult for an LTS solution to find a compromise between keeping up with Rust releases to allow even backported Curl patches to compile while making sure all their stable (which might be old) software still compiles.


  • moltonel
    replied
    Originally posted by caligula View Post
    The only problem is, people often prefer curl in minimal Docker images because it's only ~210 kB while wget is ~460 kB.
    Code:
    -rwxr-xr-x 1 root root 478K Jun 22 09:30 /usr/bin/wget
    -rwxr-xr-x 1 root root 296K Oct 11 09:25 /usr/bin/curl
    -rwxr-xr-x 1 root root 727K Oct 11 09:25 /usr/lib64/libcurl.so.4.8.0
    Wget is smaller than curl.

    A rust alternative probably would use 2 to 10 MB of space.
    There are ways to keep rust binaries size in check. And if you want to reduce docker image size, you probably only want a curl-like tool in your builder image anyway.


  • moltonel
    replied
    Originally posted by colejohnson66 View Post
    Daniel even manages to say so without mentioning Rust (or any other memory-safe language):
    He does name Rust as the obvious rewrite language. And mentions that a partial/gradual rewrite is already kinda-sort-of very slowly happening.

    Kudos for tirelessly working on a tool that we all depend on.


  • Chewi
    replied
    Don't forget to include libcurl. That's a further 580kb on my Ubuntu system.


  • reba
    replied
    Originally posted by caligula View Post

    The only problem is, people often prefer curl in minimal Docker images because it's only ~210 kB while wget is ~460 kB. A rust alternative probably would use 2 to 10 MB of space. Not that much these days, but the size of the binaries also matters. They could also use Java instead, but a jlinked Java distribution would probably use 50 to 100 MB.
    Smaller rust executables
