Curl 8.4 Released For Addressing A Big Security Vulnerability

  • Curl 8.4 Released For Addressing A Big Security Vulnerability

    Phoronix: Curl 8.4 Released For Addressing A Big Security Vulnerability

    Following the news from a few days ago that Curl was prepping for its worst security flaw in a long time affecting the project, Curl 8.4 is now available and with new light on this issue...

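A check a defender can run against images and hosts that ship curl, added here as an example and not code from the article, the thread or the curl project: it parses the first line of `curl --version` and confirms that both the curl tool and the libcurl it links are at least 8.4, the release the article names as carrying the fix. The sample version lines are constructed, and the minimum version, the function names and the script path are assumptions.

```shell
#!/bin/sh
# Added example, not from the Phoronix thread or the curl project: check that an
# installed curl tool AND the libcurl it links are at least 8.4, the release the
# article reports as carrying the fix. The sample version lines are constructed.

MIN_VERSION="8.4.0"   # assumption: the release named in the article

# Constructed samples in the format of the first line of `curl --version`.
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13'
SAMPLE_OLD='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_MIXED='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9'

# ver_num "8.4.0" -> 8004000; missing fields count as 0, so "8.4" equals "8.4.0"
ver_num() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Version of the curl tool from a "curl X.Y.Z (...) libcurl/A.B.C ..." line
tool_version() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Version of the linked libcurl from the same line; the tool and the library can
# differ, which is why both are checked
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# check_version_line LINE : prints a verdict; returns 0 only when both the tool
# and its libcurl are >= MIN_VERSION, 1 when either is older, 2 when unparseable
check_version_line() {
    tool=$(tool_version "$1")
    lib=$(libcurl_version "$1")
    if [ -z "$tool" ] || [ -z "$lib" ]; then
        echo "unparseable version line: $1" >&2
        return 2
    fi
    status=0
    if [ "$(ver_num "$tool")" -lt "$(ver_num "$MIN_VERSION")" ]; then
        echo "curl tool $tool is older than $MIN_VERSION"
        status=1
    fi
    if [ "$(ver_num "$lib")" -lt "$(ver_num "$MIN_VERSION")" ]; then
        echo "libcurl $lib is older than $MIN_VERSION"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: curl $tool with libcurl $lib"
    fi
    return "$status"
}

# Usage: sh curl_check.sh /usr/bin/curl   (without an argument the constructed samples run)
if [ $# -gt 0 ]; then
    check_version_line "$("$1" --version | head -n 1)"
else
    for line in "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_MIXED"; do
        check_version_line "$line" || true
    done
fi
```

The mixed sample is the case worth keeping in mind when auditing images: a freshly built curl binary can still load a distribution libcurl that predates the fix, so a check that only looks at the tool version passes a host that should fail.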

  • #2
    Obligatory "Rust wouldn't've had a buffer overflow" comment

    Daniel even manages to say so without mentioning Rust (or any other memory-safe language):
    Yes, this family of flaws would have been impossible if curl had been written in a memory-safe language instead of C, [...]

  • #3
    Originally posted by colejohnson66:
    Obligatory "Rust wouldn't've had a buffer overflow" comment

    Daniel even manages to say so without mentioning Rust (or any other memory-safe language):
    The only problem is, people often prefer curl in minimal Docker images because it's only ~210 kB while wget is ~460 kB. A rust alternative probably would use 2 to 10 MB of space. Not that much these days, but the size of the binaries also matters. They could also use Java instead, but a jlinked Java distribution would probably use 50 to 100 MB.

  • #4
    Originally posted by caligula:
    The only problem is, people often prefer curl in minimal Docker images because it's only ~210 kB while wget is ~460 kB. A rust alternative probably would use 2 to 10 MB of space. Not that much these days, but the size of the binaries also matters. They could also use Java instead, but a jlinked Java distribution would probably use 50 to 100 MB.
    Smaller rust executables

  • #5
    Don't forget to include libcurl. That's a further 580kb on my Ubuntu system.

  • #6
    Originally posted by colejohnson66:
    Daniel even manages to say so without mentioning Rust (or any other memory-safe language):
    He does name Rust as the obvious rewrite language. And mentions that a partial/gradual rewrite is already kinda-sort-of very slowly happening.

    Kudos for tirelessly working on a tool that we all depend on.

  • #7
    Originally posted by caligula:
    The only problem is, people often prefer curl in minimal Docker images because it's only ~210 kB while wget is ~460 kB.
    Code:
    -rwxr-xr-x 1 root root 478K Jun 22 09:30 /usr/bin/wget
    -rwxr-xr-x 1 root root 296K Oct 11 09:25 /usr/bin/curl
    -rwxr-xr-x 1 root root 727K Oct 11 09:25 /usr/lib64/libcurl.so.4.8.0
    Wget is smaller than curl.

    A rust alternative probably would use 2 to 10 MB of space.
    There are ways to keep Rust binary sizes in check. And if you want to reduce docker image size, you probably only want a curl-like tool in your builder image anyway.

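The listing above covers the executables alone; the figure a minimal-image comparison needs is the executable plus the shared objects it loads, which is the point post #5 makes about libcurl. The script below is an added example, not code from the thread or the curl project: it sums the size of a binary together with every object the local `ldd` resolves for it. The function names, the script path and the KiB rounding are assumptions, and the totals it prints depend entirely on the local build.

```shell
#!/bin/sh
# Added example, not from the thread or the curl project: on-disk footprint of
# an executable plus every shared object ldd resolves for it, so that a
# curl-vs-wget comparison counts libcurl. Paths come from the local ldd.

# file_kib PATH : size of one file in KiB, rounded up
# (wc -c is portable; tr strips the padding some wc implementations print)
file_kib() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $(( (bytes + 1023) / 1024 ))
}

# sum_kib PATH... : total KiB over the arguments that are regular files; anything
# missing or not a regular file is skipped rather than aborting the sum
sum_kib() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        total=$(( total + $(file_kib "$f") ))
    done
    echo "$total"
}

# shared_libs BIN : absolute paths of the objects ldd resolves for BIN.
# Handles "libfoo.so => /path (addr)" lines and the loader's "/path (addr)" line;
# linux-vdso has no file, "not found" and "statically linked" yield no path.
shared_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# footprint_kib BIN : KiB used by BIN together with its resolved shared objects
footprint_kib() {
    [ -x "$1" ] || { echo "not an executable: $1" >&2; return 1; }
    # word-splitting the ldd output is intended: one path per line, no spaces expected
    sum_kib "$1" $(shared_libs "$1")
}

# Usage: sh footprint.sh /usr/bin/curl /usr/bin/wget
for bin in "$@"; do
    printf '%6s KiB  %s\n' "$(footprint_kib "$bin")" "$bin"
done
```

Objects shared with other programs in the image (libc, the TLS library) are counted once per binary, so the per-binary total is the footprint of that tool in isolation, not the marginal cost of adding it to an image that already ships those libraries.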
  • #8
    Rust is an obvious solution to several issues. But it does have some handicaps. C's advantage is that it's essentially frozen in time. You'll rarely come across code that your C compiler is too old to compile. Then different versions of your C compiler will behave relatively similarly.
    Languages like C++ and Rust are a moving target. It would be difficult for an LTS solution to find a compromise between keeping up with Rust releases to allow even backported Curl patches to compile while making sure all their stable (which might be old) software still compiles.

  • #9
    From the way the alert was written last week, I was anticipating some form of easily exploitable RCE in curl-the-tool or something much bigger than what this vulnerability actually is.

  • #10
    Originally posted by stormcrow:
    From the way the alert was written last week, I was anticipating some form of easily exploitable RCE in curl-the-tool or something much bigger than what this vulnerability actually is.
    Agreed, this is really niche. SOCKS proxy? Do people still use proxies?
