Curl 8.4 Released For Addressing A Big Security Vulnerability
Following the news from a few days ago that Curl was preparing to disclose its worst security flaw in a long time, Curl 8.4 is now available and sheds new light on the issue.
Curl 8.4 was released with this "high" severity security fix; another "low" severity security issue is also resolved, along with the usual bug fixing and feature work for this widely-used download library and the curl command-line utility for downloading files via various network protocols.
CVE-2023-38545 is the "high" severity security issue resolved in Curl 8.4. The Curl security page notes:
"This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.
When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.
If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.
...
If the used hostname is longer than the target buffer, there is a memcpy() that overwrites the buffer into the heap. The URL parser and possibly an IDN library (if curl is built with one) have to accept the hostname, which somewhat limits the set of available byte sequences that can be used in the copy.
For an overflow to happen it needs a slow enough SOCKS5 handshake to trigger the local variable bug, and the client using a hostname longer than the download buffer. Perhaps with a malicious HTTPS server doing a redirect to an especially crafted URL.
Typical server latency is likely "slow" enough to trigger this bug without an attacker needing to influence it by DoS or SOCKS server control."
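The 255-byte limit in the advisory comes from the SOCKS5 wire format: a domain-name address (ATYP 0x03) carries its length in a single octet. The builder below, an added example rather than curl's own code, enforces that limit at the point of the copy and refuses longer names instead of falling back or truncating; the host names and buffer sizes are constructed for illustration.

```c
/* Added example (not curl's code): build a SOCKS5 CONNECT request that
 * asks the proxy to resolve the hostname itself (ATYP = 0x03, RFC 1928).
 * The length field is one octet, so a name longer than 255 bytes cannot be
 * expressed and must be rejected before any memcpy() into a fixed buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_HOSTNAME 255
/* VER(1) CMD(1) RSV(1) ATYP(1) LEN(1) NAME(<=255) PORT(2) */
#define SOCKS5_REQ_MAX (4 + 1 + SOCKS5_MAX_HOSTNAME + 2)

/* Returns the request length written into out, or -1 if the hostname
 * cannot be carried in a SOCKS5 domain-name request or out is too small. */
int socks5_build_connect(const char *hostname, uint16_t port,
                         uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(hostname);
    if(hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return -1;                       /* refuse; never copy a too-long name */
    if(outlen < 4 + 1 + hlen + 2)
        return -1;                       /* caller's buffer cannot hold it */
    out[0] = 0x05;                       /* SOCKS version 5 */
    out[1] = 0x01;                       /* CMD: CONNECT */
    out[2] = 0x00;                       /* RSV */
    out[3] = 0x03;                       /* ATYP: DOMAINNAME */
    out[4] = (uint8_t)hlen;              /* single length octet */
    memcpy(&out[5], hostname, hlen);     /* bounded by the checks above */
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return (int)(7 + hlen);
}

/* Helper for the demo: build a request for a constructed name of namelen
 * 'a' characters and report the builder's result. */
int build_len_for(size_t namelen)
{
    char name[SOCKS5_MAX_HOSTNAME + 64];
    uint8_t req[SOCKS5_REQ_MAX];
    if(namelen >= sizeof(name))
        return -1;
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    return socks5_build_connect(name, 443, req, sizeof(req));
}

int main(void)
{
    printf("255-byte name -> %d bytes\n", build_len_for(255));
    printf("256-byte name -> %d\n", build_len_for(256)); /* rejected: -1 */
    return 0;
}
```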
The other security issue, rated "low", is "cookie injection with none file".
Meanwhile on the feature side, Curl 8.4 adds support for IPFS protocols via HTTP gateways. Curl 8.4 also drops support for legacy MinGW.org toolchains.
More details on all of the Curl 8.4 changes via curl.se.