
#curl 8.9.0 is out: daniel.haxx.se/blog/2024/07/24…

2 CVEs fixed
11 changes
260 bugfixes

by 80 contributors, out of which 47 authored commits

in 63 days since the previous release

#curl

in reply to daniel:// stenberg://

CVE-2024-6197: freeing stack buffer in utf8asn1str. (severity medium) libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer.

curl.se/docs/CVE-2024-6197.htm…

in reply to daniel:// stenberg://

CVE-2024-6874: macidn punycode buffer overread. (severity low) libcurl’s URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly – but does not null terminate the string.

curl.se/docs/CVE-2024-6874.htm…
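The two CVE descriptions above each come down to a small defensive rule: an error path must never call free() on memory that lives on the stack, and a routine that fills a caller-provided fixed-size buffer must always keep room for the terminating NUL, so a name that would fill the buffer exactly has to be rejected rather than written. The C below is an added illustration written for this page; it is not curl's code, and copy_name_bounded, strbuf and decode_field are hypothetical names. The 256-byte buffer size mirrors the CVE-2024-6874 description; the UTF-8 check in decode_field is only a minimal byte filter, not a full validator.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical illustration of the two bug classes in the thread. Not curl's code. */

/* --- Pattern 1: bounded copy that always reserves room for the NUL ---
 * Copies namelen bytes of name into out[outlen] and terminates it.
 * Returns 0 on success, -1 when the name would fill or overflow the buffer
 * (a 256-byte name into a 256-byte buffer is the exact-fill case: the
 * terminator would have nowhere to go, so the request is refused). */
int copy_name_bounded(char *out, size_t outlen,
                      const char *name, size_t namelen)
{
    if (outlen == 0 || namelen >= outlen)
        return -1;
    memcpy(out, name, namelen);
    out[namelen] = '\0';
    return 0;
}

/* --- Pattern 2: small local buffer for short results, heap for long ones,
 * with a flag recording which is in use so no exit path frees stack memory --- */
struct strbuf {
    char small[4];   /* a tiny on-stack buffer, like the 4-byte one in CVE-2024-6197 */
    char *ptr;       /* always points at the buffer currently in use */
    size_t cap;
    int on_heap;     /* 1 only when ptr came from malloc() */
};

/* Reserve room for 'need' bytes plus a terminator. */
static int strbuf_reserve(struct strbuf *b, size_t need)
{
    if (need == (size_t)-1)
        return -1;                       /* need + 1 would wrap */
    if (need + 1 <= sizeof(b->small)) {
        b->ptr = b->small;
        b->cap = sizeof(b->small);
        b->on_heap = 0;
        return 0;
    }
    b->ptr = malloc(need + 1);
    if (!b->ptr)
        return -1;
    b->cap = need + 1;
    b->on_heap = 1;
    return 0;
}

/* Safe to call on every exit path: only heap memory is ever passed to free(). */
static void strbuf_release(struct strbuf *b)
{
    if (b->on_heap)
        free(b->ptr);
    b->ptr = NULL;
    b->cap = 0;
    b->on_heap = 0;
}

/* Validate 'in' with a minimal check (rejects embedded NUL and the bytes
 * 0xC0, 0xC1 and 0xF5..0xFF, which never occur in UTF-8) and return a copy.
 * On success returns 0 and sets *outp to a heap string the caller frees;
 * on invalid input returns -1 with *outp == NULL. */
int decode_field(const unsigned char *in, size_t inlen, char **outp)
{
    struct strbuf b;
    size_t i;

    *outp = NULL;
    if (strbuf_reserve(&b, inlen))
        return -1;

    for (i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c == 0 || c == 0xC0 || c == 0xC1 || c >= 0xF5) {
            strbuf_release(&b);          /* error path: never free()s b.small */
            return -1;
        }
        b.ptr[i] = (char)c;
    }
    b.ptr[inlen] = '\0';

    if (b.on_heap) {
        *outp = b.ptr;                   /* ownership moves to the caller */
        return 0;
    }
    *outp = malloc(inlen + 1);           /* short result: copy out of the stack buffer */
    if (!*outp) {
        strbuf_release(&b);
        return -1;
    }
    memcpy(*outp, b.ptr, inlen + 1);
    strbuf_release(&b);
    return 0;
}
```

The point of the on_heap flag is that the release helper is the only place free() appears, so an error discovered mid-parse (as in the ASN.1 case) cannot reach free() with a stack pointer; the point of the `namelen >= outlen` test is that an input exactly as long as the output buffer is treated as too long, which is the 256-byte case the IDN description mentions.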

in reply to daniel:// stenberg://

#curl 8.9.0 release video live-streams at 08:00 UTC twitch.tv/curlhacker
#curl

in reply to daniel:// stenberg://

the original macidn #curl report is now disclosed on hackerone: hackerone.com/reports/2604391
#curl

in reply to daniel:// stenberg://

The original #curl free-stack report is now disclosed on hackerone: hackerone.com/reports/2559516
#curl

in reply to daniel:// stenberg://

I'm curious about this bug. From the description it seems that any time that free(buf) was called, the process will crash. So if it hasn't occurred in curl CI tests, we should see this line was not covered (assuming we have some coverage reports). I don't think that 100% coverage is a must, but maybe we can look at uncovered lines for sensitive operations?

(Thank you for all your work on curl. It's awesome.)

in reply to Dov Murik

@dubek many libc versions actually just refuse it, most cases will crash but there can be cases where it does more harm.

The line was (quite obviously) not reached in our tests and yes it would be awesome if it did. We'd welcome help to increase test coverage.

Test coverage in highly portable code with billions of build combinations is a challenge.

in reply to daniel:// stenberg://

Thank you. I'll go look for the coverage reports to see what I can learn.

in reply to daniel:// stenberg://

and (finally) official curl container 8.9.0 is available, try it out > podman run docker.io/curlimages/curl:8.9.0 -V
