daniel:// stenberg://

2 weeks ago • •

daniel:// stenberg://
2 weeks ago • •

strcpy can cause a buffer overflow

user finds strcpy in #curl code

user files a CRITICAL security report against #curl for using strcpy in source code. Proof? Well he did grep the code and it shows that it does indeed use strcpy...

Never a dull moment.

#curl

This entry was edited (2 weeks ago)

in reply to daniel:// stenberg://

Troed Sångberg

in reply to daniel:// stenberg:// • 2 weeks ago • •

At this moment I guess having your own CNA pays off though :D

in reply to daniel:// stenberg://

Ben Hardill

in reply to daniel:// stenberg:// • 2 weeks ago • •

This being the same one with the explicit bounds check just 1 line before that the AI was arguing about?

This entry was edited (2 weeks ago)

in reply to Ben Hardill

daniel:// stenberg://

in reply to Ben Hardill • 2 weeks ago • •

@ben it is certainly in the same spirit

@Ben Hardill

in reply to daniel:// stenberg://

Gary "grim" Kramlich

in reply to daniel:// stenberg:// • 2 weeks ago • •

this reminds me of reports of missing spf records for pidgin domains we weren't running email on.. Or the lack of DNSSEC on pidgin.im when .im domains don't support DNSSEC...

in reply to daniel:// stenberg://

ruffy

in reply to daniel:// stenberg:// • 2 weeks ago • •

now you have to pay a 10.000€ bug bounty! /s

in reply to daniel:// stenberg://

Aurimas Černius

in reply to daniel:// stenberg:// • 2 weeks ago • •

socket() function can cause security vulnerabilities, maybe need to scan for that too?

in reply to daniel:// stenberg://

Janek Bevendorff

in reply to daniel:// stenberg:// • 2 weeks ago • •

I hope he's directly reserved a CVE and already wrote a Medium post about his discovery which he will release in two weeks after the responsible disclosure period.

in reply to Janek Bevendorff

daniel:// stenberg://

in reply to Janek Bevendorff • 2 weeks ago • •

@phoerious we are a CNA now, we can reject any such shenanigans. We can filter on the ingress.

@Janek Bevendorff

in reply to daniel:// stenberg://

Janek Bevendorff

in reply to daniel:// stenberg:// • 2 weeks ago • •

I’ve considered doing the same, but so far it was too much of a hassle. But it would definitely cut back on Curriculum Vitae Enhancers.

in reply to daniel:// stenberg://

Julien

in reply to daniel:// stenberg:// • 2 weeks ago • •

free() can cause double free issues so why you using it ?

in reply to daniel:// stenberg://

Zehka

in reply to daniel:// stenberg:// • 2 weeks ago • •

coming up next: Writing data to memory can cause buffer overflows. CVE 10/10 critical.

in reply to daniel:// stenberg://

dtomvan

in reply to daniel:// stenberg:// • 2 weeks ago • •

Let me guess, the overflow can be triggered if the user specifies a ridiculously long option?

in reply to dtomvan

daniel:// stenberg://

in reply to dtomvan • 2 weeks ago • •

@dtomvan I don't think it can be triggered at all. The user also has not bothered to check...

@dtomvan

in reply to daniel:// stenberg://

yhukeee986

in reply to daniel:// stenberg:// • 2 weeks ago • •

tophomewarranty.online/manage.…

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// • 1 week ago • •

for educational purposes: hackerone.com/reports/2823554

curl disclosed on HackerOne: Buffer overflow in strcpy

**Buffer Overflow Exploit Analysis** The vulnerability in the program is a classic case of a buffer overflow, triggered by the unsafe use of the `strcpy()` function, which lacks bounds checking....

^HackerOne