A twenty-five years old #curl bug
daniel.haxx.se/blog/2024/12/12…
A twenty-five years old curl bug
I have talked about old curl bugs before, but now we have a new curl record. When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11.
daniel.haxx.se
SpaceLifeForm
in reply to daniel:// stenberg:// • • •
Kudos for admitting that it was your coding mistake.
So, this bug could have gotten its driver's license 9 years ago.
Was it found via fuzzing?
And no one actually ran into it?
daniel:// stenberg://
in reply to SpaceLifeForm • • •
SpaceLifeForm
in reply to daniel:// stenberg:// • • •
@harrysintonen
Debugging the old fashioned way.
Some of the craziest bugs are found by studying the code because otherwise no one may run into them for a very long time.
Harry Sintonen
in reply to daniel:// stenberg:// • • •
Indeed, it was all manual code review. Fuzzing can only go so far in detecting logic flaws (since logic flaws rarely result in a crash, they're quite difficult to instrument).
As background: I spotted some unrelated commit to the .netrc parsing code and that brought this ancient code to my attention. Fairly quickly I could see that *something* was off but couldn't put a pin on it immediately. After some pondering, I could figure out a scenario that would show a demonstrable information leak.