@bsi As a Federal Office it's not easy to do cherry-picking - even for system critical projects like #curl if the tools developed are not agnostic. A OSV-CSAF converter would be possible, but OSV is lacking Information mandatory for CSAF. On a personal note: my last perl-programming was 1998 - therefore I won't make any promises what I might or might not be able to contribute in my spare time or how long it would take.
The number of lines of code in #curl has of course exploded over time, from 100 in late 1996 to almost 180,000 today, but interestingly our tests seem to generally keep up. Number of tests per KLOC is now over 12. (and yes, a single test can be very simple or very complex, it's not a very precise measurement)
One way we work on making #curl code safer (with fewer mistakes) is by using more helper functions and fewer direct calls to *alloc() and mem/strcpy().
Since reported vulnerabilities generally are really old, we can't know yet for several years if it actually has the desired effect.
I plot the memory call density to see how it goes.
However, it's the classic chicken-egg problem: Why should I start? The answer is: #curl is a mature project and can lead the way. We are happy to help you and others getting started. Feel free to reach out to our #CSAF team at csaf@bsi.bund.de.
Hello people involved in distros and/or CVEs! Is CSAF something you care about? Should projects such as #curl bother about it and perhaps even provide CVE data in this format?
The other day we celebrated everything curl turning 5 years old, and not too long after that I got myself this printed copy of the Chinese translation in my hands! This version of the book is available for sale on Amazon and the translation was done โฆ
Recognition - with Daniel Stenberg. A walk-through of awards, recognition and the medals Daniel has received during the years doing #curl and Open Source.
A common AI slop pattern in #curl reports we see is when the AI finds an internal function somewhere in libcurl and then generates a POC for the user that uses this internal function in a way that makes it misbehave/crash. But internally we don't use the function like that, and wouldn't, because then it fails.
Fixes #19228
The current code checks if a line starts with . which doesn't match the RFC spec. Per RFC 2449, the CAPA response terminator is a line containing only a single dot (plus CRLF).
Whi...
๐ง Summary
Fixes a double free in free_config_fields() .
๐ Details
Double free bug in src/tool_cfgable.c.
At lines 104โ105 and 187โ188, config->proto_str and config->proto_redir_str are each ...
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE algorithms to a static table:
openssl/openssl@b8f702a
I have had multiple persons tell me recently that they truly hesitated and made really sure they didn't submit slop before they filed their first security reports to #curl.
Meaning: public shaming seems to at least partially work. Banning, taunting and ridiculing the fools works as a reminder for people to maybe think again and make sure.
In November 2022, after I had been keeping track and adding names to this slide for a few years already, we could boast about curl having run on 89 different operating systems and only one year later we celebrated having reached 100 operating systemsโฆ
#curl gets some of the worst #AIslop "vulnerabilities" reported to it via Hackerone: Here we have a fake 90s exploit assuming executable stack and x86 arch. Someone seriously passing this as their own research is stupid beyond belief.
#curl binary builds at curl.se/windows/ started using a fresh public suffix list, and will bump them regularly. (no longer relying on the copy bundled with libpsl, which is almost 2 years old) github.com/curl/curl-for-win/cโฆ
Replacing the public suffix list bundled with libpsl.
The original promise / expectation was that libpsl sees regular updates,
and a psl update with it, but the latest release is soon to be 2 year...
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.
## Summary:
Buffer overflow vulnerability in curl's WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib/ws.c:1287 where...
The Royal Swedish Academy of Sciences (IVA, the same org that selects winners for three of the Nobel prize categories) awards me a gold medal 2025 for my work on curl.
