Curl/libcurl HIGH CVE-2023-38545 leaked early?(gitlab.com) |
Curl/libcurl HIGH CVE-2023-38545 leaked early?(gitlab.com) |
It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.
EDIT: Why the downvotes? People don't like timezones or something?
https://github.com/curl/curl/discussions/12026 (2023-10-04T06:17:44Z)
Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
Engineering is based on trade offs. In this specific case, the answer is no, unfortunately. This does of course not absolve new or smaller projects of this critique, but let's give curl a pass on this one.
> and there is no compiler support for some of the platforms libcurl supports
I feel like there are no serious platforms that don't have at least a C++ compiler for it. Or am I wrong there?
So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked by your own proxy? Which rules out things like torsocks where you're running the proxy too.
Does this really merit all of last week's antics?
It's a valid question.
Usually ubiquitous projects like this will privately distribute patches to large distros or corps so they can push security updates or at least prepare to push them on the disclosure date so that risk of exploit is lower by the date of disclosure. Otherwise there would be a lag and people would be more exposed for a period after disclosure.
Edit: To answer your response, @Ao7bei3s, all great and well theoretically.. I am looking forward to being wrong, and I am eager to see what you can come up with to root or exfiltrate my MacOS with this.
* Buffer overflows tend to lead to remote code execution which is the most serious outcome and should always be treated as serious by default.
* libcurl is absolutely everywhere, not only in corporate networks.
* There is no such things as a trustworthy network; corporations are moving away from that model as it just doesn't work (zero trust). I can think of plenty of ways a motivated attacker might get L2 access to a corporate network if they aren't too picky about what they get access to, when and how long.
* Users can connect work devices to non-corporate networks. The generic example used to be coffee shops, now there's WFH.
* Non-corporate users matter too.
* Horizontal privilege escalation. Chaining multiple exploits into a successful attack is table stakes for modern attackers.
* It was only an example. There is a long history of people (especially those employed by companies with vulnerable products, though that's not the case here) being dismissive about exploitability and wrong about it.
If you want to critique my comment, point out that libcurl didn't actually merge libproxy which would've brought WPAD support... but my real point is that one should not dismiss a buffer overflow in libcurl.
Along the lines of "they've proven they can't be trusted", kind of thing.