Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 (CVE-2023-38545) · curl/curl · Discussion #12026
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 (CVE-2023-38545) · curl/curl · Discussion #12026
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...
Posted on twitter by Curl author Daniel Stenberg - https://nitter.cz/bagder/status/1709103920914526525
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.
... But this time actually the worst security problem found in curl in a long time
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
Who also guesses buffer overflow or use-after-free?
14ReplyBuffer overflows are like Lupus in House M.D.
12ReplyIt’s not overflow. It’s never overflow.
5Reply
Why don't they just rewrite it in rust? It would be much safer right?
-5ReplyI think that's been asked before. That'd be a massive undertaking, and they also support architectures that I don't think Rust does (yet).
16ReplyYou can already use experimental hyper backend (written in rust) for http stuff in curl https://aws.amazon.com/blogs/opensource/how-using-hyper-in-curl-can-help-make-the-internet-safer/ I wonder if the vulnerability touches this use case as well
2ReplyThe lead developer's view: https://daniel.haxx.se/blog/2021/05/20/i-could-rewrite-curl/
1Reply
I want to thank the
curl
developers for taking security issues seriously to keep me safe.Now I'm going to go pipe another
curl
script output directly into asudo bash
command. /sWe need a version of
/s
for "I'm not actually doing this right now... but we know I still will..." 12Reply