Infosec dabbler and sender of emails.

Our beloved cURL utility is afflicted with a heap buffer overflow (CVE-2023-38545) that looks like it requires a few separate conditions to be successful. Super interesting work by Ray Satiro. One day I might understand most of what he's written.

Have a look and then go check if your applications using libcurl are setting CURLOPT_BUFFERSIZE to smaller than 65541 or unset.

https://hackerone.com/reports/2187833

curl disclosed on HackerOne: CVE-2023-38545: socks5 heap buffer...

Summary: The SOCKS5 state machine can be manipulated by a remote attacker to overflow heap memory if four conditions are met: 1. The request is made via socks5h. 2. The state machine's negotiation buffer is smaller than ~65k. 3. The SOCKS server's "hello" reply is delayed. 4. The attacker sets a final destination hostname larger than the negotiation buffer. libcurl is supposed to disable...

HackerOne

Some context from the maintainer here. Not much here but it might be worth dusting off your notes on the Log4j response, especially around getting a handle on software inventory.

https://github.com/curl/curl/discussions/12026

Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...

GitHub
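A triage helper for the CURLOPT_BUFFERSIZE check in the first post and the inventory pass the second post alludes to, as an added example that is not code from the posts, the HackerOne report or the curl project. It assumes the first line of `curl --version` as the version input, the 8.4.0 fix version from the discussion, and the 65541-byte buffer threshold and socks5h condition from the posts; the output labels are made up here.

```shell
#!/bin/sh
# Added example, not from the original posts. Classifies a host/application
# against the conditions in the linked report: libcurl older than the 8.4.0
# fix, a socks5h:// proxy, and a CURLOPT_BUFFERSIZE below 65541 bytes.
# Input formats (version line, proxy URL, buffer size) are assumptions.

# Pull the libcurl version out of the first line of `curl --version`,
# e.g. "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10".
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# version_lt A B: exit 0 when dotted version A is older than B (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# cve_2023_38545_status VERSION_LINE PROXY_URL BUFFERSIZE
#   VERSION_LINE: first line of `curl --version` on the host
#   PROXY_URL:    proxy the application (or its environment) hands to libcurl
#   BUFFERSIZE:   CURLOPT_BUFFERSIZE the application sets, empty if unset
# Prints one of: unknown, fixed, unpatched, mitigated, exposed.
cve_2023_38545_status() {
    ver=$(libcurl_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    if ! version_lt "$ver" 8.4.0; then echo fixed; return; fi
    case "$2" in
        socks5h://*) ;;                 # remote-resolving SOCKS5: condition 1 is met
        *) echo unpatched; return ;;    # old libcurl, but the socks5h path is not in use
    esac
    # Condition 2 from the report: a buffer of at least 65541 bytes (the
    # threshold quoted in the post) is the configuration the post asks you to verify.
    if [ -n "$3" ] && [ "$3" -ge 65541 ] 2>/dev/null; then echo mitigated; return; fi
    echo exposed
}
```

Run it per host with `cve_2023_38545_status "$(curl --version | head -n1)" "$https_proxy" ""` and record the result alongside your software inventory.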

Can anyone add some sanity to the discussion around the cURL CVEs (CVE-2023-38545 and CVE-2023-38546) being published soon?

I've hit my quota for statements like "this WILL impact MILLIONS of devices in our org" and "we will literally need a new vulnerability severity tier to address this".

#curl #CVE202338545 #CVE202338546 #vulnerability