Skip to main content

#curl 8.9.0 is out: https://daniel.haxx.se/blog/2024/07/24/curl-8-9-0/

2 CVEs fixed
11 changes
260 bugfixes

by 80 contributors, out of which 47 authored commits

in 63 days since the previous release

curl 8.9.0 | daniel.haxx.se

daniel.haxx.se
#curl
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

CVE-2024-6197: freeing stack buffer in utf8asn1str. (severity medium) libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free() on a 4 byte local stack buffer.

https://curl.se/docs/CVE-2024-6197.html

curl - freeing stack buffer in utf8asn1str - CVE-2024-6197

curl.se
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

CVE-2024-6874: macidn punycode buffer overread. (severity low) libcurl’s URL API function curl_url_get() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly – but does not null terminate the string.

https://curl.se/docs/CVE-2024-6874.html

curl - macidn punycode buffer overread - CVE-2024-6874

curl.se
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
#curl 8.9.0 release video live-streams at 08:00 UTC https://www.twitch.tv/curlhacker

curlhacker - Twitch

I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Twitch
#curl
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
the original macidn #curl report is now disclosed on hackerone: https://hackerone.com/reports/2604391

curl disclosed on HackerOne: CVE-2024-6874: macidn punycode buffer...

libcurl at commit [58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c](https://github.com/curl/curl/tree/58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c) contains a stack-buffer overread in...
HackerOne
#curl
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
The original #curl free-stack report is now disclosed on hackerone: https://hackerone.com/reports/2559516

curl disclosed on HackerOne: CVE-2024-6197: freeing stack buffer in...

Libcurl at commit [04739054cdac5a0614fb94e3655e313c03399f35](https://github.com/curl/curl/tree/04739054cdac5a0614fb94e3655e313c03399f35) contains an invalid invocation of `free()` in the function...
HackerOne
#curl
in reply to daniel:// stenberg://

Dov Murik
Dov Murik

I'm curious about this bug. From the description it seems that any time that free(buf) was called, the process will crash. So if it hasn't occurred in curl CI tests, we should see this line was not covered (assuming we have some coverage reports). I don't think that 100% coverage is a must, but maybe we can look at uncovered lines for sensitive operations?

(Thank you for all your work on curl. It's awesome.)

in reply to Dov Murik

daniel:// stenberg://
daniel:// stenberg://

@dubek many libc versions actually just refuse it, most cases will crash but there can be cases where it does more harm.

The line was (quite obviously) not reached in our tests and yes it would be awesome if it did. We'd welcome help to increase test coverage.

Test coverage in highly portable code with billions of build combinations is a challenge.

@Dov Murik
in reply to daniel:// stenberg://

Jim Fuller
Jim Fuller
and (finally) official curl container 8.9.0 is available, try it out > podman run docker.io/curlimages/curl:8.9.0 -V

daniel:// stenberg:// reshared this.