How I made a heap overflow in #curl
Let me talk CVE-2023-38545 a bit
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
How I made a heap overflow in #curl Let me talk CVE-2023-38545 a bit https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/ "we are a monster-sized US tech firm with almost a trillion dollar market cap.We are a bureaucratic nightmare so please give us the info for free instead of us having to help your open source project financially and we can keep using it for free in all eternity. kthxbye"
Show previous comments
Today we got what must be the most alarming first line in a newly file sec issue to #curl: "To replicate the issue, I have searched in the Bard about this vulnerability" ... followed by a complete AI hallucination where Bard has dreamed up a new issue by combining snippets from several past flaws. Creative, but hardly productive. Closed as bogus.
Show previous comments
"CVE-2020-19909 is everything that is wrong with CVEs" A claimed "9.8 CRITICAL" flaw in #curl that does not exist. https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
Show previous comments
@bagder As a way of saying how old I am without saying how old I am. Mitre used to have a mechanism that potential issues were assigned a CAN-number. Then the elite would vote if it was indeed a vulnerability. If so, a CAN would become a CVE. Of course this soon became a mess as the CANs piled up and checking if a CAN ended up as CVE just for reference became a dreadful chore. I guess you’re on the accepted risk end of the choice made to end the CAN/CVE naming and stick with CVE. Today in 2000, 23 years ago, we introduced #libcurl into the world. #curl 7.1 was the first release featuring a separate library for Internet transfers, that curl was then made to use. PHP adopted it almost instantly to become their default built-in transfer engine, which greatly helped the library "take off". libcurl was not an instant success but has gradually grown more popular over time. Over 23 years. Today we estimate 20 BILLION installations worldwide.
Show previous comments
@bagder Happy b'day! 🎉 The modern internet/devops would not be the same without your tools... @bagder also #curl is way more versatile and useful than #wget and is available as a #standalone #binary: No need to fiddle with shit: #ItJustWorks! #curl no longer supports the NSS TLS library: https://github.com/curl/curl/pull/11459 @bagder@mastodon.social for the uninitiated, what is the NSS TLS library and why was it removed? The #Gemini protocol seen by this #HTTP client person https://daniel.haxx.se/blog/2023/05/28/the-gemini-protocol-seen-by-this-http-client-person/ - tldr: I think they have some improvements left to do. Hi [name], I certainly am a lead developer of libcurl, but I have no contractual agreement with either XXXX or YYYY so I do not think I can be qualified as a provider or a vendor to you. In this context, I'm but an individual. We could arrange for a curl support contract to make me/us a provider. @bagder What kind of requests do you get? I have a feeling a large number of them has to do with certifying various aspects of the security of the software? How about questions about whether your developers are trained? #trurl turns 6 days old and reaches 1500 GitHub stars: https://github.com/curl/trurl Twenty-five years of curl: https://daniel.haxx.se/blog/2023/03/20/twenty-five-years-of-curl/ - 3600 words on the biggest events in #curl history, year by year.
Show previous comments
Thank you for curl! It's served me quite well over the years, and also served as proof to my engineer colleagues that this Technical Project Manager is no slouch, technically. 😸 I argue we (#curl) should NOT pay docker. Not give in to extortion. This might mean that someone else soon suddenly will register our name and can serve whatever image they want there. 5 *billion* pulls indicate there's a user or two that might fall victim for this. That's on docker, not us.
Show previous comments
This slide is from the #FOSDEM keynote by Dr. Steve Crawford of NASA from a few hours ago.
Show previous comments
Anyone know where I can watch the NASA #fosdem keynote online? Will it be on the fosdem website at some point? I frankly turned my head around and thought you'll be out there in the room btw Steve is at @crawfordsm here
Show previous comments
@bagder A shame that they haven't added support for rel="me" in markdown yet though. @bagder Couldn't get that to work with my Mastodon account; is this restricted to specific instances? I think naming projects prefixed with your programming language of choice is silly. I would never name my project... oh wait.
Show previous comments
When shown the huge list of operating systems curl runs on, people often ask me which is the strangest, or hardest, operating system to keep curl support for. The answer is always, and will probably always remain: Windows. No other operating system has so many custom, special, weird and quirky ways that require special-case solutions in the code.
Show previous comments
@bagder This has also been my experience. Linux and BSD, and anything POSIX-y is usually super-easy to support. Amiga OS is so-and-so. But Windows is terrible. And it says something that Windows is worse than Amiga OS. Sonic Frontiers is the brand new addition to my collection of screenshotted curl credits: https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
Show previous comments
@bagder Congrats! curl -H "Content-Type: application/fika" --data-url-encode "☕ 🍰 " https://curl.se
Show previous comments
|
@bagder Tell the truth, you actually found it in the Bard
@bagder I wonder if the upcoming bounds checked c rfc features from Apple in clang would be helpful at the very least as a defensive measure. but they also seem to be moving fairly slowly :(