89
How I made a heap overflow in curl (daniel.haxx.se)
submitted 8 months ago by pnutzh4x0r@lemmy.ndlug.org to c/opensource@lemmy.ml
6 comments fedilink hide all child comments

In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545. This problem is the worst security problem found in curl in a long time. We set it to severity HIGH.

While the advisory contains all the necessary details. I figured I would use a few additional words and expand the explanations for anyone who cares to understand how this flaw works and how it happened.

top 6 comments
sorted by: hot top controversial new old
[-] onlinepersona@programming.dev 8 points 8 months ago

He brings up the "just rewrite in rust" argument. Curious as I am, I had a look and only found a single project that actually tried it https://github.com/TogarashiPepper/curl

It didn't get very far.

[-] the_ocs@lemmy.world 6 points 8 months ago

The argument for rust is memory safety, which allows you to avoid these very common, often serious, issues.

It's an argument that goes far beyond curl, and some random curl clone written in rust.

[-] Pantherina@feddit.de -1 points 8 months ago

Lol true thats a pretty small app

[-] makeasnek@lemmy.ml 5 points 8 months ago

These things happen, best you can do is fix them when they do and accept responsibility. Cheers to the devs. Memory-safe languages are the future

[-] macallik@kbin.social 3 points 8 months ago

Hmmmm. Maybe this is why Debian pushed a curl update today even though it was also upgraded in 12.2 four days ago

[-] 7heo@lemmy.ml 4 points 8 months ago* (last edited 8 months ago)

expired

this post was submitted on 11 Oct 2023
89 points (95.9% liked)

Open Source

28889 readers
148 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 4 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml