
Curl/libcurl HIGH CVE-2023-38545 leaked early?

56 points| atyvr | 2 years ago |gitlab.com

29 comments


junon|2 years ago

cURL's own tracker had a banner stating severity High to be released October 11.

It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.

EDIT: Why the downvotes? People don't like timezones or something?

1una|2 years ago

The patch was supposed to be published around 06:00 UTC on October 11. The commit is 13 hours early.

royce|2 years ago

"[PATCH] socks: return error if hostname too long for remote resolve

Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
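
The commit message quoted above is the only technical description of the bug on this page. The following is an added example, not curl's code and not the actual CVE-2023-38545 code path: it shows why 255 bytes is the hard limit for a hostname in a SOCKS5 remote-resolve request (RFC 1928's domain-name address type, ATYP 0x03, carries a one-byte length prefix) and the shape of the fix the message describes, returning an error for an over-long name instead of attempting a fallback. The unchecked builder, the buffer sizes, the function names, the error codes and the 300-byte hostname (the kind of value a redirect target could supply) are all assumptions constructed for illustration.

```c
/* Added example, not curl's code. Shows the SOCKS5 CONNECT framing for a
 * proxy-resolved hostname, an illustrative unchecked builder, the hardened
 * builder that rejects names longer than 255 bytes, and a proxy-side parser
 * that exposes the framing mismatch. Sizes and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_HOSTLEN 255   /* ATYP 0x03 carries a one-byte length */
#define SOCKS5_HDR_LEN     5     /* VER CMD RSV ATYP LEN */
#define SOCKS5_PORT_LEN    2

enum {
    SOCKS5_OK = 0,
    SOCKS5_ERR_HOST_TOO_LONG = -1,   /* the error the hardened builder returns */
    SOCKS5_ERR_BUF_TOO_SMALL = -2,
    SOCKS5_ERR_MALFORMED = -3
};

/* Unchecked builder (illustrative bug, not curl's): copies the whole hostname
 * but stores only (uint8_t)hlen in the length field, so for hlen > 255 the
 * frame's own length byte disagrees with the bytes that follow it. It is
 * bounds-checked against bufsize so this sample has no undefined behaviour. */
static int socks5_connect_unchecked(uint8_t *buf, size_t bufsize,
                                    const char *host, uint16_t port,
                                    size_t *out_len)
{
    size_t hlen = strlen(host);
    size_t total = SOCKS5_HDR_LEN + hlen + SOCKS5_PORT_LEN;
    if (total > bufsize)
        return SOCKS5_ERR_BUF_TOO_SMALL;
    buf[0] = 0x05;            /* VER  */
    buf[1] = 0x01;            /* CMD  = CONNECT */
    buf[2] = 0x00;            /* RSV  */
    buf[3] = 0x03;            /* ATYP = DOMAINNAME, the proxy resolves it */
    buf[4] = (uint8_t)hlen;   /* BUG: silently truncated when hlen > 255 */
    memcpy(buf + SOCKS5_HDR_LEN, host, hlen);
    buf[SOCKS5_HDR_LEN + hlen]     = (uint8_t)(port >> 8);
    buf[SOCKS5_HDR_LEN + hlen + 1] = (uint8_t)(port & 0xff);
    *out_len = total;
    return SOCKS5_OK;
}

/* Hardened builder: the shape of the fix in the quoted commit message.
 * A name that cannot be encoded is an error; there is no fallback path. */
static int socks5_connect_checked(uint8_t *buf, size_t bufsize,
                                  const char *host, uint16_t port,
                                  size_t *out_len)
{
    if (strlen(host) > SOCKS5_MAX_HOSTLEN)
        return SOCKS5_ERR_HOST_TOO_LONG;
    return socks5_connect_unchecked(buf, bufsize, host, port, out_len);
}

/* Proxy-side parser for the demonstration: reads the claimed hostname
 * length and checks that the frame is exactly header + name + port. */
static int socks5_parse_domain_request(const uint8_t *buf, size_t len,
                                       size_t *claimed_hostlen)
{
    if (len < SOCKS5_HDR_LEN || buf[0] != 0x05 || buf[3] != 0x03)
        return SOCKS5_ERR_MALFORMED;
    *claimed_hostlen = buf[4];
    if (len != SOCKS5_HDR_LEN + *claimed_hostlen + SOCKS5_PORT_LEN)
        return SOCKS5_ERR_MALFORMED;
    return SOCKS5_OK;
}

/* Constructed input: a hostname of n 'a' characters, the kind of value a
 * remote server's redirect could hand to the client. dst needs n+1 bytes. */
static void make_host(char *dst, size_t n)
{
    memset(dst, 'a', n);
    dst[n] = '\0';
}

int main(void)
{
    uint8_t buf[1024];
    char host[512];
    size_t n = 0, claimed = 0;

    make_host(host, 300);
    printf("checked,   300-byte host: rc=%d\n",
           socks5_connect_checked(buf, sizeof buf, host, 443, &n));
    socks5_connect_unchecked(buf, sizeof buf, host, 443, &n);
    printf("unchecked, 300-byte host: frame=%zu bytes, LEN byte=%u, parse rc=%d\n",
           n, buf[4], socks5_parse_domain_request(buf, n, &claimed));

    make_host(host, 255);
    printf("checked,   255-byte host: rc=%d\n",
           socks5_connect_checked(buf, sizeof buf, host, 443, &n));
    return 0;
}
```

With a 300-byte name the unchecked builder emits a 307-byte frame whose length byte reads 44 (300 & 0xff), which the parser rejects; the hardened builder refuses the name up front and accepts a 255-byte one. The page does not describe the exact memory-safety mechanics of the real bug, so the unchecked variant here deliberately stays inside its buffer and only demonstrates the framing inconsistency.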

andersa|2 years ago

Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.

hyperman1|2 years ago

While I agree with the general thrust of your comment, note that a) this is specifically addressed in Daniel's blog post b) He stated the reason why it's not happening right now multiple times already, and they seem well thought out. (Basically, the code base is huge and not easily converted, and there is no compiler support for some of the platforms libcurl supports).

Engineering is based on trade-offs. In this specific case, the answer is no, unfortunately. This does of course not absolve new or smaller projects of this critique, but let's give curl a pass on this one.

kramerger|2 years ago

While this is a double screw up, I really like how the patch corrected the original issue but also removed this complex and unlikely path.

badrabbit|2 years ago

The drama and suspense around this has been crazy lol. It's pretty bad but they hyped it up like it was the next log4j.

KirillPanov|2 years ago

Wat.

So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked by your own proxy? Which rules out things like torsocks where you're running the proxy too.

Does this really merit all of last week's antics?

CGamesPlay|2 years ago

I don't totally think so? A malicious HTTPS server can redirect you to a fake URL with shell code in it. So it's applicable to everyone using SOCKSv5 proxies, and the attacker is not "your own proxy".

kramerger|2 years ago

There are tons of shady open or semi-open proxies out there.