Daniel Stenberg (bagder)
⌨️ wasting time on bogus vulnerability reports

bagder / GSA-wishlist.md
Last active February 5, 2026 07:32
GitHub Security Advisory wishlist from the curl project

  1. GitHub sends the whole report over email/notification with no way to disable this. SMTP and email are known for being insecure and cannot assure end-to-end protection. This risks leaking secrets early to the entire email chain.

  2. Can't properly disclose invalid ones (and make them clearly marked as such).

  3. Per-repo default collaborators on GitHub Security Advisories is annoying, as we now have to manually add the security team for each advisory or have a rather quirky workflow scripting it.

bagder / slop.md
Last active February 4, 2026 19:23
AI slop security reports submitted to curl

Slop

This collection is limited to only include the reports that were submitted as security vulnerabilities to the curl bug-bounty program on HackerOne.

Several other issues not included here are highly suspicious as well.

Reports

  1. [Critical] Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet. #2199174
bagder / dump.txt
Created April 16, 2025 08:57
valgrind --leak-check=full ./src/curl cloudflare.com
==450632==
==450632== HEAP SUMMARY:
==450632== in use at exit: 13,496 bytes in 331 blocks
==450632== total heap usage: 5,306 allocs, 4,975 frees, 581,992 bytes allocated
==450632==
==450632== 24 bytes in 1 blocks are definitely lost in loss record 12 of 81
==450632== at 0x4844818: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==450632== by 0x153E93: curl_dbg_malloc (memdebug.c:145)
==450632== by 0x174753: Curl_memdup (strdup.c:93)
==450632== by 0x1E7CD9: Curl_httpsrr_set (httpsrr.c:103)
bagder / randdisable.pl
Last active April 3, 2025 09:42
Script that generates and runs a curl configure command with a random set of --disable options
#!/usr/bin/env perl
# Copyright (C) Daniel Stenberg, <[email protected]>, et al.
#
# SPDX-License-Identifier: curl
#
# 1. Figure out all existing configure --disable-* options
# 2. Generate random command line using supported options
# 3. Run configure (exit if problem)
# 4. run "b" to build (exit if problem)
# 5. sleep a second
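Steps 1 and 2 of the procedure above, as an added example in POSIX sh plus awk. This is not the gist's own randdisable.pl (only its header is shown here). It lists the distinct --disable-* options found in configure's help text, draws a random subset of them with a caller-supplied seed so that a configuration that breaks the build can be replayed, and assembles the configure command line. Running configure, the build and the sleep (steps 3 to 5) need a real source tree and are left to the caller. The help text below is a constructed sample standing in for "./configure --help" output; the option names in it are illustrative, and the seed parameter is this example's own addition.

```shell
#!/bin/sh
# Added example, not the gist's script: prepare a random --disable-* set.
# SAMPLE_CONFIGURE_HELP is constructed sample input imitating the
# "Optional Features" section of "./configure --help"; the duplicated
# --disable-ftp line is there on purpose to show the de-duplication.
SAMPLE_CONFIGURE_HELP='Optional Features:
  --disable-shared        do not build shared libraries
  --disable-ftp           disables FTP support
  --disable-file          disables FILE support
  --disable-ldap          disables LDAP support
  --enable-debug          enables debug mode
  --disable-verbose       disables verbose strings
  --disable-ftp           (duplicate line, to show de-duplication)'

# Step 1: print every distinct --disable-* option named in the help text,
# one per line, sorted. Only the option token is kept; --enable-* options
# and the descriptions are dropped.
extract_disable_opts() {
    printf '%s\n' "$1" | grep -o -- '--disable-[a-z0-9-]*' | sort -u
}

# Step 2a: keep each option read from stdin with probability 1/2.
# The seed (this example's addition) makes a draw reproducible, so a
# configuration that fails to build can be regenerated and investigated.
pick_random_subset() {
    seed=$1
    awk -v seed="$seed" 'BEGIN { srand(seed) } rand() < 0.5 { print }'
}

# Step 2b: turn the chosen options into one configure command line.
# A real run would exec the result; here it is only built for inspection.
build_configure_cmdline() {
    opts=$(extract_disable_opts "$1" | pick_random_subset "$2" | tr '\n' ' ')
    printf './configure %s\n' "$opts" | sed 's/ *$//'
}

# Usage: build_configure_cmdline "$(./configure --help)" "$(date +%s)"
```

Feeding the real `./configure --help` output and a seed into `build_configure_cmdline` gives the command line for one iteration; a loop around it that records the seed next to the build result turns a random walk over feature combinations into something that can be bisected when a combination fails.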
bagder / url.patch
Created March 7, 2025 08:23
lame memleak fix
diff --git a/lib/url.c b/lib/url.c
index 3b1ce3568..9f4716ed0 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3337,10 +3337,13 @@ static void reuse_conn(struct Curl_easy *data,
temp->hostname_resolve = NULL;
/* reuse init */
existing->bits.reuse = TRUE; /* yes, we are reusing here */
bagder / speedstr.c
Last active February 18, 2025 13:01
Test program to measure number parsing performance
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
 *
 * This software is licensed as described in the file COPYING, which
bagder / git-h2-upload.c
Created September 13, 2024 08:22
Reproducing curl issue #14892
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <errno.h>
/* curl stuff */
#include <curl/curl.h>
#include <curl/mprintf.h>
bagder / test.md
Last active July 4, 2024 09:25
PR #14098 perf test comparison
python3 tests/http/scorecard.py --httpd --caddy -d --download=100mb h1

master

Downloads
  Server       Size  single(1x1) [cpu/rss]         serial(50x1) [cpu/rss]         parallel(50x50) [cpu/rss]                Errors       
  httpd       100MB    1239 MB/s [89.0%/14MB]         1414 MB/s [88.5%/14MB]         1781 MB/s [100.2%/18MB]              -          
  caddy       100MB    2007 MB/s [74.2%/14MB]         2573 MB/s [82.8%/15MB]         3425 MB/s [100.3%/18MB]              -          
bagder / scorecard.md
Created December 7, 2023 12:09
perf-testing #12468

icing-cw-part5+h2

scoring h2
TLS Handshake
  curl.se...ipv4...ipv6...ok.
  google.com...ipv4...ipv6...ok.
  cloudflare.com...ipv4...ipv6...ok.
  nghttp2.org...ipv4...ipv6...ok.
httpd downloads
bagder / compare.md
Last active December 24, 2024 17:09
URL parsers compared. libcurl vs ada