Fresh curl tomorrow will patch 'worst' security flaw in ages

It’s bad, folks. Pair of CVEs incoming on October 11


Start your patch engines: a new version of curl is due tomorrow that addresses a pair of flaws, one of which lead developer Daniel Stenberg describes as "probably the worst curl security flaw in a long time."

Curl 8.4.0 will hit at around 0600 UTC on October 11 (0800 CEST, 0700 BST, 0200 EDT, or 2300 PDT the previous evening) and deal with CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl.

The release has no API or ABI changes, so the update should slot in without too much aggravation.

CVE-2023-38545 is rated as a high-severity CVE. Stenberg disclosed little about either flaw beyond noting that the normal development process had to be cut short to get the fixes out as quickly as possible.


Stenberg said: "I cannot disclose any information about which version range is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time.

"The 'last several years' of versions is as specific as I can get."

Curl is a command line tool (and, as libcurl, a library) for transferring data with URLs, and it is one of those pieces of software that forms the backbone of the internet. According to the project team, the tool is used in command lines and scripts to transfer data and is found in a range of connected devices, from printers to cars. The team claims it is "the internet transfer engine for thousands of software applications in over twenty billion installations," adding: "curl is used daily by virtually every internet-using human on the globe."

It first emerged in 1998, according to Stenberg, although its predecessors, urlget and httpget, date back to 1996. Stenberg adopted the cURL name because "the word contains URL and already then the tool worked primarily with URLs, and I thought that it was fun to partly make it a real English word 'curl' but also that you could pronounce it 'see URL' as the tool would display the contents of a URL."

Later, a backronym was coined: "Curl URL Request Library."

An urgent fix is probably not the best 25th anniversary gift for the curl team, but here we are.

Ax Sharma, a security researcher at Sonatype, noted the concern around the vulnerability and said: "This isn't Log4j reloaded as some are painting it."

He went on: "Most usage of curl is as a command-line utility, distributed as an operating system package and used as a system level service provider or utility, which means normal OS updates should automatically take care of this. It's very different from Log4j, which is embedded as a dependency, many layers deep, with no direct update capability."

That said, Sharma emphasized that this is still a nasty vulnerability – that HIGH severity classification is a handy clue – and warned: "The most likely attack surface people should watch for when it comes to vulnerabilities is docker base images that aren't receiving updates and which happen to have an application that leverages the vulnerable libcurl."

He went on: "Overall, the best thing to do here is to not panic, but to install the patched packages ASAP, and don't forget that containers can also contain operating systems – so keep them in mind."
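Sharma's advice boils down to two checks: is the host's curl older than 8.4.0, and do any locally held container images carry an older libcurl? The script below is an added example, not code from The Register or the curl project. It assumes the Docker CLI is available, that `curl --version` prints its usual first line (`curl X.Y.Z (...) libcurl/X.Y.Z ...`), and that any image names it reads are placeholders; it only compares version numbers against 8.4.0, the release the article says carries the fixes.

```shell
#!/bin/sh
# Added example, not from the article or the curl project. Flags any curl whose
# libcurl version predates 8.4.0, the release that ships the fixes for
# CVE-2023-38545 and CVE-2023-38546. Caveat: a version-number check cannot see
# distribution backports (a distro may patch an older version in place), so a
# hit means "verify against your distro's advisory", not "confirmed vulnerable".

FIXED_VERSION="8.4.0"

# Pull the libcurl version out of the first line of `curl --version`, e.g.
# "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2" -> "8.3.0"
libcurl_version() {
    printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Numeric dotted-version compare: prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing components count as 0, so 8.4 equals 8.4.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when the given libcurl version lacks the 8.4.0 fixes.
needs_update() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Classify one `curl --version` first line: "UPDATE <ver>", "OK <ver>" or "UNKNOWN".
classify() {
    v=$(libcurl_version "$1")
    if [ -z "$v" ]; then printf '%s\n' UNKNOWN; return; fi
    if needs_update "$v"; then printf 'UPDATE %s\n' "$v"; else printf 'OK %s\n' "$v"; fi
}

# Host check: whatever curl is first on PATH.
check_host() {
    classify "$(curl --version 2>/dev/null | head -n1)"
}

# Container image check: run the image's own curl binary. The image name passed
# in is whatever `docker image ls` reports; nothing here is a real image.
check_image() {
    classify "$(docker run --rm --entrypoint curl "$1" --version 2>/dev/null | head -n1)"
}

# Stand-alone run (`sh check-curl.sh --scan`): the host plus every local image,
# which is where Sharma expects stale base images to hide.
if [ "${1:-}" = "--scan" ]; then
    printf 'host: %s\n' "$(check_host)"
    docker image ls --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | while read -r img; do
        case $img in *'<none>'*) continue ;; esac
        printf '%s: %s\n' "$img" "$(check_image "$img")"
    done
fi
```

An image whose curl is missing reports UNKNOWN rather than OK; images that bundle libcurl only as a shared library (no `curl` binary) need a package-manager query inside the image instead, and distro packages with a backported fix will show as UPDATE even after patching, which is the false positive the caveat in the header is about.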

As for Stenberg, he said: "Now you know. Plan accordingly."

Updated to add

The update is now out.
