The 2022 curl security audit

  [15]December 21, 2022 [16]Daniel Stenberg [17]Leave a comment

  tldr: several hundred hours of dedicated scrutiny of curl by a team of
  security experts resulted in two CVEs and a set of less serious
  remarks. The link to the reports is at the bottom of this article.

  Thanks to an [18]OpenSSF grant, [19]OSTIF helped us set up a curl
  security audit, which the excellent [20]Trail of Bits was selected to
  perform in September 2022. We are most grateful to OpenSSF for doing
  this for us, and I hope all users who use and rely on curl recognize
  this extraordinary gift. [21]OSTIF posted about this separately.

  We previously had an [22]audit performed on curl back in 2016 by
  [23]Cure53 (sponsored by Mozilla), but I like to think that we (curl)
  have traveled quite far and matured a lot since those days. The fixes
  for the findings reported in that previous audit were all merged and
  shipped in the 7.51.0 release in November 2016, now over six years
  ago.

Changes since previous audit

  We have done a lot in the project over the last six years that has
  improved our general security situation. I believe we are in a much
  better place than we were the last time around. But we have also grown
  and developed a lot more features since then.

  curl is now at 150,000 lines of C code. This count is for "product
  code" only and excludes blank lines; about 19% of the counted lines
  are comments.

  71 additional vulnerabilities have been reported and fixed since then.
  (42 of those already existed in the version that was audited in 2016
  but were, evidently, not detected by that audit.)

  We have 30,000 additional lines of code today (+27%), and we have done
  over 8,000 commits since.

  We have 50% more test cases (now 1550).

  We have done 47 releases featuring more than 4,200 documented bugfixes
  and 150 changes/new features.

  We have 25 times the number of CI jobs: up from 5 in 2016 to 127 today.

  The OSS-Fuzz project started fuzzing curl in 2017, and it has been
  fuzzing curl non-stop since.

  We [24]introduced our "dynbuf" system internally in 2020 for managing
  growing buffers, to avoid the common C mistakes that come with
  resizing buffers by hand.
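To make concrete what a bounded growing buffer buys you, here is an added example of the pattern in C. It is not curl's dynbuf source; the struct and the dyn_* names are hypothetical and chosen for this illustration. The two properties it enforces are the ones that matter for the "common C mistakes": every append is checked against a hard ceiling before any size arithmetic happens (so the length sums cannot wrap around), and a failed append frees and resets the buffer rather than leaving stale or half-written memory for the caller to keep using.

```c
/* Added example, not curl's dynbuf source: a minimal growable byte buffer
 * with a hard size ceiling. The dynbuf/dyn_* names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dynbuf {
  char *bufr;    /* storage; NUL-terminated whenever non-NULL */
  size_t leng;   /* bytes in use, excluding the terminating NUL */
  size_t allc;   /* bytes allocated */
  size_t toobig; /* hard ceiling for leng; appends past it are refused */
};

#define DYN_MIN_ALLOC 32

void dyn_init(struct dynbuf *s, size_t toobig)
{
  s->bufr = NULL;
  s->leng = s->allc = 0;
  /* keep toobig + 1 representable so the size sums below cannot wrap */
  s->toobig = toobig < SIZE_MAX ? toobig : SIZE_MAX - 1;
}

void dyn_free(struct dynbuf *s)
{
  free(s->bufr);
  s->bufr = NULL;
  s->leng = s->allc = 0;
}

/* Append len bytes from mem. Returns 0 on success, -1 on failure. On failure
 * the buffer is freed and reset, so a caller can never keep using a
 * half-written or stale buffer by mistake. */
int dyn_addn(struct dynbuf *s, const void *mem, size_t len)
{
  /* the ceiling check comes first and is written so it cannot overflow */
  if(len > s->toobig || s->leng > s->toobig - len) {
    dyn_free(s);
    return -1;
  }
  size_t needed = s->leng + len + 1;          /* <= toobig + 1, no wrap */
  if(needed > s->allc) {
    size_t newalloc = s->allc ? s->allc : DYN_MIN_ALLOC;
    while(newalloc < needed)                  /* double, but never past the ceiling */
      newalloc = (newalloc <= s->toobig / 2) ? newalloc * 2 : s->toobig + 1;
    char *p = realloc(s->bufr, newalloc);
    if(!p) {
      dyn_free(s);
      return -1;
    }
    s->bufr = p;
    s->allc = newalloc;
  }
  if(len)
    memcpy(s->bufr + s->leng, mem, len);
  s->leng += len;
  s->bufr[s->leng] = '\0';
  return 0;
}

int dyn_add(struct dynbuf *s, const char *str)
{
  return dyn_addn(s, str, strlen(str));
}

const char *dyn_ptr(const struct dynbuf *s) { return s->bufr; }
size_t dyn_len(const struct dynbuf *s) { return s->leng; }

/* Feed oversized input to a buffer capped at 100 bytes: the third append
 * must be refused and the buffer must come back empty, not truncated.
 * Returns 1 if the ceiling behaved as intended. */
int demo_ceiling(void)
{
  struct dynbuf b;
  char chunk[40];
  memset(chunk, 'A', sizeof(chunk));
  dyn_init(&b, 100);
  int ok1 = dyn_addn(&b, chunk, sizeof(chunk)) == 0;      /* 40 bytes */
  int ok2 = dyn_addn(&b, chunk, sizeof(chunk)) == 0;      /* 80 bytes */
  int refused = dyn_addn(&b, chunk, sizeof(chunk)) != 0;  /* 120 > 100 */
  int reset = dyn_ptr(&b) == NULL && dyn_len(&b) == 0;
  dyn_free(&b);
  return ok1 && ok2 && refused && reset;
}

int main(void)
{
  struct dynbuf b;
  dyn_init(&b, 1024);
  dyn_add(&b, "Host: ");
  dyn_add(&b, "example.com");
  printf("%s (%zu bytes)\n", dyn_ptr(&b), dyn_len(&b));
  dyn_free(&b);
  return demo_ceiling() ? 0 : 1;
}
```

The ceiling is the important part: a parser that appends attacker-controlled data (a header value, a chunked body, a redirect target) gets a clean failure at a size of the caller's choosing instead of unbounded growth, and the "free on failure" rule means there is no second code path that has to remember to clean up.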

Audit

  The Trail of Bits team was assigned this as a three-part project:
   1. Create a threat model document
   2. Testing analysis and improvements
   3. Secure code review

  The project was set up to use a total of 380 man-hours, and for most
  of that time two Trail of Bits engineers worked in parallel on the
  different tasks. The Trail of Bits team eventually also voluntarily
  extended the program by about a week. They had no problems finding
  people who wanted to join in and look into curl. We can safely say that
  they spent a significant amount of time and effort scrutinizing curl.

  The curl security team members had frequent status meetings and
  assisted with details and could help answer questions. We would also
  get updates and reports on how they progressed.

Two security vulnerabilities were confirmed

  The first vulnerability they found became
  [25]CVE-2022-42915: HTTP proxy double-free issue.

  The second vulnerability was found after Trail of Bits had finished
  their work and delivered their report: a fuzzer they were still running
  triggered a separate flaw. This second vulnerability is not covered in
  the report but was disclosed earlier today in sync with the curl 7.87.0
  release announcement: [26]CVE-2022-43552: HTTP Proxy deny
  use-after-free.

Minor frictions detected

  Discoveries and remarks highlighted through their work that were not
  considered security sensitive could be handled on the fly. Some
  examples include:
    * Using --ssl now outputs a warning saying it is unsafe (it only
      tries to upgrade to TLS and silently continues in clear text if
      the server does not support it) and recommends --ssl-reqd instead,
      which fails the transfer unless TLS is actually negotiated.
    * The Alt-svc: header parser did not deal with illegal port numbers
      correctly.
    * The URL parser accepted "illegal" characters in the host name part.
    * Harmless memory leaks.
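Both parser remarks above come down to the same habit: accept only what the grammar allows and refuse the rest, rather than trying to make sense of odd input. The following is an added example in C, not curl's Alt-Svc or URL parser code, of a deliberately strict parser for an Alt-Svc header value (RFC 7838 syntax: protocol-id, then a quoted [host]:port, then optional parameters). The struct and function names are hypothetical and the sample header values are constructed for the demo. Port strings must be 1 to 5 ASCII digits with a value in 1..65535, so "+443", " 443", "443x" and "99999" are all refused; the host check allows only letters, digits, '-' and '.' or a bracketed IPv6 literal, which is stricter than RFC 3986 reg-name on purpose.

```c
/* Added example, not curl's code: a strict Alt-Svc (RFC 7838) value parser.
 * Names are hypothetical; sample header values are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ALTSVC_MAX 8

struct altsvc_entry {
  char proto[16];  /* ALPN id such as "h2" or "h3" */
  char host[256];  /* "" means the origin's own host */
  unsigned port;   /* always 1..65535 once parsed */
};

/* 1-5 ASCII digits, value 1..65535. Returns the port, or 0 on any violation. */
unsigned parse_port_strict(const char *s, size_t len)
{
  unsigned v = 0;
  if(len == 0 || len > 5)
    return 0;
  for(size_t i = 0; i < len; i++) {
    if(s[i] < '0' || s[i] > '9')
      return 0;                             /* "+443", " 443", "443x" */
    v = v * 10 + (unsigned)(s[i] - '0');    /* <= 99999, cannot overflow */
  }
  return (v >= 1 && v <= 65535) ? v : 0;
}

/* A bracketed IPv6 literal (hex and ':'), or letters, digits, '-' and '.'
 * only: stricter than RFC 3986 reg-name, so a URL parser never has to guess. */
int host_is_valid(const char *s, size_t len)
{
  if(len == 0)
    return 1;                               /* Alt-Svc allows omitting the host */
  if(s[0] == '[') {
    if(len < 4 || s[len - 1] != ']')
      return 0;
    for(size_t i = 1; i + 1 < len; i++)
      if(!isxdigit((unsigned char)s[i]) && s[i] != ':')
        return 0;
    return 1;
  }
  for(size_t i = 0; i < len; i++)
    if(!isalnum((unsigned char)s[i]) && s[i] != '-' && s[i] != '.')
      return 0;                             /* ' ', '/', '@', '?', '#', CR, LF, 0x80+ */
  return 1;
}

/* One alt-value: protocol-id "=" "<[host]:port>" [; params]. 1 = ok, 0 = refused. */
static int parse_one(const char *p, const char *end, struct altsvc_entry *e)
{
  while(p < end && *p == ' ')
    p++;
  const char *eq = memchr(p, '=', (size_t)(end - p));
  if(!eq || eq == p || (size_t)(eq - p) >= sizeof(e->proto) || eq[1] != '"')
    return 0;                               /* "clear" and junk end up here */
  const char *q1 = eq + 1, *q2 = memchr(q1 + 1, '"', (size_t)(end - q1 - 1));
  const char *colon = NULL;                 /* last ':' separates the port */
  for(const char *c = q1 + 1; q2 && c < q2; c++)
    if(*c == ':')
      colon = c;
  if(!colon)
    return 0;                               /* unterminated quote or no port */
  size_t hlen = (size_t)(colon - (q1 + 1));
  unsigned port = parse_port_strict(colon + 1, (size_t)(q2 - colon - 1));
  if(!port || hlen >= sizeof(e->host) || !host_is_valid(q1 + 1, hlen))
    return 0;
  memcpy(e->proto, p, (size_t)(eq - p));
  e->proto[eq - p] = '\0';
  memcpy(e->host, q1 + 1, hlen);
  e->host[hlen] = '\0';
  e->port = port;
  return 1;
}

/* Parse a whole field value; malformed entries are dropped, never guessed. */
int altsvc_parse(const char *hdr, struct altsvc_entry *out, int max)
{
  int n = 0;
  const char *p = hdr, *end = hdr + strlen(hdr);
  while(p < end && n < max) {
    const char *comma = memchr(p, ',', (size_t)(end - p));
    if(parse_one(p, comma ? comma : end, &out[n]))
      n++;
    if(!comma)
      break;
    p = comma + 1;
  }
  return n;
}

int main(void)
{
  /* constructed sample input: valid values first, then values that must be refused */
  static const char *samples[] = {
    "h3=\":443\"; ma=86400, h2=\"alt.example.com:8443\"; persist=1",
    "h2=\"evil.example:99999\", h2=\"evil.example:+443\", h2=\"a.example:443x\"",
    "h2=\"bad host.example:443\", h2=\"user@evil.example:443\", clear",
  };
  for(size_t i = 0; i < 3; i++) {
    struct altsvc_entry e[ALTSVC_MAX];
    int n = altsvc_parse(samples[i], e, ALTSVC_MAX);
    printf("%s\n  -> %d accepted\n", samples[i], n);
    for(int k = 0; k < n; k++)
      printf("     %s host=\"%s\" port=%u\n", e[k].proto, e[k].host, e[k].port);
  }
  return 0;
}
```

The point of rejecting a whole alt-value rather than "fixing" it is that an Alt-Svc entry later turns into a connection target; a lenient parser that reads "99999" as some other port, or lets an '@' or a space through into the host, hands the ambiguity to the URL and connection code where it is much harder to reason about.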

  You should of course read the full reports to learn about all the
  twenty-something issues in full detail, including the feedback from
  the curl security team.

Actions

  The curl team acted on all reported issues that we think we could act
  on. We disagree with the Trail of Bits team on a few issues, and some
  others are "good ideas" that we should probably work on going forward
  but that cannot be fixed immediately. None of those leave any
  immediate problem or danger in the code.

Conclusions

  Security is not something that can be checked off as done once and for
  all nor can it ever be considered complete. It is a process that needs
  to blend in and affect everything we do when we develop software. Now
  and forever going forward.

  This team of security professionals spent more time and effort on
  security auditing and poking at curl with fuzzers than probably anyone
  else has ever done before. Personally, I am thrilled that they only
  managed to uncover two actual security problems. I think this shows
  that a lot of curl code has been written the right way. The CVEs they
  found were not even that terrible.

Lessons

  Twenty-something issues were detected, and while the report includes
  advice from the auditors on how we should improve things going forward,
  it is of the kind we all already know we should do and paths we
  should follow. I could not really find any real lessons as in obvious
  things or patterns we should stop doing, or new paradigms or styles to
  adopt.

  I think we learned, or more correctly got reconfirmed, that:
    * we seem to be doing things mostly right
    * we can and should do more and better fuzzing
    * adding more tests to increase coverage is good

Security is hard

  To show how hard security can be: we received no less than three
  additional security reports to the project while this audit was in
  progress. Those additional reports came from other people, of course,
  and identified security problems that this team of experts did not
  find.

My comments on the reports

  The term Unresolved is used for a few issues in the report and I have a
  minor qualm with the use of that particular word for all of those
  cases. While it is true that we in several cases did not act on the
  advice in the report, there are cases where we distinctly disagree with
  the recommendation and others that mention things we might work on and
  address in the future. They are all just marked as unresolved in the
  reports, but they are not all unresolved to us in the curl project.

  In particular I am not overly pleased with how the issue called
  TOB-CURLTM-6 is labeled severity high and status unresolved as I
  believe this wrongly gives the impression that curl has issues with
  high severity left unresolved in the code.

  If you want to read the specific responses for each and every reported
  issue from the curl project, they are stored in this [27]separate
  GitHub gist.

The reports

  You find the two reports linked to from the [28]curl security page. A
  total of almost 100 pages in two PDF documents.



References

  1. https://daniel.haxx.se/blog/feed/
  2. https://daniel.haxx.se/blog/comments/feed/
  3. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/feed/
  4. https://daniel.haxx.se/blog/wp-json/wp/v2/posts/19480
  5. https://daniel.haxx.se/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fdaniel.haxx.se%2Fblog%2F2022%2F12%2F21%2Fthe-2022-curl-security-audit%2F
  6. https://daniel.haxx.se/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fdaniel.haxx.se%2Fblog%2F2022%2F12%2F21%2Fthe-2022-curl-security-audit%2F&format=xml
  7. https://daniel.haxx.se/blog/
  8. https://daniel.haxx.se/blog/
  9. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/#search-container
 10. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/#content
 11. https://daniel.haxx.se/blog/about/
 12. https://daniel.haxx.se/blog/contact/
 13. https://daniel.haxx.se/blog/category/floss/curl/
 14. https://daniel.haxx.se/blog/category/tech/security/
 15. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/
 16. https://daniel.haxx.se/blog/author/daniel/
 17. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/#respond
 18. https://openssf.org/
 19. https://ostif.org/
 20. https://www.trailofbits.com/
 21. https://ostif.org/the-ostif-audit-of-curl-with-trail-of-bits-is-complete/
 22. https://daniel.haxx.se/blog/2016/11/23/curl-security-audit/
 23. https://cure53.de/
 24. https://daniel.haxx.se/blog/2020/09/23/a-google-grant-for-libcurl-work/
 25. https://curl.se/docs/CVE-2022-42915.html
 26. https://curl.se/docs/CVE-2022-43552.html
 27. https://gist.github.com/bagder/6be7df7ea5ce17ca7f6ab0981de12f13
 28. https://curl.se/docs/security.html
 29. https://daniel.haxx.se/blog/tag/audit/
 30. https://daniel.haxx.se/blog/tag/curl-and-libcurl/
 31. https://daniel.haxx.se/blog/tag/security/
 32. https://daniel.haxx.se/blog/2022/12/21/curl-7-87-0/
 33. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/#respond
 34. https://akismet.com/privacy/
 35. https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-security-audit/
 36. https://daniel.haxx.se/blog/2022/12/21/curl-7-87-0/
 37. https://daniel.haxx.se/blog/2022/12/19/curl-sighting-tschugger/
 38. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/
 39. https://daniel.haxx.se/blog/2022/12/10/curl-sighting-silk-road/
 40. https://daniel.haxx.se/blog/2022/12/06/faster-base64-in-curl/
 41. https://daniel.haxx.se/blog/2022/12/19/curl-sighting-tschugger/comment-page-1/#comment-26534
 42. https://daniel.haxx.se/blog/2022/11/25/89-operating-systems/comment-page-1/#comment-26533
 43. https://majid.info/
 44. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26532
 45. https://alex.kirk.at/
 46. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26531
 47. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26530
 48. https://readtexts.org/
 49. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26529
 50. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26528
 51. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26527
 52. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26525
 53. https://daniel.haxx.se/
 54. https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/comment-page-1/#comment-26524
 55. https://github.com/users/bagder/sponsorship
 56. https://twitter.com/bagder
 57. https://daniel.haxx.se/blog/feed/
 58. https://daniel.haxx.se/blog/2022/12/06/
 59. https://daniel.haxx.se/blog/2022/12/10/
 60. https://daniel.haxx.se/blog/2022/12/14/
 61. https://daniel.haxx.se/blog/2022/12/19/
 62. https://daniel.haxx.se/blog/2022/12/21/
 63. https://daniel.haxx.se/blog/2022/11/
 64. https://wordpress.org/