Security News > 2023 > October > Curl project squashes high-severity bug in omnipresent libcurl library (CVE-2023-38545)
Since curl is used by a wide variety of operating systems, applications and IoT devices, the pre-announcement makes sense, as it allows organizations to audit their own systems, find all instances of curl and libcurl in use, and make a plan for enterprise-wide patching.
The curl project has also simultaneously shared the info about the flaws with developers of a variety of Linux, Unix and Unix-like distributions, so they can prepare patches/updated packages in advance of the curl v8.4.0 release.
CVE-2023-38545, reported by Jay Satiro, affects the curl command-line tool and the libcurl library.
"When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy," the associated advisory explains.
CVE-2023-38545 affects curl and libcurl from version 7.69.0 to v8.3.0.
The curl project advises users to update curl/libcurl to version 8.4.0 or to patch older versions, and has shared additional/alternative mitigations in the advisories.
News URL
https://www.helpnetsecurity.com/2023/10/11/cve-2023-38545-socks5/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-18 | CVE-2023-38545 | Out-of-bounds Write vulnerability in multiple products This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. | 9.8 |