Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished 23 September and fixes produced over the ensuing months.

The developer says fewer checks and possible borked patches may result from the decision to audit in secret.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL -01-021 UAF via insufficient locking for shared cookies ( High)
  • CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
  • CRL -01-009 Double - free in krb 5 read _ data () due to missing realloc () check ( High)
  • CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
  • CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
  • CRL -01-007 Double - free in aprintf () via unsafe size _t multiplication ( Medium)
  • CRL -01-013 Heap overflow via integer truncation ( Medium)
  • CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
  • CRL -01-011 FTPS TLS session reuse ( Low)

Sponsored: The state of mobile security maturity

The Register - Security

Hash: SHA1

[slackware-security] curl (SSA:2016-259-01)

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
patches/packages/curl-7.50.3-i586-1_slack14.2.txz: Upgraded.
Fixed heap overflows in four libcurl functions: curl_escape(),
curl_easy_escape(), curl_unescape() and curl_easy_unescape().
For more information, see:
(* Security fix *)

Where to find the new packages:

Thanks to the friendly folks at the OSU Open Source Lab
( for donating FTP and rsync hosting
to the Slackware project! 🙂

Also see the "Get Slack" section on for
additional mirror sites near you.

Updated package for Slackware 13.0:

Updated package for Slackware x86_64 13.0:

Updated package for Slackware 13.1:

Updated package for Slackware x86_64 13.1:

Updated package for Slackware 13.37:

Updated package for Slackware x86_64 13.37:

Updated package for Slackware 14.0:

Updated package for Slackware x86_64 14.0:

Updated package for Slackware 14.1:

Updated package for Slackware x86_64 14.1:

Updated package for Slackware 14.2:

Updated package for Slackware x86_64 14.2:

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:

MD5 signatures:

Slackware 13.0 package:
14421c446c83e8067ee99051f0ea8609 curl-7.50.3-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
62830f5888c0fba626ad29f82b0fef3e curl-7.50.3-x86_64-1_slack13.0.txz

Slackware 13.1 package:
72ebdfcb792ea6efd7730a6fd9edba23 curl-7.50.3-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
a61c692091c2b46fcf365ca63e0abad4 curl-7.50.3-x86_64-1_slack13.1.txz

Slackware 13.37 package:
490fb0de5ce5440f67e7aa7a6dd56bd3 curl-7.50.3-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
d5ec25d07d5daaf0c99387d449c01968 curl-7.50.3-x86_64-1_slack13.37.txz

Slackware 14.0 package:
28f4d698e11368b795efcf5af7a92dc0 curl-7.50.3-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
a3b13d4a41e59a2b0572d513a6c55f88 curl-7.50.3-x86_64-1_slack14.0.txz

Slackware 14.1 package:
9f3f2d8c03bc821f23cacb116ed47feb curl-7.50.3-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
c7df6f381c212fe86d1f182db6c2976c curl-7.50.3-x86_64-1_slack14.1.txz

Slackware 14.2 package:
d4fc39f22c3e8d50b563df71da58bd58 curl-7.50.3-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
aac11d7c1780f14f7d45c9a3f6ee1874 curl-7.50.3-x86_64-1_slack14.2.txz

Slackware -current package:
23023b11dd5301bcb6329a9d77d8630c n/curl-7.50.3-i586-1.txz

Slackware x86_64 -current package:
560b459c9b76eea9cceead3fdf109657 n/curl-7.50.3-x86_64-1.txz

Installation instructions:

Upgrade the package as root:
# upgradepkg curl-7.50.3-i586-1_slack14.2.txz


Slackware Linux Security Team
security (at) slackware (dot) com [email concealed]

| To leave the slackware-security mailing list: |
| Send an email to majordomo (at) slackware (dot) com [email concealed] with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |


[ reply ]

SecurityFocus Vulnerabilities