Posts for: #vulnerability

Curl 8.4 Release: Enhancing Security Measures

Curl 8.4 has been released with a focus on addressing a major security vulnerability. Following the recent announcement that Curl was preparing for one of its worst security flaws in a long time, the latest version of Curl aims to fix this issue and provide additional security improvements.

In addition to the “high” severity security fix, Curl 8.4 also resolves a “low” severity security issue. Alongside these security updates, the release includes bug fixes and feature enhancements for the widely used downloading library and curl command-line utility.

The main security issue addressed in Curl 8.4 is CVE-2023-38545, a heap-based buffer overflow in the SOCKS5 proxy handshake. When Curl is asked to pass the hostname to the SOCKS5 proxy for address resolution, the hostname may be at most 255 bytes long. Due to a bug, a hostname that exceeds this length can still be copied into the buffer, writing past its end on the heap. Triggering the issue requires a slow SOCKS5 handshake and a client using a hostname longer than the download buffer.
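The 255-byte limit comes from the SOCKS5 request format, where the hostname length is a single octet. The following is an added example, not curl's code: a hypothetical helper, `socks5_build_connect`, that builds a SOCKS5 CONNECT request with proxy-side name resolution and refuses any hostname that does not fit the length field or the caller's buffer before copying a single byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_HOSTNAME 255 /* length field is one octet (RFC 1928) */

/* Hypothetical helper (not from curl): writes a SOCKS5 CONNECT request
 * using the "domain name" address type into buf.
 * Returns the number of bytes written, or -1 if the hostname is empty,
 * longer than 255 bytes, or the request would not fit in buflen. */
int socks5_build_connect(uint8_t *buf, size_t buflen,
                         const char *host, uint16_t port)
{
    size_t hlen = strlen(host);
    size_t need;

    /* Validate against the protocol limit before touching the buffer. */
    if (hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return -1;

    /* VER, CMD, RSV, ATYP + length octet + hostname + 2-byte port */
    need = 4 + 1 + hlen + 2;
    if (need > buflen)
        return -1;

    buf[0] = 5;             /* VER: SOCKS5 */
    buf[1] = 1;             /* CMD: CONNECT */
    buf[2] = 0;             /* RSV */
    buf[3] = 3;             /* ATYP: domain name, resolved by the proxy */
    buf[4] = (uint8_t)hlen; /* safe: hlen <= 255 was checked above */
    memcpy(buf + 5, host, hlen);
    buf[5 + hlen] = (uint8_t)(port >> 8);   /* port, network byte order */
    buf[6 + hlen] = (uint8_t)(port & 0xff);
    return (int)need;
}

int main(void)
{
    uint8_t req[4 + 1 + SOCKS5_MAX_HOSTNAME + 2];
    /* "example.com" is a constructed sample input. */
    int n = socks5_build_connect(req, sizeof(req), "example.com", 443);
    printf("request length: %d\n", n);
    return n > 0 ? 0 : 1;
}
```

A caller that gets -1 for an over-long name has to fail the request or resolve the name locally; it must not fall through to the copy.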

The other security issue resolved in this release pertains to cookie injection without a file.

On the feature side, Curl 8.4 introduces support for IPFS (InterPlanetary File System) protocols via HTTP gateways. Additionally, support for legacy MinGW.org toolchains has been dropped in this release.

For more information on all the changes in Curl 8.4, you can visit the official curl.se website.

Source: Phoronix.

curl Prepares for Significant Security Flaw in Latest Update

The widely used curl project is preparing to release curl 8.4 early to address a severe vulnerability in the library. Details on the vulnerability are limited, as it is still under embargo, but curl lead developer Daniel Stenberg has described it as “probably the worst curl security flaw in a long time.” The release, scheduled for October 11, will include fixes for this high severity vulnerability, as well as a low severity one. Stenberg has not provided specific details about which version range is affected, but he has stated that it impacts all curl versions from the past few years. This vulnerability is expected to be particularly impactful for users of the libcurl library and curl command-line tool.

Source: Phoronix.