0x0@programming.dev to

Technology@lemmy.worldEnglish · 7 hours ago

A twenty-five years old curl bug

5

114

A twenty-five years old curl bug

0x0@programming.dev to

Technology@lemmy.worldEnglish · 7 hours ago

5

I have talked about old curl bugs before, but now we have a new curl record. When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11.1 we fixed a security bug that was introduced in a curl release 9039 days ago. That is close to twenty-five years. … Continue reading A twenty-five years old curl bug →

I like the clarification:

Let me also touch this subject while talking security problems. This bug, the oldest so far in curl history, was a plain logic error and would not have been avoided had we used another language than C.

Otherwise, about 40% of all security problems in curl can be blamed on us using C instead of a memory-safe language. 50% of the high/critical severity ones.

Almost all of those C mistakes were done before there even existed a viable alternative language – if that even exists now.

Chat

solrize@lemmy.world
link
fedilink
English
arrow-up
4
arrow-down
1·
6 hours ago
I wonder whether some careful specifications and model checking could have found this.
- Blue_Morpho@lemmy.world
  link
  fedilink
  English
  arrow-up
  4·
  3 hours ago
  As the article says, the problem was the logic. They had thousands of hours of model checking.
  - solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    3·
    52 minutes ago
    They had 1000s of hours of fuzz testing. Model checking means something different.

Technology@lemmy.world

technology@lemmy.world

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@lemmy.world

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

2.4K users / day
6.89K users / week
6.95K users / month
6.99K users / 6 months
1 local subscriber
59.9K subscribers
281 Posts
3.91K Comments
Modlog