Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.
Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.
A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.
The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.
More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.
"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.
"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."
Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.
"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].
"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."
Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.
The report was finished 23 September and fixes produced over the ensuing months.
The developer says fewer checks and possible borked patches may result from the decision to audit in secret.
"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.
"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®
- CRL -01-021 UAF via insufficient locking for shared cookies ( High)
- CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
- CRL -01-009 Double - free in krb 5 read _ data () due to missing realloc () check ( High)
- CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
- CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
- CRL -01-007 Double - free in aprintf () via unsafe size _t multiplication ( Medium)
- CRL -01-013 Heap overflow via integer truncation ( Medium)
- CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
- CRL -01-011 FTPS TLS session reuse ( Low)