Buffer overflow in curl and libcurl, triggered when connecting through a SOCKS5 proxy

A vulnerability (CVE-2023-38545) has been identified in the curl utility for sending and receiving data over the network and in the libcurl library developed alongside it. It can cause a buffer overflow and potentially lead to execution of attacker-supplied code on the client side when the curl utility, or an application using libcurl, connects to an HTTPS server controlled by the attacker. The problem manifests only when access through a SOCKS5 proxy is enabled in curl; with a direct connection and no proxy, the vulnerability does not appear. The vulnerability was fixed in curl release 8.4.0. The security researcher who discovered the bug received a $4660 reward as part of HackerOne's Internet Bug Bounty program.

The vulnerability is caused by an error in the hostname resolution code that runs before the SOCKS5 proxy is contacted. If the hostname is shorter than 256 characters, curl immediately passes the name to the SOCKS5 proxy for resolution on the proxy's side; if the name is longer than 255 characters, curl switches to the local resolver and passes the already-resolved address to the SOCKS5 proxy. Due to an error in the code, the flag indicating that local resolution is required could be set to the wrong value during a slow SOCKS5 connection negotiation, so that the long name was written into a buffer allocated on the assumption that it would hold an IP address or a name no longer than 255 characters.

The owner of a site that is accessed with curl through a SOCKS5 proxy can trigger a client-side buffer overflow by returning a redirect code (HTTP 30x) and setting the "Location:" header to a URL whose hostname is between 16 and 64 KB long (16 KB is the minimum size needed to overflow the allocated buffer, and 65 KB is the maximum hostname length allowed in a URL). If following redirects is enabled in the libcurl settings and the SOCKS5 proxy in use is slow enough, the long hostname is written into a small buffer that is clearly too small for it.
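The length rule described above (the SOCKS5 domain-name address field has a single-byte length prefix, so it holds at most 255 bytes; anything longer must be resolved locally, and that decision must not be lost while the proxy handshake is pending) can be illustrated with a small bounds-checked request builder. This is an added example written for this page, not curl's or libcurl's code; the function names, the SOCKS5_MAX_HOSTNAME constant and the sample hostnames are assumptions constructed for the illustration. It shows the hardened shape: the resolve mode is decided once from the hostname length, and the builder refuses both a hostname that does not fit the protocol field and a request that does not fit the caller's buffer, so an oversized redirect target like the one described above is rejected instead of being copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The SOCKS5 DOMAINNAME address type (ATYP 0x03) carries a one-byte length,
 * so the protocol itself caps a remotely-resolved hostname at 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255

enum resolve_mode { RESOLVE_REMOTE, RESOLVE_LOCAL };

/* Decide once, before any proxy I/O, where the name will be resolved.
 * Hypothetical helper, not curl's: names longer than the field go local. */
enum resolve_mode choose_resolve_mode(const char *host)
{
    return strlen(host) > SOCKS5_MAX_HOSTNAME ? RESOLVE_LOCAL : RESOLVE_REMOTE;
}

/* Build a SOCKS5 CONNECT request with a DOMAINNAME address:
 *   VER=5 CMD=1 RSV=0 ATYP=3 LEN HOST[LEN] PORT(2, network order)
 * Returns the number of bytes written, or -1 if the hostname does not fit
 * the protocol field or the request does not fit the output buffer. */
int socks5_build_connect(const char *host, uint16_t port,
                         uint8_t *out, size_t out_cap)
{
    size_t hostlen = strlen(host);
    /* Protocol limit: never truncate silently, never copy past 255. */
    if (hostlen == 0 || hostlen > SOCKS5_MAX_HOSTNAME)
        return -1;
    size_t need = 4 + 1 + hostlen + 2;
    /* Buffer limit: checked against the caller's capacity before writing. */
    if (need > out_cap)
        return -1;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)hostlen;
    memcpy(out + 5, host, hostlen);
    out[5 + hostlen] = (uint8_t)(port >> 8);
    out[6 + hostlen] = (uint8_t)(port & 0xff);
    return (int)need;
}

/* Drive the builder with a constructed hostname of `hostlen` letters 'a'
 * into an output buffer of `cap` bytes; returns the builder's result. */
int build_with_constructed_host(size_t hostlen, size_t cap)
{
    char *host = malloc(hostlen + 1);
    uint8_t *out = malloc(cap ? cap : 1);
    if (!host || !out) { free(host); free(out); return -1; }
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    int n = socks5_build_connect(host, 443, out, cap);
    free(host);
    free(out);
    return n;
}

int main(void)
{
    uint8_t buf[300];
    int n = socks5_build_connect("example.com", 443, buf, sizeof buf);
    printf("example.com -> %d bytes, mode %d\n", n,
           choose_resolve_mode("example.com"));
    /* A 300-byte name (constructed) mirrors an oversized redirect target:
     * it must go to the local resolver and must never enter the field. */
    printf("300-byte host -> %d (expected -1)\n",
           build_with_constructed_host(300, sizeof buf));
    printf("255-byte host -> %d bytes\n",
           build_with_constructed_host(255, sizeof buf));
    return 0;
}
```

Both checks in socks5_build_connect are independent: the first enforces the protocol's 255-byte field, the second the destination buffer's capacity. The bug described in the article lost the first decision mid-handshake; keeping the capacity check next to the copy means even a wrong mode flag cannot turn into an out-of-bounds write.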

The vulnerability mainly affects applications built on libcurl, and it manifests in the curl utility only when the "--limit-rate" option is used with a value below 65541: by default libcurl allocates a 16 KB buffer, and in the curl utility the buffer is 100 KB, but that size changes depending on the value of the "--limit-rate" parameter.
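The practical question a defender takes from the two paragraphs above is whether a given curl or libcurl build is older than the fixed release and, for the command-line tool, whether the invocation uses a "--limit-rate" small enough to shrink the buffer. The following is an added example, not curl's code: it parses the "libcurl/x.y.z" token from a version banner of the kind `curl --version` prints (the banner strings below are constructed samples) and combines that with the article's "--limit-rate" condition. The function names and the exposure logic are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Release that fixes CVE-2023-38545, as stated in the article. */
#define FIXED_MAJOR 8
#define FIXED_MINOR 4
#define FIXED_PATCH 0

/* The article's threshold: a tool-side --limit-rate below this value
 * shrinks the buffer enough for the overflow to be reachable. */
#define LIMIT_RATE_THRESHOLD 65541L

/* Extract the "x.y.z" that follows "libcurl/" in a banner such as the first
 * line of `curl --version`. Returns 1 on success, 0 if no version is found. */
int parse_libcurl_version(const char *banner, int *maj, int *min, int *pat)
{
    const char *p = strstr(banner, "libcurl/");
    if (!p)
        return 0;
    p += strlen("libcurl/");
    return sscanf(p, "%d.%d.%d", maj, min, pat) == 3;
}

/* 1 if the banner reports a libcurl at or above the fixed release,
 * 0 if it is older, -1 if the banner could not be parsed. */
int libcurl_is_fixed(const char *banner)
{
    int maj, min, pat;
    if (!parse_libcurl_version(banner, &maj, &min, &pat))
        return -1;
    if (maj != FIXED_MAJOR)
        return maj > FIXED_MAJOR;
    if (min != FIXED_MINOR)
        return min > FIXED_MINOR;
    return pat >= FIXED_PATCH;
}

/* Exposure of a curl command-line invocation per the article's conditions:
 * an unfixed build AND a --limit-rate value in (0, 65541). limit_rate <= 0
 * means the option is not used. Returns 1 exposed, 0 not, -1 unknown build. */
int curl_tool_exposed(const char *banner, long limit_rate)
{
    int fixed = libcurl_is_fixed(banner);
    if (fixed < 0)
        return -1;
    if (fixed)
        return 0;
    return (limit_rate > 0 && limit_rate < LIMIT_RATE_THRESHOLD) ? 1 : 0;
}

int main(void)
{
    /* Constructed banners in the shape of `curl --version` output. */
    const char *old = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2";
    const char *new = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2";
    printf("8.3.0 fixed? %d; with --limit-rate 1000 exposed? %d\n",
           libcurl_is_fixed(old), curl_tool_exposed(old, 1000));
    printf("8.4.0 fixed? %d; with --limit-rate 1000 exposed? %d\n",
           libcurl_is_fixed(new), curl_tool_exposed(new, 1000));
    return 0;
}
```

Note that curl_tool_exposed only models the command-line tool; an application linking an unfixed libcurl is affected whenever it follows redirects through a SOCKS5 proxy with remote name resolution, regardless of any rate limit.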

Daniel Stenberg, the project's author, noted that the vulnerability went undetected for 1315 days. He also said that 41% of the vulnerabilities previously found in curl could have been avoided if curl had been written in a memory-safe language, but there are no plans to rewrite curl in another language in the future. As measures to improve the security of the code base, it is proposed to expand the tooling for testing the code and to use dependencies written in programming languages that guarantee safe memory handling. The possibility of gradually replacing parts of curl with variants written in safe languages is also being considered, such as the experimental Hyper HTTP backend implemented in Rust.

source: budenet.ru