The curl project has released version 8.4.0, which fixes vulnerabilities CVE-2023-38545 and CVE-2023-38546, as previously announced. CVE-2023-38545 is a highly critical flaw that allows code execution on the victim's machine.
Although this is a code execution vulnerability, the conditions required for an attack are fairly restrictive. The attacker must be able to make the server connect to any domain, for example by posting a link that the server downloads to generate a preview, and the server must be behind a SOCKS5 proxy layer. The vulnerability exploits a buffer management bug that is triggered when the destination machine name (hostname) exceeds 255 characters.
While the project's own fix ships in version 8.4.0, Jay Satiro, the reporter of this vulnerability, has also created a patch for version 7.69.0. Those who need to stay on older versions may consider applying the patch and recompiling. Alternatively, for curl packages supplied by a distribution, it is likely that the distribution has already provided patches.
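The conditions above can be turned into a pre-flight check for a service that fetches user-supplied links through curl. The following is an added example, not code from the curl project or the original article; the function names, return values and sample banners are constructed for illustration, and it assumes the libcurl version is read from `curl --version` output.

```python
import re
from urllib.parse import urlsplit

FIXED = (8, 4, 0)   # release carrying the fix, per the article
MAX_HOST = 255      # hostname length threshold named in the article


def libcurl_version(banner: str) -> tuple:
    """Pull (major, minor, patch) out of `curl --version` output."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no libcurl version in banner")
    return tuple(int(p) for p in m.groups())


def lacks_upstream_fix(banner: str) -> bool:
    # A distribution may have backported the patch without bumping the
    # version, so True means "check the package changelog", not "vulnerable".
    return libcurl_version(banner) < FIXED


def via_socks5(proxy: str) -> bool:
    """True when the proxy URL uses one of curl's SOCKS5 schemes."""
    return urlsplit(proxy or "").scheme.lower() in ("socks5", "socks5h")


def host_too_long(url: str) -> bool:
    """True when the URL's hostname exceeds the 255-byte threshold."""
    host = urlsplit(url).hostname or ""
    return len(host.encode("utf-8")) > MAX_HOST


def triage(banner: str, proxy: str, url: str) -> str:
    """Decide what a link-preview fetcher should do with one URL."""
    if host_too_long(url):
        return "reject"             # no valid DNS name is this long
    if via_socks5(proxy) and lacks_upstream_fix(banner):
        return "fetch-but-upgrade"  # request is fine, the deployment is not
    return "fetch"


# Constructed sample inputs (not taken from the article).
OLD = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2"
NEW = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2"
LONG_URL = "http://" + "a" * 300 + ".example/"

if __name__ == "__main__":
    print(triage(OLD, "socks5h://127.0.0.1:1080", LONG_URL))
    print(triage(OLD, "socks5://127.0.0.1:1080", "https://example.com/a"))
    print(triage(NEW, "socks5://127.0.0.1:1080", "https://example.com/a"))
```

The hostname check is a stopgap for hosts that cannot be upgraded immediately; it does not replace moving to 8.4.0 or a patched distribution package.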
TLDR: The curl project has released version 8.4.0 to fix severe vulnerabilities that allow code execution. An attack requires that the attacker can make the server connect to any domain and that the machine name exceeds 255 characters. A patch is also available for version 7.69.0. Those using older versions should consider patching and recompiling, or rely on distribution-provided patches.
Source: HackerOne, curl.se