[Daniel's week] September 22, 2023

Daniel Stenberg daniel at haxx.se
Fri Sep 22 19:28:36 CEST 2023


Hello friends!

Another busy week passed. Here are some of the things that I was involved in.

## Tech over Tea

My guest appearance on the Tech over Tea show [1] went public shortly after I
sent out the weekly email last week. It is a two hour recording with lots of
talk and dives into the world of curl and its development. I think we managed
to cover one or two corners that I have not previously talked that much about
on other shows. Even if of course every show where I talk curl has a certain
amount of overlap...

## null ptr deref

We received a security vulnerability report this week that identified a null
pointer dereference flaw [2]. Such a dereference certainly can be a security
problem depending on how and when it occurs, but in this case I really could
not agree with the reporter and we had a little back and forth about it. I
decided it could be educational and the HackerOne report is now disclosed and
readable for everyone. It gives a little glimpse into why and how security
work takes so much time and is hard.

## polhem prize

I had my first ever meeting with Polhemsrådet [3], the Polhem Council, this
week. We agreed and decided on the winner of this year's Polhem Prize [4]. On
November 8 the awardee(s) will be announced and there will be the traditional
big gala dinner that evening etc.

## GSKit support

After having announced the pending removal some eight months ago, we eventually
actually did it in the 8.3.0 release on September 13 and, to no surprise at
all, this has triggered some private emailing. GSKit was the only available
TLS backend on some IBM platforms and users there have now started to realize
that they can't build a curl release with all CVEs fixed (read: 8.3.0) that
uses GSKit.

Ideally, with some communication and cooperation, we can drum up renewed
interest in GSKit and reintroduce support for it down the line. I am of course
the eternal optimist and we are a long way off from that, but still.

## feature window

Tomorrow, September 23, the feature window will open for curl and it will stay
open for the coming three weeks. We have a number of pull-requests already
queued up waiting for this [7], so I expect to merge some of them and work on
follow-up polish the next few weeks.

## another CVE for windows-curl

The CVE we announced we fixed with 8.3.0 (CVE-2023-38039 [5]) is already being
searched for by "security scanners" and users are getting alarmed when the
scanners sound the horn.

I have already received several emails from people asking for help to upgrade
curl in Windows 10 and 11, which brings us back to the exact same situation we
had back in April [6] and something tells me this is not the last time this
happens. Chances are that we will get this support flood for every single new
CVE we publish in the future. Not an optimal situation.

Reminder: we cannot upgrade the curl tool that is a component of Windows
itself. If you remove or replace that executable, Windows upgrade stops
working. The only viable option is to wait for Microsoft to ship an update.

In this particular case, I have heard that they have an upgrade to 8.3.0
prepared and in the pipelines. Should then probably ship soon. I don't know
when.

## sustain podcast

Friday afternoon I again joined the Sustain podcast [8] and talked bogus CVEs:
how the bogus curl CVE happened and lots of details and background around it.
Not much new if you have followed the details, but it might also help clarify
things if you have not followed the cases closely.

## coming up

- the curl feature window opens tomorrow

## Links

[1] = https://youtu.be/ClF0PFXnlFI?si=gWg5dqlXikuUThBY
[2] = https://hackerone.com/reports/2171309
[3] = https://daniel.haxx.se/blog/2023/05/24/polhemsradet/
[4] = https://www.polhemspriset.se/
[5] = https://curl.se/docs/CVE-2023-38039.html
[6] = https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/
[7] = https://github.com/curl/curl/labels/feature-window
[8] = https://podcast.sustainoss.org/

-- 

  / daniel.haxx.se


More information about the daniel mailing list