Upgrade libcurl


Upgrade libcurl

Post by Haruks »

Hello!

PureBasic 5.62 for Windows comes with libcurl.lib (version 7.42.1, released in April 2015).
But this version has 37 known vulnerabilities, including:
• HTTP authentication leak in redirects
• URL globbing out of bounds read
• write-out out of buffer read
• invalid URL parsing with '#'
• curl escape and unescape integer overflows
• Incorrect reuse of client certificates
• TLS session resumption client cert bypass
• Re-using connections with wrong client cert
• use of connection struct after free
• Windows DLL hijacking
• lingering HTTP credentials in connection re-use
• and others...
We can find the other known vulnerabilities for this version (7.42.1) on the cURL site:
https://curl.haxx.se/docs/vuln-7.42.1.html

At the time I'm writing this, version 7.60.0 is the most secure version to use (https://curl.haxx.se/docs/vulnerabilities.html).

I wish to see this lib updated in PureBasic. Is it possible to update it?

Note: As a workaround, I'm trying to use the lib from https://curl.haxx.se/download.html, but I'm getting some POLINK errors :cry:
POLINK: error: Unresolved external symbol [...]
=D
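A quick way to audit which shipped executables still carry the statically linked libcurl described above: libcurl compiles its own version string (the `libcurl/7.42.1` prefix that `curl_version()` returns) into every build, so a byte scan of a binary is enough to inventory it. This is an added example, not code from the thread or from PureBasic; the minimum version 7.60.0 and the sample byte blob are constructed from the post's figures.

```python
import re
from typing import List, Tuple

# libcurl embeds its version literal ("libcurl/7.42.1 ...") in every build,
# so the string survives static linking into a PureBasic executable.
LIBCURL_VERSION_RE = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")

# Oldest version accepted by this check (7.60.0 is the release the post names).
MIN_VERSION: Tuple[int, int, int] = (7, 60, 0)


def find_libcurl_versions(data: bytes) -> List[Tuple[int, int, int]]:
    """Return every distinct libcurl version string embedded in a binary image."""
    found: List[Tuple[int, int, int]] = []
    for m in LIBCURL_VERSION_RE.finditer(data):
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        if version not in found:
            found.append(version)
    return found


def outdated_versions(data: bytes, minimum=MIN_VERSION) -> List[Tuple[int, int, int]]:
    """Embedded libcurl versions older than `minimum` (tuple comparison is numeric,
    so 7.9.1 correctly sorts below 7.60.0)."""
    return [v for v in find_libcurl_versions(data) if v < minimum]


def check_file(path: str, minimum=MIN_VERSION) -> List[Tuple[int, int, int]]:
    """Scan one executable or library on disk and report outdated libcurl versions."""
    with open(path, "rb") as f:
        return outdated_versions(f.read(), minimum)


# Constructed sample standing in for an EXE built with PB 5.62's libcurl.lib.
SAMPLE_EXE = b"MZ\x90\x00" + b"A" * 64 + b"libcurl/7.42.1\x00" + b"B" * 32

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        print("outdated libcurl in sample:", outdated_versions(SAMPLE_EXE))
    for path in sys.argv[1:]:
        print(path, outdated_versions(open(path, "rb").read()))
```

Run it with the paths of your built executables as arguments; an empty list means no embedded libcurl older than the threshold was found.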

Re: Vulnerabilities with PureBasic 5.62 & libcurl

Post by infratec »

Hi,

This is a feature request and not a bug :wink:

It is possible to build a libcurl.lib that is usable within PB.
But it is horrible because of the dependencies.
It took me 3 days, because I needed IMAPS, which is possible with libcurl.

Bernd

Re: Vulnerabilities with PureBasic 5.62 & libcurl

Post by Haruks »

Hello infratec!
libcurl is included in PB; it's not a "new feature", just a vulnerability fix (which is a critical fix from my point of view), as any PB app using the lib is exposed.
I know that there can be some delay before it is updated officially.

I'm really interested in how you compiled libcurl to work with PB; could you share your recipe? :D
=D

Re: Vulnerabilities with PureBasic 5.62 & libcurl

Post by tj1010 »

https://curl.haxx.se/docs/vuln-7.42.1.html
https://www.rapid7.com/db/vulnerabiliti ... -2016-7167

That's the only one you'll have to worry about, and you should have sandboxing on any process using it anyway. There are no public exploits, and it's heap-based, so it's not as simple as overwriting a register in gdb to make an exploit.

Pretty sure SQLite needs updating too
The truth hurts.