I have talked about old curl bugs before, but now we have a new curl record. When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11.1 we fixed a security bug that was introduced in a curl release 9039 days ago. That is close to twenty-five years. … Continue reading A twenty-five years old curl bug →

I like the clarification:

Let me also touch this subject while talking security problems. This bug, the oldest so far in curl history, was a plain logic error and would not have been avoided had we used another language than C.

Otherwise, about 40% of all security problems in curl can be blamed on us using C instead of a memory-safe language. 50% of the high/critical severity ones.

Almost all of those C mistakes were done before there even existed a viable alternative language – if that even exists now.

  • @solrizeEnglish
    41 month ago

    I wonder whether some careful specifications and model checking could have found this.

    • @Blue_MorphoEnglish
      31 month ago

      As the article says, the problem was the logic. They had thousands of hours of model checking.

      • @solrizeEnglish
        71 month ago

        They had 1000s of hours of fuzz testing. Model checking means something different.