‘We borked the fix,’ developer candidly admits

cURL developers have taken a second stab at addressing a long dormant information disclosure vulnerability

Developers have taken a second stab at fixing a tricky flaw in cURL, the command-line tool and library for transferring data with URLs.

The utility, which is popular with developers, was subject to an information disclosure bug involving interactions with Telnet servers in June.

However, the attempted resolution of the flaw (CVE-2021-22898) failed to address an almost identical bug in the software which also presented an information disclosure, or potential data leak vulnerability in interacting with Telnet servers.

20-year-old bug

This latest vulnerability (CVE-2021-22925) represents only a medium risk flaw, but its similarity to the previous bug prompted cURL developer Daniel Stenberg to declare it as the “most embarrassing security advisory for cURL for a long time”.

“We meant to fix this in the previous release but borked the fix so the problem remained and now we fix the same problem *again*,” Stenberg admitted in a recent Twitter update.


Catch up with the latest secure software development news and analysis


Both issues were introduced by coding changes made in March 2001, meaning the underlying flaw had laid dormant in the software for more than 20 years.

As explained in a technical advisory, the latest flaw, like its predecessor, involves the seldom used -t command-line option to send variable=content pairs to Telnet servers:

Due to flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revealing sensitive internal information to the server using a clear-text network protocol.

This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.

“The previous cURL security vulnerability CVE-2021-22898 is almost identical to this one but the fix was insufficient, so this security vulnerability remained,” the developers added.

Software update

Neither the latest flaw nor its near-identical predecessor are reckoned to be the target of active exploitation. Users of the technology are nonetheless advised to update to the latest release of the software, version 7.78.0.


RECOMMENDED TIBCO Data Virtualization software vulnerable to RCE via third-party flaws, claims researcher


Stenberg said the experience had taught him a few lessons.

“I learned (again) that when you take shortcuts (like skipping writing test cases for it) – mistakes easily happen,” he told The Daily Swig.

The latest version of cURL, released on Wednesday (July 21), also fixed four other vulnerabilities of lesser note, as well as introducing a large number of non-security related fixes and coding tweaks.

A full rundown of the patch batch can be found on the cURL website.


RELATED STORY Umbraco flags pending security patch for RCE vulnerability in forms package – updated