How to share what you’ve learned from our audits

By Nick Selby
Trail of Bits recently completed a security review of cURL, an amazing and ubiquitous data transfer tool. We were really excited when cURL Founder and Lead Developer Daniel Stenberg wrote a blog post about the engagement and report, and wanted to highlight a few key things he pointed out.
In his post, Daniel delves into the growth of cURL since its last audit in 2016, covering the project, the code base, and then the work with Trail of Bits. He addresses both the engagement experience and the final report.
His blog post provides meaningful context. He gives us high praise as well as actionable criticism that our teams will consider for the future. It also highlights an area of disagreement with a finding, explains the reasons for that disagreement, and links to the responses cURL provided for each of the audit items.
We believe that software vendors should follow Daniel’s example when deciding to publish their security reviews. This supplemental reading is much needed so that software developers can provide more context and clarity regarding their security decisions. This is a great example of how engineering teams can work with us and we take great pride in the compliments and recognize our responsibility to give careful consideration to his criticism.
Daniel’s post highlights a vulnerability that isn’t included in the final report, because the bug was found after the review ended (our engineers kept a fuzzer running after the review was complete). This bug, a use-after-free, is now known as CVE-2022-43552. The details are available on cURL’s website and were released in sync with the patch. Trail of Bits will have a blog post about the bug in the future.
While the error itself is not critical, the process Daniel and other cURL maintainers undertook to fix it is a great example of a commitment to excellence. While some software developers see vulnerability discovery and patching as something akin to a bug, we believe it’s a hallmark of how developers should deal with security issues.
We highly recommend reading the audit report, the threat model, and Daniel’s post!
*** This is a Security Bloggers Network syndicated blog from the Trail of Bits blog written by Trail of Bits. Read the original post at: https://blog.trailofbits.com/2022/12/22/curl-security-audit-threat-model/