cURL CVE-2023-38545
Apr 4, 2024
The cURL project has recently published a security advisory for CVE-2023-38545, a heap buffer overflow in the SOCKS5 proxy handshake.
This vulnerability affects the SOCKS5 proxy feature of cURL, in both the curl CLI tool and libcurl.
The advisory’s recommendations are:
A - Upgrade curl to version 8.4.0
B - Apply the patch to your local version
C - Do not use CURLPROXY_SOCKS5_HOSTNAME proxies with curl
D - Do not set a proxy environment variable to socks5h://
Bitrise stacks #
Bitrise stacks ship with the curl CLI tool, as well as the libcurl package on Linux.
macOS #
The macOS stacks contain two curl packages:
- /usr/bin/curl, shipped as part of macOS: this version (8.1.2) is affected by the vulnerability
- /opt/homebrew/opt/curl/bin/curl, installed via Homebrew: this version (8.1.2 or 8.3.0, depending on the exact stack) is also affected by the vulnerability
Because of Homebrew’s default behavior, the Homebrew curl package is not added to $PATH, so most curl invocations default to the macOS-provided curl binary. When installing cURL, Homebrew explains this behavior:
curl is keg-only, which means it was not symlinked into /opt/homebrew,
because macOS already provides this software and installing another version in
parallel can cause all kinds of trouble.
If you need to have curl first in your PATH, run:
echo 'export PATH="/opt/homebrew/opt/curl/bin:$PATH"' >> ~/.zshrc
Linux #
The Bitrise Linux stack is based on Ubuntu 20.04 LTS. The stack ships with the latest curl and libcurl packages available from the official Ubuntu repositories, version 7.68.0. This version predates the vulnerable code and is outside the range of vulnerable versions (7.69.0 up to and including 8.3.0).
Our response #
We are taking the following actions:
Update Homebrew-provided curl on macOS stacks #
We are updating the macOS stacks by upgrading the Homebrew-provided cURL package on the stacks. We’ll update this post once the stack updates are released, as well as the changelogs pages.
Update: the following stacks are updated with cURL 8.4.0:
- Xcode 15.0 with edge updates (2023-10-12)
- Xcode 15.1 with edge updates (2023-10-12)
- Xcode 14.1 (2023-10-17)
- Xcode 14.2 (2023-10-17)
- Xcode 14.3 (2023-10-17)
- Xcode 15.0 (2023-10-17)
However, the macOS-provided curl binary remains the default in $PATH, and we want to avoid sudden build failures by upgrading such a fundamental tool for every Bitrise user. If your use case involves the SOCKS5 proxy feature of cURL, you can activate the latest cURL version provided by Homebrew by running the following in a script step (envman persists the new PATH for the later steps of the workflow):
export PATH="/opt/homebrew/opt/curl/bin:$PATH"
envman add --key PATH --value "$PATH"
You can also upgrade the Homebrew curl package right now by running:
unset HOMEBREW_NO_INSTALL_FROM_API
brew update
brew upgrade curl
Note that this only updates the Homebrew package; the macOS-provided /usr/bin/curl stays first in $PATH unless you also export the Homebrew path as shown above.
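To verify which curl a build actually runs and whether it falls in the advisory's affected range, the script below is an added example (not Bitrise's or the curl project's code). It parses `curl --version` output, compares the version against 7.69.0 to 8.3.0 inclusive, checks the two macOS locations named above plus whatever `curl` resolves to in $PATH, and flags the socks5h:// proxy variables that advisory item D warns about. The paths, the proxy variable names and the sample `curl --version` line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Affected range from the curl advisory for CVE-2023-38545 (as quoted on this page).
VULN_FIRST="7.69.0"
VULN_LAST="8.3.0"

# Turn "a.b.c" into a zero-padded integer key so versions compare with -ge/-le.
# Example: ver_key 8.1.2 -> 8001002, ver_key 7.69.0 -> 7069000
ver_key() {
  # shellcheck disable=SC2086
  set -- $(printf '%s' "$1" | tr '.' ' ')
  printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Return 0 if the version string is inside the advisory range, 1 otherwise.
is_vulnerable_version() {
  v=$(ver_key "$1"); lo=$(ver_key "$VULN_FIRST"); hi=$(ver_key "$VULN_LAST")
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Extract the version number from the first line of `curl --version` output,
# e.g. a constructed line "curl 8.1.2 (x86_64-apple-darwin22.0) libcurl/8.1.2".
version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Check one binary: print its path, version and verdict.
# Returns 0 if vulnerable, 1 if outside the range, 2 if it could not be checked.
check_curl_binary() {
  bin="$1"
  [ -x "$bin" ] || { echo "$bin: not present"; return 2; }
  out=$("$bin" --version 2>/dev/null) || { echo "$bin: --version failed"; return 2; }
  ver=$(version_from_output "$out")
  if is_vulnerable_version "$ver"; then
    echo "$bin: curl $ver is in the vulnerable range $VULN_FIRST..$VULN_LAST"
    return 0
  fi
  echo "$bin: curl $ver is outside the vulnerable range"
  return 1
}

# Advisory item D: report proxy environment variables that point at socks5h://.
# Variable names are the conventional ones honoured by curl (assumed list).
# Returns 0 if any such variable is set, 1 otherwise.
socks5h_proxy_env_set() {
  for var in http_proxy https_proxy all_proxy HTTP_PROXY HTTPS_PROXY ALL_PROXY; do
    eval "val=\${$var:-}"
    case "$val" in
      socks5h://*) echo "$var=$val uses socks5h:// (hostname resolved by the proxy)"; return 0 ;;
    esac
  done
  return 1
}

# Scan the locations this page names plus whatever `curl` resolves to in PATH.
# Returns 0 if at least one vulnerable binary was found.
scan_curl_binaries() {
  found=1
  for bin in "$(command -v curl 2>/dev/null)" /usr/bin/curl /opt/homebrew/opt/curl/bin/curl; do
    [ -n "$bin" ] || continue
    check_curl_binary "$bin" && found=0
  done
  socks5h_proxy_env_set || echo "no proxy variable uses socks5h://"
  return $found
}

# Only run the scan when invoked with --scan, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then
  scan_curl_binaries
  exit $?
fi
```

Drop this into a Bitrise script step as `sh curl_check.sh --scan`; a zero exit status means a vulnerable curl was found, which lets you fail the build only where the SOCKS5 feature matters.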