This Week In Security: Curl Reveal, Rapid Reset DDoS, And Libcue

October 13, 2023 by Jonathan Bennett 17 Comments

Curl gave us all a big warning that a severe security problem had been found in that code-base. Given the staggering number of Curl installs around the world, we held our collective breath and waited for the bombshell to drop this Wednesday. It turns out, it’s not quite as bad as feared — so long as you don’t have a SOCKS proxy.

In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend. — Daniel Stenberg

The trouble started when the SOCKS5 proxy support was converted to a non-blocking implementation. It’s a win for libcurl to work on requests asynchronously, but refactoring code and new features always runs a bit of risk. SOCKS5 proxying has some quirks, like allowing DNS resolution to happen locally or at the proxy. The new async code starts out with:

bool socks5_resolve_local = (proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

First off, unnecessary ternary is unnecessary. But note that this local variable gets set by the proxytype. If that’s CURLPROXY_SOCKS5_HOSTNAME, then it uses remote resolution. But inherited from old code is a check for a hostname that is too long for a SOCKS request (255 bytes). This code converts back to local resolution in this case.

The important detail here is that this function is now a state machine, that potentially runs multiple times for a single request, to achieve that asynchronous execution. The check for a too-long hostname only happens during the initialization state. Copying the hostname into the buffer happens in a different state. If setting up the connection takes enough time, the function will return and be executed again when something has changed. The ternary check runs again, but not the hostname-too-long. So if set to do remote resolution with a long enough host name, execution slips through this edge case, and the long hostname is copied into a too-small buffer.

It’s safe to assume that this heap overflow can result in arbitrary code execution. The fix has landed in 8.4.0, after being present for 1,315 days. [Daniel] goes ahead and gets ahead of the inevitable suggestion that Curl should be written in rust or another memory-safe language. Curl was started before those alternatives existed, and there is a very slow effort to move portions of the project to memory-safe languages. And you’re welcome to help out. Continue reading “This Week In Security: Curl Reveal, Rapid Reset DDoS, And Libcue” →

Debian Bookworm Comes To The Raspberry Pi, And Wayland Is Now Default

October 13, 2023 by Jenny List 48 Comments

It must have been a busy week for the PR department at Raspberry Pi, with the launch of their latest single-board computer, the Pi 5. Alongside the new board comes something else, an updated Raspberry Pi OS version.

This is built from Debian 12 “Bookworm”, and supplants the previous “Bullseye” version. As well as the new OS base it comes with a pile of Pi-specific upgrades including an optimsied version of Mozilla Firefox. Probably most important is that henceforth (at least on 64-bit boards) its desktop will use the Wayland compositor rather than X11 to draw and manipulate windows. This is a development that has been in the works for a very long time — it must be almost a decade since the first Raspberry Pi blog entry about Wayland — so it’s welcome at last to see it.

The new tweaks as well as Wayland are supposed to deliver a much faster Pi experience, so we thought we’d break out the stopwatch and do some rough real-world tests. The bench 8GB Pi 4 here has a vanilla 64-bit Bullseye installed, so off we went to measure boot time, Chromium browser opening time, and Hackaday load time. It was time to download the new 64-bit Bookworm image and do the same. Have we just downloaded a power-up?

Both tests were done with an everyday boot, after the first-time OS set-up, and with all browser caches emptied. First up was a significant boost, with Bookworm booting in 37.14 seconds to Bullseye’s 53.5, but the Chromium opening was a little more disappointing. On Bullseye it took 7.15s, while Bookworm’s Chromium managed a more pedestrian 9.13s. The new Firefox takes only 7.95s to open. Both Chromium browsers load Hackaday in about 1.8s, while the new Firefox did the same job in a shade over 3s.

So allowing for our stopwatch reaction time and the ad-hoc nature of the test, this is a faster-booting OS, but the underlying hardware is still the limiting factor. We’re disappointed to see that there’s no update for the x86 version of the Raspberry Pi Desktop, and we hope they’ll be able to rectify this in the future.

An In-Depth Comparison Of Hobby PCB Manufacturers

October 13, 2023 by Richard Baguley 45 Comments

[Icamtuf] has been working on a prototyping run of a project, which involves getting PCBs made by several low volume PCB manufacturing companies. After receiving the boards, he analyzed the results and produced an interesting analysis.

The project he is working on is Sir-Box-A-Lot, a Sokoban gaming console clone that we’ve covered before. It uses an AVR128DA28 microcontroller to emulate the original box-pushing game and drive the OLED display. He ordered PCBs from OSHPark, DigiKey Red, JLCPCB, PCBWay and Aisler.

OSHPark boards are gorgeous, but you pay for it.

There were pros and cons for each of the services: OSHPark produced the nicest-looking boards, but at the highest cost. DigiKey Red had a flawless solder mask, but a rather sloppy-looking silkscreen and shipped the boards covered in adhesive gunk. JLCPCB was fast, shipping the boards in less than 7 days, but the smaller details of the silkscreen were blurry and the solder mask was thinner than the others. The solder mask from PCBWay was very slightly misaligned but was thicker than most, and they were the only ones who queried a badly shaped hole to see what [Icamtuf] wanted to do: the others just made assumptions and made the boards without checking.

To be fair, this analysis is based on a single PCB design ordered once and it is possible that some companies were having a bad day. These were also delivered to the US, so your delivery times may vary. So, there are no clear winners and I wouldn’t make a choice based on this alone. But the analysis is well worth a read if you want to know what to look out for on your own PCBs.