How to share what you’ve learned from our audits

By Nick Selby

Trail of Bits recently completed a security review of cURL, which is an amazing and ubiquitous tool for transferring data. We were really thrilled to see cURL founder and lead developer Daniel Stenberg write a blog post about the engagement and the report, and wanted to highlight some important things he pointed out.

In this post, Daniel dives into cURL’s growth since its last audit in 2016: the project; the codebase; and then into the work with Trail of Bits. He touched on both the engagement experience and the final report.

His blog post provides terrific and meaningful context. He gives us high praise, as well as actionable and meaningful critiques that our teams are considering for the future. He also highlights an area in which he disagrees with a finding, providing context on why, and provides links to the responses cURL made to each of the audit points.

We believe software providers should follow Daniel’s lead if they choose to publish their security reviews. This supplementary reading is deeply needed so software developers can provide greater context and clarity around their security decisions. This is a great example of how engineering teams can work with us, and we are very proud of the compliments and cognizant of our responsibility to diligently consider his critiques.

There is one vulnerability highlighted in Daniel’s post that is not included in the final report, because the bug was found after the review ended (our engineers kept a fuzzer rolling after the conclusion of the review). That bug, a use-after-free, is now known as CVE-2022-43552. The details are available on cURL’s website and were released in sync with the patch. Trail of Bits will have a blog post about the bug in the future.

While the bug itself isn’t a critical one, the process Daniel and other cURL maintainers took to fix it is a great example of a commitment to excellence. While some software developers think of discovering and patching vulnerabilities as something akin to failure, we believe it is a hallmark of how developers should handle security issues.

We highly recommend giving the audit report, the threat model, and Daniel’s post a read!