git.vger.kernel.org archive mirror
* Request for Curl.exe update included in Git binaries
@ 2023-09-25 15:37 Robert Smith
  2023-09-25 21:54 ` brian m. carlson
  0 siblings, 1 reply; 3+ messages in thread
From: Robert Smith @ 2023-09-25 15:37 UTC (permalink / raw)
  To: git@vger.kernel.org

Hello,

Regarding this CVE:

https://curl.se/docs/CVE-2023-38039.html

Is there any plan to update Git for Windows to include the updated 8.3.0 Curl binaries?

Thanks,

Robert S.

* Re: Request for Curl.exe update included in Git binaries
  2023-09-25 15:37 Request for Curl.exe update included in Git binaries Robert Smith
@ 2023-09-25 21:54 ` brian m. carlson
  2023-09-26 13:53   ` Johannes Schindelin
  0 siblings, 1 reply; 3+ messages in thread
From: brian m. carlson @ 2023-09-25 21:54 UTC (permalink / raw)
  To: Robert Smith; +Cc: git@vger.kernel.org

On 2023-09-25 at 15:37:46, Robert Smith wrote:
> Hello,

Hey,

> Regarding this CVE:
> 
> https://curl.se/docs/CVE-2023-38039.html
> 
> Is there any plan to update Git for Windows to include the updated 8.3.0 Curl binaries?

The Git project doesn't ship any binaries at all, and we don't ship
curl.  Git for Windows does ship a substantial amount of other software,
including curl.  You can find their issue tracker at
https://github.com/git-for-windows/git/issues, but I believe this has
already been fixed in https://github.com/git-for-windows/git/issues/4605
and will be included in the next version.

I'm not certain about their release policy, but I seem to recall that
they don't issue updates for dependent packages until a new release
would normally be done.  To be certain, you'd have to inquire with them.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

* Re: Request for Curl.exe update included in Git binaries
  2023-09-25 21:54 ` brian m. carlson
@ 2023-09-26 13:53   ` Johannes Schindelin
  0 siblings, 0 replies; 3+ messages in thread
From: Johannes Schindelin @ 2023-09-26 13:53 UTC (permalink / raw)
  To: brian m. carlson; +Cc: Robert Smith, git@vger.kernel.org

Hi brian and Robert,

On Mon, 25 Sep 2023, brian m. carlson wrote:

> On 2023-09-25 at 15:37:46, Robert Smith wrote:
>
> > Regarding this CVE:
> >
> > https://curl.se/docs/CVE-2023-38039.html

In the future, please consider sending security-relevant enquiries to
git-security@googlegroups.com instead of the regular Git mailing list.

In this case, not much harm was done, but let's not risk anything. I say
not much harm was done because that CVE would appear to be very low risk.
The cURL project itself says this:

	When curl retrieves an HTTP response, it stores the incoming
	headers so that they can be accessed later via the libcurl headers
	API.

	However, curl did not have a limit on the size or quantity of
	headers it would accept in a response, allowing a malicious server
	to stream an endless series of headers to a client and eventually
	cause curl to run out of heap memory.

So the most damage that can be done by exploiting this vulnerability is to
host a Git server from which a user targeted by the attack simply cannot
clone because the process will fail with an out-of-memory condition.

The Git for Windows project carefully vets any security updates of any of
the components distributed with Git for Windows, and if it is determined
that they constitute a vulnerability that can be exploited via regular Git
usage, we aim to release a new version as swiftly as possible.

In this instance, it was determined that the severity is low (deviating
from cURL's assessment because Git's usage of libcurl has a narrower focus
than general cURL usage), and no new Git for Windows version was deemed
necessary.

> > Is there any plan to update Git for Windows to include the updated
> > 8.3.0 Curl binaries?

Ever since https://github.com/git-for-windows/git/issues/4605 was
addressed, the v8.3.0 cURL binaries have been ready to go for the next Git
for Windows version.

> The Git project doesn't ship any binaries at all, and we don't ship
> curl.  Git for Windows does ship a substantial amount of other software,
> including curl.  You can find their issue tracker at
> https://github.com/git-for-windows/git/issues, but I believe this has
> already been fixed in https://github.com/git-for-windows/git/issues/4605
> and will be included in the next version.

Precisely.

> I'm not certain about their release policy,

Git for Windows' release policy is documented at
https://github.com/git-for-windows/git/security/policy.

> but I seem to recall that they don't issue updates for dependent
> packages until a new release would normally be done.  To be certain,
> you'd have to inquire with them.

Git for Windows does follow "upstream" Git releases. That is, every
official Git version on the latest major version release train is followed
shortly thereafter with a corresponding Git for Windows version.

As documented at
https://github.com/git-for-windows/git/security/policy#version-number-scheme
sometimes Git for Windows releases versions that do _not_ correspond to
upstream Git versions. Reasons for that include security bug fixes in
dependencies that affect Git usage, and bug fixes that are specific to Git
for Windows which are considered important enough to deliver to Git for
Windows users as quickly as possible.

In this instance, I do not see any reason to risk upgrade fatigue and
expect to publish the first Git for Windows version that includes cURL
v8.3.0 in the wake of Git v2.43.0 (slated for November 20th, 2023, see
https://gh.io/gitCal).

Robert, if you still feel very strongly that you need to have a Git for
Windows that includes an updated `curl.exe`, I invite you to install the
latest snapshot at https://wingit.blob.core.windows.net/files/index.html.
These snapshots are designed to be as robust and dependable as full Git
for Windows releases, the only difference being that snapshots are
released with every update to Git for Windows' `main` branch, i.e. at a
much faster cadence than official Git for Windows versions.

Ciao,
Johannes
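
The failure mode in the advisory text Johannes quotes (response headers stored with no bound on their total size) is easiest to see next to the check that prevents it. The following is an added illustration, not code from this thread, from curl or from Git for Windows: a minimal HTTP/1.1 header reader that enforces a byte budget, exercised against a constructed stand-in for a server that streams headers forever. The budget value, the sample Git smart-HTTP response and the stream class are all constructed for the example and do not reflect curl's actual limits.

```python
import io
class HeaderLimitExceeded(Exception):
    """Raised when a response's header block exceeds the configured byte budget."""

MAX_HEADER_BYTES = 64 * 1024  # constructed budget for this example, not curl's actual limit

def read_response_headers(source, max_bytes=MAX_HEADER_BYTES):
    """Parse an HTTP/1.1 status line and headers (bytes or a binary stream) into
    (status_line, {lowercased name: [values]}). Aborts as soon as the accumulated
    header bytes pass the budget, so an endless header stream cannot exhaust the heap."""
    stream = io.BytesIO(source) if isinstance(source, bytes) else source
    total, status, headers = 0, None, {}
    while True:
        # Never read past the remaining budget, even for one enormous line.
        line = stream.readline(max_bytes - total + 1)
        if not line:
            raise ValueError("stream ended before the end of the header block")
        total += len(line)
        if total > max_bytes:
            raise HeaderLimitExceeded(f"header block exceeds {max_bytes} bytes")
        if line in (b"\r\n", b"\n"):
            return status, headers
        if status is None:
            status = line.rstrip(b"\r\n").decode("latin-1")
            continue
        name, _, value = line.rstrip(b"\r\n").partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))

# Constructed sample: the header block a smart-HTTP Git server returns on clone.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-git-upload-pack-advertisement\r\n"
          b"Cache-Control: no-cache\r\n\r\n001e# service=git-upload-pack\n")

class EndlessHeaderStream:
    """Constructed stand-in for a server that never finishes its header block."""
    pending, n = b"HTTP/1.1 200 OK\r\n", 0
    def readline(self, limit=-1):
        if not self.pending:  # fabricate the next header only when asked for it
            self.n += 1
            self.pending = b"X-Filler-%d: padding\r\n" % self.n
        line, self.pending = self.pending, b""
        return line if limit < 0 else line[:limit]

def accepts(source, **limits):
    """True if the header block parsed within budget, False if it was rejected."""
    try:
        read_response_headers(source, **limits)
        return True
    except HeaderLimitExceeded:
        return False
```

Without the budget check, the loop over `EndlessHeaderStream` would append headers until the process ran out of memory, which is exactly the out-of-memory clone failure described above; with it, the client fails fast and releases nothing it did not bound.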
