Hi friends,

Just a few weeks ago I wrote a blog post about "how to backdoor curl" [1], trying to look at and think about ways how a malicious actor could potentially proceed to try to get bad code landed in curl.

Yesterday the news broke that researchers at UMN (University of Minnesota) did exactly this against the Linux kernel project [2]: they submitted patches to the project with deliberate flaws, in the name of research. Some of them were merged before this was found out, but they're now all being reverted and re-vetted. UMN has even been banned from further Linux work.

I did my part and checked: curl has never received or merged any patches/commits from someone with a @umn.edu email address. We have not been a target of this attack.

This Linux kernel attack shows that these kinds of methods and scenarios are more than theoretical. They're actually used.

[1] = https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/
[2] = https://lore.kernel.org/lkml/20210421130105.1226686-1-gre...@linuxfoundation.org/

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
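
The kind of check described in the message (searching a project's history for commits tied to one e-mail domain) can be scripted as below. This is an added example, not part of the original mail and not curl's own tooling; the function names `scan_log` and `audit_repo` are hypothetical, and it assumes a local clone and a git recent enough to support the `separator=` trailer option.

```shell
#!/bin/sh
# Added example. Addresses in commits are set by whoever created the
# commit, so this only finds contributions that used the domain openly.

# scan_log DOMAIN: read records of the form
#   hash<TAB>author-email<TAB>committer-email<TAB>trailer;trailer;...
# on stdin and print "hash role" for every address in DOMAIN or a subdomain.
scan_log() {
    awk -F '\t' -v dom="$1" '
    BEGIN { dom = tolower(dom) }
    # True when addr is in dom or a subdomain of it. Comparing the whole
    # host part keeps "x@umn.edu.example" and "x@notumn.edu" from matching.
    function in_domain(addr,    host, n) {
        if (addr !~ /@/) return 0
        host = tolower(addr)
        sub(/^.*@/, "", host)
        n = length(host) - length(dom)
        return host == dom || (n > 0 && substr(host, n) == ("." dom))
    }
    {
        if (in_domain($2)) print $1, "author"
        if (in_domain($3)) print $1, "committer"
        # Trailers such as Signed-off-by or Reported-by carry "Name <addr>".
        cnt = split($4, t, ";")
        for (i = 1; i <= cnt; i++)
            if (match(t[i], /<[^>]*>/) &&
                in_domain(substr(t[i], RSTART + 1, RLENGTH - 2))) {
                key = t[i]; sub(/:.*/, "", key)
                print $1, "trailer:" key
            }
    }'
}

# audit_repo DOMAIN [REPO]: scan every ref of a local clone.
# Usage: audit_repo umn.edu /path/to/clone
audit_repo() {
    git -C "${2:-.}" log --all \
        --format='%H%x09%ae%x09%ce%x09%(trailers:only,unfold,separator=%x3B)' |
        scan_log "$1"
}
```

No output from `audit_repo` means no author, committer or trailer address in the scanned refs matched the domain.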