Critical Update for Roblox Developers: curl/libcurl library

Hello Developers,
The Open Source community has identified a critical update required to the curl and libcurl open source repository. The open-source developer and maintainer of curl announced a fix for the vulnerability today which is currently available in the curl & libcurl 8.4.0 patch.

BACKGROUND: curl and libcurl versions 7.69.0 through 8.3.0 suffer from a buffer overflow vulnerability when using the SOCKS5 Proxy. This vulnerability does not impact the Roblox platform, but could impact developer workflows depending on their specific implementations. The authors of curl have updated the library in version 8.4.0 to remove this vulnerability. We recommend developers take a look at the tools and libraries they utilize in their work to ensure they use the latest available versions. More details can be found from the authoritative owners and authors of curl at curl - SOCKS5 heap buffer overflow - CVE-2023-38545.

212 Likes
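A version check for the range quoted above, written here as an added example (not Roblox's or curl's own code): it reads the banner from `curl --version` and from whichever shared libcurl the loader finds (via libcurl's `curl_version()`), and reports whether the build falls in 7.69.0 through 8.3.0. It assumes that range is inclusive at both ends as the announcement states, and that a build reporting 8.4.0 or later is fixed.

```python
import ctypes
import ctypes.util
import re
import subprocess

# Range named in the announcement: 7.69.0 through 8.3.0 affected, fixed in 8.4.0.
FIRST_AFFECTED = (7, 69, 0)
FIXED_IN = (8, 4, 0)

def parse_version(banner):
    """First x.y.z in a banner, e.g. "curl 8.3.0 (...) libcurl/8.3.0 ..." from
    `curl --version` or "libcurl/8.3.0 ..." from curl_version(); "-DEV" etc. ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version):
    """True when 7.69.0 <= version < 8.4.0 (tuples compare lexicographically)."""
    return FIRST_AFFECTED <= version < FIXED_IN

def assess(banner):
    """One-line verdict for an audit report."""
    v = parse_version(banner)
    if v is None:
        return "unknown: no version found in banner"
    label = ".".join(map(str, v))
    if is_affected(v):
        return f"affected: {label} is in 7.69.0..8.3.0; upgrade to 8.4.0 or later"
    return f"not affected: {label}"

def installed_banners():
    """Banners from the curl CLI and from the shared libcurl the loader finds;
    both are checked because a tool may link a libcurl older than the CLI on PATH."""
    banners = []
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True, text=True, timeout=10)
        if out.stdout:
            banners.append(out.stdout.splitlines()[0])
    except (OSError, subprocess.SubprocessError):
        pass  # no curl CLI on PATH
    path = ctypes.util.find_library("curl")
    if path:
        lib = ctypes.CDLL(path)
        lib.curl_version.restype = ctypes.c_char_p
        banners.append("libcurl: " + lib.curl_version().decode())
    return banners

if __name__ == "__main__":
    for banner in installed_banners() or ["(no curl/libcurl found)"]:
        print(banner, "->", assess(banner))
```

Tools that bundle their own libcurl (static builds, vendored copies) will not show up in either banner, so check those separately against the same range.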


It’s awesome to see Roblox looking out for its developers and informing them of important vulnerabilities like these. Thanks a lot :slightly_smiling_face:

53 Likes

A quick audit of Rojo and its related ecosystem says we’re fine, if anyone is curious.

I specifically looked at Rojo, Tarmac, Wally, and Lune and none of them utilize curl, so if anyone is worried about that aspect of their workflow, don’t be.

Thanks to the people at Roblox who felt the need to post this though. I understand it’s a lot of work for them to comment on relevant CVEs, especially with how flighty the Roblox user base can be, but it made me go look and thus helped keep the third party tooling ecosystem safe.

51 Likes

Does this include remodel?

13 Likes

It did, though I didn’t mention it because Remodel is deprecated in favor of Lune (there’s a migration guide available here). It is safe from this issue also because it doesn’t use curl.

And since people will probably ask: so are Aftman, Foreman, and the Rojo VScode extension. Same deal, they don’t use curl.

16 Likes

Of course. Additionally, the vulnerability at hand should only really affect some specific Curl use-cases w/ SOCKS5 proxies etc. (It’s also reasonably common in relay nodes for protocols such as Tor)

Even then, Curl is VERY popular and installed in hundreds of millions of systems; even if most orgs/users aren’t using this feature, it is still an issue! The title of this thread could be just a bit misleading to the actual issue, as it was measured by Curl’s maintainer as HIGH instead of downright CRITICAL for a reason.

This thread by LiveOverflow does give a pretty good explanation to the whole situation, and how many are perceiving it. I’d suggest giving it a read if you’re interested in the whole thing!

And again, I’m very surprised Roblox personally made a thread for folks to be aware of this! It’s very awesome to see important security-related stuff outside of the platform being on here.


15 Likes

Roblox looking out for off-site developers x2 :slight_smile:
(Malicious Packages Targeting Roblox API Users)

Based German guy

7 Likes

actual thank you

9 Likes

Thanks for telling us! It’s nice to see Roblox looking out for its developers.

6 Likes

Can someone explain this in English? I have no clue what this is haha

8 Likes

If you don’t know what Curl is, it probably doesn’t impact you!

Curl and by extension libcurl are programs that are used to download things from the internet. They had a large security exploit under some specific circumstances, which might impact people who use them for e.g. downloading things from Roblox in their workflows.

This is just a courtesy announcement by Roblox of that bug so that people who might be impacted are aware. It didn’t impact Roblox itself.

16 Likes
