Forum Thread: False Positive on cURL64 Still Appears

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
yinepuhotep False Positive on cURL64 Still Appears
Member 20th Feb, 2012 19:07
Ranking: 0
Posts: 15
User Since: 7th Feb, 2008
System Score: 92%
Location: US
PSI gives me the following:


---START---

Program Name:
cURL 7.x (64-bit)

Security State:
Insecure

Download Link:
http://curl.haxx.se/download.html

Instances Found:
C:\Users\All Gaming\Downloads\Windows Shells\LiteStep\Rainmeter\space craft\skins\Tweeter Feed\SendTweet\curl.exe, version: 7.23.1.0
C:\Users\All Gaming\Downloads\MinGW\curl-7.23.1-rtmp-ssh2-ssl-sspi-zlib-winidn-static-bin-w64\curl.exe, version: 7.23.1.0

Last System Scan (localtime):
16. Feb 2012, 17:03

Operating System:
Microsoft Windows 7, Microsoft Windows 7

---END---

That would be OK, except for the following:

From http://curl.haxx.se/download.html:

Win64 - Generic
Win64 7.23.1 binary Don Luchini 195 KB
Win64 7.23.1 binary Don Luchini 590 KB

Win64 - MinGW64
MinGW64 7.23.1 binary SSH Günter Knauf 1.03 MB
MinGW64 7.23.1 devel SSH Günter Knauf 2.12 MB

Notice the most recent version available for Windows? Why does PSI continue to mark that as requiring update, when there is no update available? I reported this 3 weeks ago, and it continues to give the false positive. And my original report was locked, with no response from anyone on the PSI front.

mogs RE: False Positive on cURL64 Still Appears
Expert Contributor 20th Feb, 2012 22:00
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@yinepuhotep

Can you try a more recent scan than the 16th ?
According to the Advisory........there is no vulnerability if fully patched :-
http://secunia.com/advisories/product/4691/?task=a...

The vulnerability is shown in the following :-
http://secunia.com/advisories/47690/

Don't know when the patch was issued.....hope it helps.......regards,

yinepuhotep RE: False Positive on cURL64 Still Appears
Member 20th Feb, 2012 23:03
Score: 0
Posts: 15
User Since: 7th Feb 2008
System Score: 92%
Location: US
Just finished re-scanning my system.

The problem is not the scan. The problem is that PSI is telling me to update to a version of cURL that does not exist. As you can see from the information I pasted from the official cURL website, the most recent version of cURL for Windows is the version that PSI detects installed on my system. Until a cURL developer updates the Windows version to the version that PSI wants me to install, PSI will continue to register a false positive whenever it scans cURL.

MY suggestion is that the PSI libraries should ONLY register the most recent up date FOR WINDOWS. It does not matter if there is a more recent version for LINUX, when the WINDOWS version has not been updated to match. PSI should not be telling people to install software that DOES NOT EXIST.
mogs RE: False Positive on cURL64 Still Appears
Expert Contributor 20th Feb, 2012 23:14
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
The only thing I can suggest you do if a Secunia official doesn't pick up on this thread in the morning...is to e-mail Support direct with the details/info..
Sorry I can't be of more help.........regards,

yinepuhotep RE: False Positive on cURL64 Still Appears
Member 20th Feb, 2012 23:24
Score: 0
Posts: 15
User Since: 7th Feb 2008
System Score: 92%
Location: US
Thanks.

I've been trying to get someone from Secunia to respond for 3 weeks now, ever since it first appeared on my scan results. They locked my original thread, but didn't respond in any way, and you're the only person to respond otherwise, yet I've seen several posts regarding cURL. I'd LOVE it if the Windows version of cURL matched what PSI wants me to do, but it's just not happening. Not yet, anyway.
mogs RE: False Positive on cURL64 Still Appears
Expert Contributor 21st Feb, 2012 05:53
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@yinepuhotep

Worth remembering perhaps, for future reference, is that you can apply for a locked thread to be opened by mailing Support with the URL of .
I've already e-mailed them and asked for this thread to be looked at.

Hope it helps.........regards,

E.Jeppesen RE: False Positive on cURL64 Still Appears
Secunia Official 21st Feb, 2012 13:22
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Please perform a full system rescan with the Secunia PSI and let us know if the issue has now been solved.
yinepuhotep RE: False Positive on cURL64 Still Appears
Member 22nd Feb, 2012 13:33
Score: 0
Posts: 15
User Since: 7th Feb 2008
System Score: 92%
Location: US
System scan completed, PSI still claims that I should update to a version of cURL that DOES NOT EXIST.

The problem is not one of questioning whether the vulnerability listed exists. The problem is that PSI advises upgrading to a software package that DOES NOT EXIST.

cURL 7.23.1 IS the most recent version of cURL for Windows - 32 OR 64 bit. PSI continues to insist that I upgrade to 7.24 -- a version of cURL that DOES NOT EXIST for WINDOWS. Unless you're trying to tell me I should install a Linux package in Windows, your program is giving bad advice. This has been going on since the vulnerability first appeared, at least 3 weeks ago. I reported this problem then, and instead of addressing the problem, my post was locked so no one could reply to it. If I had known I could email Secunia directly with a request that the post be looked into, maybe this would have been addressed 3 weeks ago. I don't know.

Still, the problem still exists. PSI still insists that I update to a version of cURL that DOES NOT EXIST in WINDOWS.
yinepuhotep RE: False Positive on cURL64 Still Appears
Member 22nd Feb, 2012 13:35
Score: 0
Posts: 15
User Since: 7th Feb 2008
System Score: 92%
Location: US
on 21st Feb, 2012 05:53, mogs wrote:
@yinepuhotep

Worth remembering perhaps, for future reference, is that you can apply for a locked thread to be opened by mailing Support with the URL of .
I've already e-mailed them and asked for this thread to be looked at.

Hope it helps.........regards,


Thanks for the advice. You've given me a ray of hope in this situation. Maybe the Secunia folks will pay attention to your message.
E.Jeppesen RE: False Positive on cURL64 Still Appears
Secunia Official 23rd Feb, 2012 10:59
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
The advice you get from the PSI is the advice taken directly from the vendor of the software you have installed on your computer. For cURL 7.x you are currently advised to update to version 7.24.0.

Our advisory for cURL 7.x also refers you to these original advisories from the vendor:
http://curl.haxx.se/docs/adv_20120124.html
http://curl.haxx.se/docs/adv_20120124B.html

Quote: “Upgrade to curl and libcurl 7.24.0”

If the vendor does not provide a way for you to update to the new version, despite recommending that you do so, then please contact them for further assistance.

Please note that threads on the community are auto-locked after 7 days of inactivity.
yinepuhotep RE: False Positive on cURL64 Still Appears
Member 25th Feb, 2012 20:29
Score: 0
Posts: 15
User Since: 7th Feb 2008
System Score: 92%
Location: US
So, if I am to understand correctly, Secunia does not verify a vendor's recommendations, you just copy and forward them, whether they apply to the system in question or not? In this case, the recommendation is perfectly applicable (finally!) to Win32, but is still inapplicable to Win64. So, the recommendation would be appropriate to forward to Win32 users, but it does no good for Win64 users. It could, in fact, lead to a "cry wolf" scenario with Win64 users.
mogs RE: False Positive on cURL64 Still Appears
Expert Contributor 25th Feb, 2012 22:01
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@yinepuhotep

Hello again !
It's unlikely Support will reply much before Monday....meanwhile....I wondered if you could help me confirm my reading of the issue ?
In the vendor's own Advisories there is an admission of the vulnerabilities.....it's surely good that Secunia psi has detected ?
Tho' it may be verified that no patch is available for Win 64 (patches only available for those items coloured yellow )......there are other recommendations in their advisories......
4. RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to curl and libcurl 7.24.0

B - Apply this patch and rebuild libcurl

http://curl.haxx.se/curl-dont-insert-empty-fragmen...

C - Rebuild curl with another SSL library

D - Change the option within your application by using the
CURLOPT_SSL_CTX_FUNCTION callback


Anything other than the 7.24.0 patch tho', will not prevent psi from detecting the prog as insecure ? Have I got it right?

yinepuhotep RE: False Positive on cURL64 Still Appears
Member 27th Feb, 2012 00:43
Score: 0
Posts: 15
User Since: 7th Feb 2008
System Score: 92%
Location: US
That's the way I'm reading it. If I were a developer, and so had all the necessary tools for building the recommended patch, it appears that Secunia would still read my copy of cURL as insecure, solely because I don't have the 7.24 version.
mogs RE: False Positive on cURL64 Still Appears
Expert Contributor 27th Feb, 2012 20:57
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@yinepuhotep

It looks very much as tho' all you can do is contact the vendor for advice/info and enquire as to whether there's any intention of them providing a patch for Win 64 at some time.

Support's position is quite clear in the statement :-

If the vendor does not provide a way for you to update to the new version, despite recommending that you do so, then please contact them for further assistance.

Good luck in your efforts......regards,

Anthony Wells RE: False Positive on cURL64 Still Appears
Expert Contributor 27th Feb, 2012 23:03
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 27th Feb, 2012 23:09
Hi ,

Just to clarify that your assumption is correct in that the PSI is not capable/designed to detect if a "workaround" has been applied/installed or not ; so the 64 bit version would/will continue to show as insecure until a patch is made available .

At least you know that now and can take the appropriate action.

Take care

Anthony

EDIT :PS: Secunia will do everything they consider relevant to check , confirm and "if necessary" test for themselves a publicly notified vulnerability .

--


It always seems impossible until its done.
Nelson Mandela
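To make the thread's conclusion concrete, here is an added example (not Secunia's or curl's code) that models the version-only check E.Jeppesen and Anthony Wells describe: it parses a constructed report laid out like the PSI output in the first post, compares each instance's file version with the 7.24.0 fix version from the curl advisory, and overlays a locally kept record of applied workarounds (advisory options B to D) that the scanner itself cannot see. The function names, the report text and the file paths are assumptions made for this example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed version named in the vendor advisory quoted in the thread (curl 7.24.0).
FIXED_VERSION: Tuple[int, ...] = (7, 24, 0)

# Constructed sample laid out like the PSI report in the first post (paths made up).
SAMPLE_REPORT = """\
Program Name:
cURL 7.x (64-bit)

Instances Found:
C:\\tools\\curl-win64\\curl.exe, version: 7.23.1.0
C:\\build\\curl-patched\\curl.exe, version: 7.23.1.0
"""
INSTANCE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?), version: (?P<ver>[\d.]+)$")

class Instance(NamedTuple):
    path: str
    version: Tuple[int, ...]

def parse_version(text: str) -> Tuple[int, ...]:
    """'7.23.1.0' -> (7, 23, 1, 0); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))

def parse_instances(report: str) -> List[Instance]:
    """Collect path/version pairs listed under 'Instances Found:'."""
    found, in_section = [], False
    for line in report.splitlines():
        if line.strip() == "Instances Found:":
            in_section = True
            continue
        match = INSTANCE_RE.match(line.strip()) if in_section else None
        if match:
            found.append(Instance(match["path"], parse_version(match["ver"])))
    return found

def scanner_verdict(inst: Instance) -> str:
    """All a version-only check can decide: is (major, minor, patch) at or
    above the fixed version? A rebuilt or source-patched 7.23.1 still reads 7.23.1."""
    return "secure" if inst.version[:3] >= FIXED_VERSION else "insecure"

def local_verdict(inst: Instance, workarounds: Dict[str, str]) -> str:
    """Overlay a locally kept record of applied workarounds (advisory options
    B-D) on the scanner's verdict; the scanner itself never sees this record."""
    if scanner_verdict(inst) == "secure":
        return "secure"
    if inst.path in workarounds:
        return "mitigated: " + workarounds[inst.path]
    return "insecure"
```

The scanner's finding stays "insecure" for every 7.23.1 binary; only the local record distinguishes a patched build from an untouched one, which is the gap the thread ends on.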
