Effect of Curl 8.4.0 on OpenWRT

What will be the effect of the curl 8.4.0 release on OpenWrt releases? Will there be an update in OpenWrt as well?

Once it’s released, here is the process followed.

@RuralRoots
Thank you for your response.

I am fairly new to OpenWrt. Does this mean that, at some point, the OpenWrt team will release a version that has the issue fixed?

Technically speaking, there doesn't need to be any effect on OpenWrt and its release schedule. curl/libcurl is not preinstalled on any OpenWrt image, so it is, by default, not affected by bugs in libcurl at all.

As far as OpenWrt is concerned, curl/libcurl is 'just' a (very popular) user-installable addon package (although it is often a dependency of more complex addon packages), which can also be updated accordingly (push a fixed version to the package repos, let its users update it, done). Given the kind of special situation of upgrading packages on OpenWrt, it might be sensible to 'encourage' the package upgrade indirectly by providing new maintenance upgrade images, but there is no technical need to do so.

It will probably depend on how serious the issue really is (also in the context of its typical usages on OpenWrt) and how invasive the fixes are going to be (ABI changes, backportability). I would expect that fixed curl/libcurl packages will be provided relatively quickly for all maintained branches (so not 21.02.x and earlier, but anything more recent!), and upgrading those will fix the issue. If and when new maintenance releases will be provided then depends on the details (again, nothing inside the default images is using curl/libcurl, so updating the default images is not necessary; doing so just indirectly 'encourages' (~forces) users to re-install all their user-installed addon packages, including fixed versions of curl/libcurl).

3 Likes

@slh Thank you for the response. Yes, that makes sense. If I am not wrong, packages are included in the packages repository, https://git.openwrt.org/feed/packages.git, which is specified in feeds.conf.default.

My assumption/understanding was that the package revisions are tied to the OpenWrt release. I would appreciate it if you could help me understand the process of updating the packages.

https://github.com/openwrt/packages/tree/master/net/curl is the (source) code you're looking for; you can toggle between the different branches on the top left-hand side of the GitHub web interface (to switch branches). Keep in mind that the buildbots will need some time to actually pick up the changes.

1 Like

This applies only to core packages. Anything that is not built in comes from downloading the ipk... And those versions are updated by backports, and we have a buildbot that recompiles the updated packages.

So those who care about security updates would just `opkg update` and upgrade the library.

2 Likes
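The two posts above describe the practical remedy (curl/libcurl is an addon package, so a fixed version is obtained with `opkg update` plus an upgrade of the library). The script below is an added example, not code from the thread or from the OpenWrt project: it reads `opkg list-installed` style output, compares the installed libcurl/curl version against the fixed upstream version, and only then prints the upgrade command. The package names `libcurl4` and `curl`, the version format `8.3.0-1` (upstream version, dash, OpenWrt package release) and the sample listing are assumptions; the sample is constructed, not captured from a real device, and is used whenever `opkg` is not on the PATH.

```sh
#!/bin/sh
# Added example (not from the thread or the OpenWrt project).
# Decide whether the installed libcurl on an OpenWrt box predates the curl 8.4.0
# fix and, only if it does, print the opkg upgrade to run.

# Compare two dotted versions numerically; prints -1, 0 or 1.
# The "-N" OpenWrt package-release suffix (e.g. "8.3.0-1") is stripped first.
# Assumes purely numeric components (no "rc1" etc.).
vercmp() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                  # leading component of each
        [ "$a" = "$x" ] && a= || a=${a#*.}      # drop it (empty when none left)
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}                    # missing component counts as 0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Extract the version of package $1 from "opkg list-installed" output on stdin.
# That output is one "name - version" line per package; prints nothing if absent.
installed_version() {
    awk -v pkg="$1" '$1 == pkg && $2 == "-" { print $3; exit }'
}

# True (exit 0) when installed version $1 is older than fixed version $2.
needs_upgrade() {
    [ "$(vercmp "$1" "$2")" -lt 0 ]
}

# Constructed sample of "opkg list-installed" output (assumption, not a real device).
SAMPLE='base-files - 1533-r23497-6637af95aa
libcurl4 - 8.3.0-1
curl - 8.3.0-1
libc - 1.2.4-4'

FIXED=8.4.0   # first upstream curl release with the fix, as discussed in the thread

main() {
    # On a real OpenWrt device use the live package list; fall back to the sample.
    if command -v opkg >/dev/null 2>&1; then
        list=$(opkg list-installed)
    else
        list=$SAMPLE
    fi
    for pkg in libcurl4 curl; do
        v=$(printf '%s\n' "$list" | installed_version "$pkg")
        if [ -z "$v" ]; then
            echo "$pkg: not installed (default images do not ship it)"
        elif needs_upgrade "$v" "$FIXED"; then
            echo "$pkg $v: older than $FIXED, run: opkg update && opkg upgrade $pkg"
        else
            echo "$pkg $v: already at or past $FIXED"
        fi
    done
}

main "$@"
```

Note that `opkg upgrade` on OpenWrt replaces the package in the overlay; the check is worth running again after a sysupgrade, since a new image does not carry user-installed packages across unless they are re-installed.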

Thank you @slh @Ansuel. I really appreciate your feedback. Thanks for clearing up my confusion.

1 Like

A note from a comment in another thread:

Is this the panic-famous issue?

To exploit this, an attacker would need to get the victim to connect through a malicious SOCKS5 proxy server

…so lots of panicking about a component that is not installed by default, which can be updated by the user via opkg, and for a scenario that involves connecting via a rogue SOCKS proxy, and we are basically talking about headless, non-interactively used devices.

Thanks @lleachii .

That's right @Pico

People read RCE and automatically think it's full rip. It would be useful for privilege escalation, though.

1 Like