The bug fixed in cURL 8.4.0 (CVE-2023-38545) is a nasty one, but it seems rather harmless in our context.

First of all, if you don’t use socks5, this issue should be irrelevant. (But do your own research. Source code is there for you to freely study, modify, compile.)

According to the blog, the bug could be exploited only if a socks5 proxy user is tricked into resolving a crazy long hostname (~1024 characters+), which sounds unlikely; except if your direct peer is evil, they might be able to send you a crazy long hostname instead of a numeric IP… maybe? However, if you’re on socks5 proxy, the attacker can’t see your real IP to begin with, so they can’t attack you (I think).

The only attack vector my stupid head can think of is: if for some reason you use both clear connections and socks5 connections, then a lucky attacker who notices your behavior can hit your real IP when you’re on Tor, using your wallet address as an identifier. (Tor exit nodes are public, so they know someone is on Tor.) Even then, maybe the worst thing that could happen is that your p2pool crashes due to buffer overrun.
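A defender-side check in the spirit of the post above, as an added example that is not part of this thread, p2pool or cURL: before a peer-supplied address is handed to a SOCKS5 proxy with remote name resolution, accept numeric IPs and refuse hostnames that exceed the DNS limits (RFC 1035, 253 characters, 63 per label) and therefore also the SOCKS5 wire limit (RFC 1928 ATYP 0x03, one length octet, 255 bytes). The function names, the request builder and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
import struct

SOCKS5_MAX_DOMAIN = 255   # RFC 1928: domain name length is a single octet
DNS_MAX_HOSTNAME = 253    # RFC 1035: practical limit for a full hostname
# One DNS label: 1-63 chars, alphanumeric at both ends, hyphens inside.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_peer_address(host: str) -> str:
    """Classify an address received from a peer: 'ip', 'hostname' or 'reject'."""
    try:
        ipaddress.ip_address(host)
        return "ip"                     # numeric IPv4/IPv6, nothing to resolve
    except ValueError:
        pass
    name = host.rstrip(".")             # tolerate a single trailing dot
    if not name or len(name) > DNS_MAX_HOSTNAME:
        return "reject"                 # oversized name, never send it onward
    if not all(_LABEL_RE.match(label) for label in name.split(".")):
        return "reject"                 # empty, too-long or malformed label
    return "hostname"


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928) for a validated address.

    A domain name is encoded behind ATYP 0x03 with one length octet, so a
    name longer than 255 bytes has no valid encoding; the DNS limit enforced
    by classify_peer_address() keeps every accepted name well below that.
    """
    kind = classify_peer_address(host)
    if kind == "reject":
        raise ValueError("refusing malformed or oversized hostname from peer")
    if kind == "ip":
        ip = ipaddress.ip_address(host)
        atyp = b"\x01" if ip.version == 4 else b"\x04"
        addr = atyp + ip.packed
    else:
        raw = host.rstrip(".").encode("ascii")
        assert len(raw) <= SOCKS5_MAX_DOMAIN   # guaranteed by the 253 limit
        addr = b"\x03" + bytes([len(raw)]) + raw
    # VER=5, CMD=CONNECT, RSV=0, then address and big-endian port.
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)
```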

  • shortwavesurfer@monero.town · 1 year ago

    I have been on 3.7 for like a week or so now and all is running well. The picks are breaking blocks and taking names. Lol

    • Saki@monero.town (OP) · 1 year ago

      It’s an old bug in cURL, not specific to p2pool v3.7. Every version is affected.

      I think it’s harmless in reality. We can safely keep using the current version, especially if you don’t use Socks5. It’ll be fixed in the next release (3.7.1? 3.8?), though.