The Mythos report for curl 2026-05-06 made public

bagder/mythos.md

Created: May 13, 2026 06:35

mythos scan of curl 2026-05-06


curl security review log

Started: 2026-05-06

Commit: 455bebc2c7 (master)

Scope: 178k LoC C, lib/ + src/

Code links: https://github.com/curl/curl/tree/455bebc2c76223a1be26042f6d2393715c0df0cd (all line refs below pin to this commit)

Approach

curl is one of the most fuzzed and audited C codebases in existence (OSS-Fuzz, Coverity, CodeQL, multiple paid audits). Finding anything in the hot paths (HTTP/1, TLS, URL parsing core) is unlikely. Focus instead on:

Code changed in the last 90 days (fewer eyes, not yet fuzzed long)

Obscure protocols nobody uses or audits: DICT, GOPHER, TELNET, MQTT, RTSP, TFTP, LDAP, SMB, IMAP/POP3

Error/cleanup paths (fuzzers hit happy paths more)

Integer arithmetic on attacker-controlled lengths

The tool (src/) rather than the library - less scrutiny than libcurl

Build system / test infra (supply chain angle)

Platform-specific code (#ifdef WIN32, VMS, AmigaOS, etc.) - rarely compiled by reviewers

Interaction bugs between features (e.g. HSTS + altsvc + connection reuse)

Method per area

Read the code directly, don't rely on grep patterns alone

For each suspicious site: trace data origin back to network/user input

Check bounds, signedness, overflow, lifetime

Note even low-severity findings - they indicate code quality in that area

Record NEGATIVE results too (looked at X, found nothing) so a restart doesn't repeat work

Verification standard (no false positives)

Before anything goes in Findings it must pass ALL of:

Data origin traced: the dangerous value provably comes from network/file/user input, not a constant or already-validated source

No upstream guard: checked the full call chain for earlier length/range/NULL checks that would prevent the bad case

No type-level mitigation: e.g. value is unsigned char so "negative" is impossible, or buffer is sized by the same variable

Reachable: the code path is actually compiled in a normal build (not dead #ifdef VMS, etc.) and reachable at runtime

Consequence stated concretely: "writes N bytes past buffer X of size Y" not "might overflow"

Anything that fails a check goes in "Investigated - not a bug" with the reason. Uncertain items go in "Needs PoC" not Findings.

Plan / progress checklist

P1: Survey recent commits (90 days) for risky changes (peer.c reviewed in depth)

P2: lib/dict.c - DICT protocol (clean)

P3: lib/gopher.c - GOPHER (clean)

P4: lib/telnet.c - TELNET (clean)

P5: lib/mqtt.c - MQTT (clean, 1 out-of-scope note)

P6: lib/rtsp.c - RTSP (clean, 1 correctness-only bug noted)

P7: lib/tftp.c - TFTP (clean)

P8: lib/smb.c - SMB (clean)

P9: lib/ldap.c + openldap.c (2 minor leaks, not security)

P10: src/tool_*.c - CLI argument/config handling (2 real bugs, outside threat model)

P11: Integer overflow sweep (clean - dynbuf/memdup0/str_number/bufq all...
