Windows OpenSSL engine code injection
=====================================

Project curl Security Advisory, June 24th 2019 -
[Permalink](https://curl.haxx.se/docs/CVE-2019-5443.html)

VULNERABILITY
-------------

A non-privileged user or program can put code and a config file in a known
non-privileged path (under `C:/usr/local/`) that will make curl automatically
run the code (as an openssl "engine") on invocation. If that curl is invoked
by a privileged user it can do anything it wants.

This flaw exists in the official curl-for-windows binaries built and hosted by
the curl project (all versions up to and including 7.65.1_1). It **does not**
exist in the curl executable shipped by Microsoft, bundled with Windows 10. It
possibly exists in other curl builds for Windows too that use OpenSSL.

The curl project has provided official curl executable builds for Windows
since [late August
2018](https://daniel.haxx.se/blog/2018/08/27/blessed-curl-builds-for-windows/).

Proof-of-concept exploits of this flaw exist.

INFO
----

This bug sneaked in partly due to insecure default build options in OpenSSL
when cross-compiled and partly due to a misleading commit message in the curl
commit that made it possible to disable this feature.

This bug does not exist in the curl or libcurl source code but in the scripts
for the Windows build.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2019-5443 to this issue.

CWE-94: Code Injection

Severity: High

AFFECTED VERSIONS
-----------------

Affected versions: all curl-for-windows downloads before **7.65.1_2**.

THE SOLUTION
------------

Replace your downloaded curl version on Windows with the updated download
package from the [curl site](https://curl.haxx.se/windows/).

The build fix for curl-for-win correcting this flaw is in [this
commit](https://github.com/curl/curl-for-win/commit/51b658a76594942cf1d6f227d8fc4732bb8ec277). It
completely disables curl's ability to load an OpenSSL config when invoked.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade to a fixed curl executable

 B - Remove the curl executable downloaded from curl.haxx.se and instead use
     the one shipped by Microsoft in Windows 10

TIMELINE
--------

The issue was reported to the curl project on June 12, 2019. The fix was done,
verified and communicated with the reporter on June 12, 2019.

While planning the release schedule of this advisory and coordinating with
other affected projects, we discovered that this exact flaw had already been
published and discussed in public before we were informed about it. A few
other OpenSSL-using projects on Windows also had already fixed their builds
for this exact problem. Realizing this, we switched gears and decided to
publish as soon as possible to minimize user impact.

curl 7.65.1_2 for Windows was uploaded and made available on June 21 2019 -
the older, vulnerable builds were removed from the site at the same time.

This advisory was posted on June 24th 2019.

CREDITS
-------

Reported by Rich Mirch. OpenSSL patch by Viktor Szakats.

Thanks a lot!
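The following triage script is an added example for administrators checking a Windows host against this advisory; it is not part of the curl project's advisory or of curl-for-win. It only applies the facts stated above: curl-for-windows downloads before 7.65.1_2 are affected, Microsoft's bundled curl (which does not use OpenSSL) is not, and other OpenSSL-linked Windows builds may be. Everything else is an assumption on my part: the staging root `C:\usr\local` is taken from the advisory's "under `C:/usr/local/`", the parsing of the first line of `curl -V` and the ACL heuristic are mine. One caveat the script encodes: `curl -V` reports only the upstream version (for example `7.65.1`), not the package suffix, so a 7.65.1 binary cannot be told apart as `_1` (vulnerable) or `_2` (fixed) from its output alone and is flagged for a manual check against where and when it was downloaded.

```powershell
# Added triage script for CVE-2019-5443 on a Windows host (not from the curl project).
# Assumptions, labelled: $StagingRoot comes from the advisory's "under C:/usr/local/";
# the -V regex and the "low-privilege writable" ACL heuristic are this script's own.

$StagingRoot = 'C:\usr\local'

function Get-CurlBuildInfo {
    param([Parameter(Mandatory)][string]$Path)
    # First line of `curl -V` looks like:
    #   curl 7.65.1 (x86_64-w64-mingw32) libcurl/7.65.1 OpenSSL/1.1.1c zlib/1.2.11 ...
    $first = & $Path -V 2>$null | Select-Object -First 1
    $m = [regex]::Match([string]$first, '^curl (\S+) \(([^)]+)\) libcurl/\S+(.*)$')
    if (-not $m.Success) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path        = $Path
        Version     = $m.Groups[1].Value
        Target      = $m.Groups[2].Value          # build triplet, or "Windows" for Microsoft's build
        UsesOpenSSL = $m.Groups[3].Value -match 'OpenSSL/'
        Signer      = $signer
    }
}

function Get-AdvisoryStatus {
    param([Parameter(Mandatory)]$Info)
    # The flaw is in OpenSSL config auto-loading, so a non-OpenSSL backend is out of scope.
    if (-not $Info.UsesOpenSSL) { return 'not affected: no OpenSSL backend' }
    $v = $null
    if (-not [version]::TryParse($Info.Version, [ref]$v)) { return 'unknown: unparseable version' }
    if ($v -gt [version]'7.65.1') { return 'fixed: newer than 7.65.1' }
    if ($v -eq [version]'7.65.1') {
        # -V does not show the package suffix; _1 is vulnerable, _2 (uploaded June 21 2019) is fixed.
        return 'check manually: 7.65.1_1 is vulnerable, 7.65.1_2 is fixed'
    }
    return 'AFFECTED if downloaded from curl.haxx.se; otherwise ask the vendor of this OpenSSL-linked build'
}

function Get-NearestExistingAncestor {
    # Walk up until a path exists; that directory's ACL decides who may create the staging root.
    param([string]$Path)
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p)) { $p = Split-Path -Path $p -Parent }
    return $p
}

function Get-LowPrivilegeAllowRules {
    # Heuristic: Allow rules for Users / Authenticated Users / Everyone carrying a write-ish right.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match 'Users$|Everyone$' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|CreateDirectories|AppendData'
    }
}

# 1. Every curl.exe on PATH. `curl.exe` is spelled out because in Windows PowerShell
#    the bare word `curl` is an alias for Invoke-WebRequest.
$exes = (Get-Command -Name curl.exe -All -ErrorAction SilentlyContinue).Source | Sort-Object -Unique
foreach ($exe in $exes) {
    $info = Get-CurlBuildInfo -Path $exe
    if ($null -eq $info) { Write-Warning "$exe did not answer -V like curl"; continue }
    $info | Add-Member -NotePropertyName Status -NotePropertyValue (Get-AdvisoryStatus -Info $info) -PassThru
}

# 2. The staging path. If it does not exist yet, the question is whether an ordinary user
#    could create it, which the deepest existing ancestor's ACL answers.
$anchor = Get-NearestExistingAncestor -Path $StagingRoot
"`nStaging root $StagingRoot exists: $(Test-Path -LiteralPath $StagingRoot); ACL checked at: $anchor"
Get-LowPrivilegeAllowRules -Path $anchor |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize

if (Test-Path -LiteralPath $StagingRoot) {
    # Anything already staged there deserves a look, config files and DLLs in particular.
    Get-ChildItem -LiteralPath $StagingRoot -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it in an elevated PowerShell so `Get-Acl` and `Get-ChildItem` are not blocked by permissions on the staging path. A result of `check manually` for a 7.65.1 binary means going back to the download date: the fixed 7.65.1_2 package went up on June 21 2019 and the vulnerable builds were pulled at the same time, so anything fetched from curl.haxx.se before that day should be replaced. The ACL listing at the nearest existing ancestor is the part that usually surprises people: on a default Windows installation the root of the system drive lets authenticated users create folders, which is exactly why a non-privileged account can materialise `C:\usr\local` in the first place.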