CVE-2024-2379: libcurl skips the certificate verification for a QUIC connection under certain conditions, when...
6.3
Miggo AI
Root Cause Analysis
The vulnerability description states that libcurl skips certificate verification for QUIC connections with wolfSSL when an unknown/bad cipher or curve is used, because the error path accidentally skips verification and returns OK. The fixing commit aedbbdf18e689a5eee8dc396 modifies the curl_wssl_init_ctx function in lib/vquic/vquic-tls.c. Specifically, it adds assignments to the result variable (e.g., result = CURLE_BAD_FUNCTION_ARGUMENT;) in error handling blocks related to wolfSSL_CTX_set_cipher_list and wolfSSL_CTX_set1_groups_list. Before this fix, if these wolfSSL functions failed (which would happen with bad ciphers/curves), curl_wssl_init_ctx could still return CURLE_OK if no prior error had occurred within the function. This incorrect success indication would then lead to the rest of the connection setup proceeding with a faulty TLS configuration, causing the certificate verification to be bypassed. Therefore, curl_wssl_init_ctx is identified as the vulnerable function due to its flawed error propagation in these specific scenarios.
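To make the error-propagation flaw concrete, here is an added example that models the pre-fix and post-fix control flow described above. It is not curl's or wolfSSL's code: the `sim_*` functions are constructed stand-ins for `wolfSSL_CTX_set_cipher_list` and `wolfSSL_CTX_set1_groups_list` (returning 1 on success), and the `CURLE_*` values are assumed constants for the model only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the curl/wolfSSL values used in this model (not the
 * real headers): 0 models CURLE_OK, wolfSSL setters return 1 on success. */
enum { CURLE_OK = 0, CURLE_BAD_FUNCTION_ARGUMENT = 43 };
#define WOLFSSL_SUCCESS 1

/* Simulated wolfSSL_CTX_set_cipher_list: accepts only a tiny allow-list so a
 * bad cipher name reproduces the failing wolfSSL call. */
static int sim_set_cipher_list(const char *list) {
  static const char *known[] = {"TLS13-AES128-GCM-SHA256", "TLS13-AES256-GCM-SHA384"};
  for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
    if (strcmp(list, known[i]) == 0) return WOLFSSL_SUCCESS;
  return 0;
}

/* Simulated wolfSSL_CTX_set1_groups_list with one accepted group list. */
static int sim_set_groups_list(const char *list) {
  return strcmp(list, "X25519:P-256") == 0 ? WOLFSSL_SUCCESS : 0;
}

/* Model of the pre-fix flow: result already holds CURLE_OK when the setters
 * run, and the error blocks jump to out without changing it, so a rejected
 * cipher or curve is reported as success and setup continues. */
int init_ctx_vulnerable(const char *ciphers, const char *curves) {
  int result = CURLE_OK;
  if (ciphers && sim_set_cipher_list(ciphers) != WOLFSSL_SUCCESS) {
    fprintf(stderr, "failed to set ciphers\n");
    goto out;                      /* bug: result is still CURLE_OK */
  }
  if (curves && sim_set_groups_list(curves) != WOLFSSL_SUCCESS) {
    fprintf(stderr, "failed to set curves\n");
    goto out;                      /* bug: result is still CURLE_OK */
  }
out:
  return result;
}

/* Model of the fixed flow: each error block records the failure before leaving,
 * so the caller aborts the connection instead of continuing with a bad TLS setup. */
int init_ctx_fixed(const char *ciphers, const char *curves) {
  int result = CURLE_OK;
  if (ciphers && sim_set_cipher_list(ciphers) != WOLFSSL_SUCCESS) {
    fprintf(stderr, "failed to set ciphers\n");
    result = CURLE_BAD_FUNCTION_ARGUMENT;
    goto out;
  }
  if (curves && sim_set_groups_list(curves) != WOLFSSL_SUCCESS) {
    fprintf(stderr, "failed to set curves\n");
    result = CURLE_BAD_FUNCTION_ARGUMENT;
    goto out;
  }
out:
  return result;
}
```

The same input (an unknown cipher name) yields CURLE_OK from the vulnerable model and CURLE_BAD_FUNCTION_ARGUMENT from the fixed one, which is the whole difference the patch makes.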