oss-sec mailing list archives

[SECURITY ADVISORY] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy


From: Daniel Stenberg <daniel () haxx se>
Date: Mon, 20 Mar 2023 08:26:06 +0100 (CET)

CVE-2023-27534: SFTP path ~ resolving discrepancy
=================================================

Project curl Security Advisory, March 20th 2023 -
[Permalink](https://curl.se/docs/CVE-2023-27534.html)

VULNERABILITY
-------------

curl supports SFTP transfers. curl's SFTP implementation offers a special
feature in the path component of URLs: a tilde (`~`) character as the first
path element denotes a path relative to the user's home directory. This is
supported because of wording in the [IETF
draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04)
that was once proposed to become the RFC dictating how SFTP URLs work.

Due to a bug, the tilde handling in SFTP paths did not only replace the tilde
when it was used stand-alone as the first path element, but wrongly also when
it was merely a prefix of the first element.

Using a path like `/~2/foo` when accessing a server using the user `dan` (with
home directory `/home/dan`) would then quite surprisingly access the file
`/home/dan2/foo`.

This can be taken advantage of to circumvent filtering or worse.

We are not aware of any exploit of this flaw.
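
As an added illustration (not curl's own code), the affected and the corrected tilde resolution side by side, with a small helper that a URL path filter could use to check what a given path actually resolves to. It assumes the user `dan` with home `/home/dan` from the example above, and assumes that the corrected handling passes every non-matching path through unchanged; curl's real fix is in the commit linked below.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration of the tilde handling described above; not curl's code.
   Both resolvers take the path part of an sftp:// URL ("/~/foo", "/~2/foo")
   plus the user's home directory and write the remote path into out.
   They return 0 on success, -1 if out is too small. */
static int emit(char *out, size_t outlen, const char *a, const char *b)
{
    int n = snprintf(out, outlen, "%s%s", a, b);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Affected behaviour: any first element that merely starts with '~' has the
   '~' replaced, so "/~2/foo" turns into "<home>2/foo". */
int resolve_tilde_affected(const char *path, const char *home, char *out, size_t outlen)
{
    if (path[0] == '/' && path[1] == '~')
        return emit(out, outlen, home, path + 2);
    return emit(out, outlen, path, "");
}

/* Corrected behaviour: replace only when the first element is exactly "~",
   i.e. "/~" is followed by end of string or '/'. Other paths pass through
   unchanged (an assumption; curl's actual fix is in the linked commit). */
int resolve_tilde_fixed(const char *path, const char *home, char *out, size_t outlen)
{
    if (path[0] == '/' && path[1] == '~' && (path[2] == '\0' || path[2] == '/'))
        return emit(out, outlen, home, path + 2);
    return emit(out, outlen, path, "");
}

/* Returns 1 if fn resolves path under home to exactly expected, else 0. */
int resolves_to(int (*fn)(const char *, const char *, char *, size_t),
                const char *path, const char *home, const char *expected)
{
    char buf[256];
    return fn(path, home, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *home = "/home/dan";   /* constructed user from the advisory */
    const char *paths[] = { "/~", "/~/foo", "/~2/foo", "/~dan/x" };
    char a[256], f[256];
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++) {
        resolve_tilde_affected(paths[i], home, a, sizeof a);
        resolve_tilde_fixed(paths[i], home, f, sizeof f);
        printf("%-9s affected: %-16s fixed: %s\n", paths[i], a, f);
    }
    return 0;
}
```

A filter that allowlists `/~/` prefixes on the URL path is bypassed under the affected behaviour: `/~2/foo` never matches the allowlist yet still lands inside `/home/dan2`, which is why checking the resolved path rather than the raw URL matters.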

INFO
----

CVE-2023-27534 was introduced in [commit
ba6f20a244](https://github.com/curl/curl/commit/ba6f20a244), shipped in curl
7.18.0.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.18.0 to and including 7.88.1
- Not affected versions: curl < 7.18.0 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A [fix for CVE-2023-27534](https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a) is available.

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 8.0.0

 B - Apply the patch to your local version

 C - Avoid using tilde in SFTP URL paths.

TIMELINE
--------

This issue was reported to the curl project on March 5, 2023. We contacted
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20, 2023, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Harry Sintonen
- Patched-by: Daniel Stenberg

Thanks a lot!

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
