oss-sec mailing list archives
[SECURITY ADVISORY] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy
From: Daniel Stenberg <daniel () haxx se>
Date: Mon, 20 Mar 2023 08:26:06 +0100 (CET)
CVE-2023-27534: SFTP path ~ resolving discrepancy ================================================= Project curl Security Advisory, March 20th 2023 - [Permalink](https://curl.se/docs/CVE-2023-27534.html) VULNERABILITY ------------- curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed to-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite surprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse. We are not aware of any exploit of this flaw. INFO ---- CVE-2023-27534 was introduced in [commit ba6f20a244](https://github.com/curl/curl/commit/ba6f20a244), shipped in curl 7.18.0. CWE-22: Improper Limitation of a Pathname to a Restricted Directory Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.18.0 to and including 7.88.1 - Not affected versions: curl < 7.18.0 and curl >= 8.0.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ A [fix for CVE-2023-27534](https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a) RECOMMENDATIONS -------------- A - Upgrade curl to version 8.0.0 B - Apply the patch to your local version C - Avoid using tilde in SFTP URL paths. TIMELINE -------- This issue was reported to the curl project on March 5, 2023. We contacted distros@openwall on March 13, 2023. curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Harry Sintonen - Patched-by: Daniel Stenberg Thanks a lot! -- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html
Current thread:
- [SECURITY ADVISORY] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy Daniel Stenberg (Mar 20)