Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
[SECURITY ADVISORY] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 20 Mar 2023 08:26:06 +0100 (CET)
CVE-2023-27534: SFTP path ~ resolving discrepancy
=================================================
Project curl Security Advisory, March 20th 2023 -
[Permalink](https://curl.se/docs/CVE-2023-27534.html)
VULNERABILITY
-------------
curl supports SFTP transfers. curl's SFTP implementation offers a special
feature in the path component of URLs: a tilde (`~`) character as the first
path element in the path to denotes a path relative to the user's home
directory. This is supported because of wording in the [once proposed
to-become RFC
draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04)
that was to dictate how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did however not only
replace it when it is used stand-alone as the first path element but also
wrongly when used as a mere prefix in the first element.
Using a path like `/~2/foo` when accessing a server using the user `dan` (with
home directory `/home/dan`) would then quite surprisingly access the file
`/home/dan2/foo`.
This can be taken advantage of to circumvent filtering or worse.
We are not aware of any exploit of this flaw.
INFO
Date: Mon, 20 Mar 2023 08:26:06 +0100 (CET)
CVE-2023-27534: SFTP path ~ resolving discrepancy
=================================================
Project curl Security Advisory, March 20th 2023 -
[Permalink](https://curl.se/docs/CVE-2023-27534.html)
VULNERABILITY
-------------
curl supports SFTP transfers. curl's SFTP implementation offers a special
feature in the path component of URLs: a tilde (`~`) character as the first
path element in the path to denotes a path relative to the user's home
directory. This is supported because of wording in the [once proposed
to-become RFC
draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04)
that was to dictate how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did however not only
replace it when it is used stand-alone as the first path element but also
wrongly when used as a mere prefix in the first element.
Using a path like `/~2/foo` when accessing a server using the user `dan` (with
home directory `/home/dan`) would then quite surprisingly access the file
`/home/dan2/foo`.
This can be taken advantage of to circumvent filtering or worse.
We are not aware of any exploit of this flaw.
INFO
---- CVE-2023-27534 was introduced in [commit ba6f20a244](https://github.com/curl/curl/commit/ba6f20a244), shipped in curl 7.18.0. CWE-22: Improper Limitation of a Pathname to a Restricted Directory Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.18.0 to and including 7.88.1 - Not affected versions: curl < 7.18.0 and curl >= 8.0.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ A [fix for CVE-2023-27534](https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a) RECOMMENDATIONS -------------- A - Upgrade curl to version 8.0.0 B - Apply the patch to your local version C - Avoid using tilde in SFTP URL paths. TIMELINE -------- This issue was reported to the curl project on March 5, 2023. We contacted distros_at_openwall on March 13, 2023. curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Harry Sintonen - Patched-by: Daniel Stenberg Thanks a lot! -- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2023-03-20