Bug#1107902: bookworm-pu: package curl/7.88.1-10+deb12u13
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: curl@packages.debian.org
Control: affects -1 + src:curl
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
During bookworm's development, 7.88.1-7 picked up a patch from upstream
to fix [CVE-2023-27534] which made the handling of tilde (~) way more
strict in sftp mode and caused a regression when trying to list the home
directory with sftp://host/~ which simply would not work at all.
Upstream released an [initial fix] but it was incomplete and a [second
patch] was required to make the previous behaviour work. Both patches
have been cherry-picked for this p-u.
[ Impact ]
Users won't be able to use sftp://host/~ to list the home directory and
will need to use sftp://host/~/ for that.
[ Tests ]
The full automated upstream's test suite and our own autopkgtests have
run and passed against this p-u version. Additionally, I have manually
checked the behaviour using sftp://host/~/, sftp://host/~ and
sftp://host/~/file to make sure things are working as intended.
[ Risks ]
The changes are pretty trivial and have been approved and merged
upstream. Beyond that, the code in bookworm's version is pretty similar
to the latest upstream version and cherry-picking worked without
conflicts. As a final point, this fix has also been backported and
released in LTS too for a few days now without any regressions reported.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable (see [ Other info ])
[ Changes ]
Cherry-picked 2 patches from upstream and I was the author of the last
one that actually fixed the regression. I'll quote myself since the bug
report filed against upstream's BTS [#17534] was very detailed:
> In 4e2b52b, sftp handling of ~ was restricted to sftp://url/~/ to fix
> CVE-2023-27534.
>
> A bit later, #11001 was opened to report a regression because
> previously sftp://url/~ listed the home dir but now it wasn't working.
>
> Then 91b53ef fixed it by resolving /~ to /home/<user>, but as far as I
> could test (bookworm's, trixie's and sid's versions), it actually
> doesn't work at all.
>
> After debugging things with gdb, the problem is Curl_getworkingpath
> returning /home/<user> for the first case and /home/<user>/ for the
> second. Later in the code (in ssh_statemachine), it inspects the last
> char of sshp->path to decide if it's going to SSH_SFTP_READDIR_INIT or
> SSH_SFTP_DOWNLOAD_INIT. As you might have guessed by now, for the /~
> case, it tries to download /home/<user> and things fail.
[ Other info ]
Currently the patch to fix the regression is waiting for an RT unblock to be
uploaded to unstable [#1107751], but I have manually verified 8.14.1-2
fixes the regression.
Cheers,
Charles
[CVE-2023-27534]: https://security-tracker.debian.org/CVE-2023-27534
[initial fix]: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
[second patch]: https://github.com/curl/curl/commit/0ede81dcc61844cecce8904fb4de24319afeb024
[#17534]: https://github.com/curl/curl/issues/17534
[#1107751]: https://bugs.debian.org/1107751
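To make the three states of the ~ handling described above concrete, here is an added example in C. It is not curl's code and not part of this bug report: a toy model of the tilde expansion in Curl_getworkingpath() in its three historical variants (CVE fix only, first upstream patch, both patches), plus the trailing-slash test that the report says ssh_statemachine uses to choose between a listing and a download. The variant enum, the helper names and the "/home/user" home directory are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not libcurl code: a toy model of the SFTP "~"
 * expansion in Curl_getworkingpath() in its three historical states, plus
 * the trailing-slash check ssh_statemachine uses to pick READDIR or
 * DOWNLOAD.  "homedir" stands in for the directory the SFTP server
 * reports; enum and helper names are this example's, not libcurl's. */

enum tilde_variant {
    CVE_FIX_ONLY,   /* after 4e2b52b: only a "/~/" prefix is expanded   */
    FIRST_PATCH,    /* after 91b53ef: "/~" expands, no separator added  */
    BOTH_PATCHES    /* after 0ede81d: "/~" expands to homedir + "/"     */
};

/* Returns a malloc'd path: the expanded form, or a copy of working_path
 * when the variant does not expand it.  NULL only on allocation failure. */
char *expand_sftp_tilde(const char *working_path, const char *homedir,
                        enum tilde_variant v)
{
    size_t wlen = strlen(working_path);
    size_t hlen = strlen(homedir);
    int exact_tilde = !strcmp("/~", working_path);
    int tilde_subpath = (wlen > 2) && !memcmp(working_path, "/~/", 3);
    char *out;
    size_t n;

    if(!tilde_subpath && !(exact_tilde && v != CVE_FIX_ONLY)) {
        /* not expanded: the server is left to interpret the path verbatim */
        out = malloc(wlen + 1);
        if(out)
            memcpy(out, working_path, wlen + 1);
        return out;
    }

    out = malloc(hlen + wlen + 2);            /* homedir + '/' + rest + NUL */
    if(!out)
        return NULL;
    memcpy(out, homedir, hlen);
    n = hlen;

    if(tilde_subpath) {
        /* copy a separating '/' only if homedir does not already end with one */
        size_t copyfrom = (hlen && homedir[hlen - 1] != '/') ? 2 : 3;
        memcpy(out + n, working_path + copyfrom, wlen - copyfrom);
        n += wlen - copyfrom;
    }
    else if(v == BOTH_PATCHES) {
        out[n++] = '/';                       /* the second patch's unconditional "/" */
    }
    out[n] = '\0';
    return out;
}

/* The state-machine decision described in the report: a path ending in '/'
 * goes to SSH_SFTP_READDIR_INIT, anything else to SSH_SFTP_DOWNLOAD_INIT. */
const char *sftp_next_state(const char *path)
{
    size_t len = strlen(path);
    return (len && path[len - 1] == '/') ? "SSH_SFTP_READDIR_INIT"
                                         : "SSH_SFTP_DOWNLOAD_INIT";
}

/* Convenience check: 1 if the variant yields the expected path and state. */
int tilde_case_ok(const char *working_path, const char *homedir,
                  enum tilde_variant v, const char *want_path,
                  const char *want_state)
{
    char *p = expand_sftp_tilde(working_path, homedir, v);
    int ok = p && !strcmp(p, want_path) && !strcmp(sftp_next_state(p), want_state);
    free(p);
    return ok;
}

int main(void)
{
    static const char *inputs[] = { "/~", "/~/", "/~/file" };
    static const enum tilde_variant variants[] = { CVE_FIX_ONLY, FIRST_PATCH, BOTH_PATCHES };
    for(size_t i = 0; i < 3; i++) {
        for(size_t j = 0; j < 3; j++) {
            char *p = expand_sftp_tilde(inputs[i], "/home/user", variants[j]);
            printf("variant %d  %-8s -> %-16s %s\n", (int)variants[j], inputs[i],
                   p ? p : "(oom)", p ? sftp_next_state(p) : "-");
            free(p);
        }
    }
    return 0;
}
```

Running it shows the regression chain in one table: with the CVE fix alone, /~ is passed through untouched; with the first patch it becomes /home/user and is treated as a file download; only with both patches does it become /home/user/ and reach the directory listing. The model also shows why the trailing-slash check in the "/~/" branch matters: a server-reported home directory that already ends in "/" would otherwise produce a doubled separator.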
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog 2025-03-09 07:45:45.000000000 -0300
+++ curl-7.88.1/debian/changelog 2025-06-16 20:56:01.000000000 -0300
@@ -1,3 +1,11 @@
+curl (7.88.1-10+deb12u13) bookworm; urgency=medium
+
+ * Team upload.
+ * debian/patches/fix-CVE-2023-27534-regression-{1,2}.patch: add patches from
+ upstream to restore sftp://host/~ behaviour.
+
+ -- Carlos Henrique Lima Melara <charlesmelara@riseup.net> Mon, 16 Jun 2025 20:56:01 -0300
+
curl (7.88.1-10+deb12u12) bookworm; urgency=medium
* d/p/runtests.pl-Increase-variance-of-random-seed-used-for-tes: Fix test
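Review bot: the new changelog entry names the two patch files but not what they fix; since the patch headers carry Bug: https://github.com/curl/curl/issues/11001 and https://github.com/curl/curl/issues/17534, a short pointer to the upstream issue (and to CVE-2023-27534 as the change that regressed) in the entry itself would let someone tracing the sftp://host/~ behaviour find it from apt-listchanges without opening the patches.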
diff -Nru curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch
--- curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch 2025-06-16 20:54:40.000000000 -0300
@@ -0,0 +1,68 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 25 Apr 2023 13:06:01 +0200
+Subject: curl_path: bring back support for SFTP path ending in /~
+
+libcurl used to do a directory listing for this case (even though the
+documentation says a URL needs to end in a slash for this), but
+4e2b52b5f7a3 modified the behavior.
+
+This change brings back a directory listing for SFTP paths that are
+specified exactly as /~ in the URL.
+
+Reported-by: Pavel Mayorov
+Fixes #11001
+Closes #11023
+
+Origin: upstream, https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
+Bug: https://github.com/curl/curl/issues/11001
+Last-Update: 2025-06-09
+---
+ lib/curl_path.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index 977e533..b4b48fe 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -62,24 +62,27 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+ }
+ }
+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
+- (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+- size_t len;
+- const char *p;
+- int copyfrom = 3;
++ (!strcmp("/~", working_path) ||
++ ((working_path_len > 2) && !memcmp(working_path, "/~/", 3)))) {
+ if(Curl_dyn_add(&npath, homedir)) {
+ free(working_path);
+ return CURLE_OUT_OF_MEMORY;
+ }
+- /* Copy a separating '/' if homedir does not end with one */
+- len = Curl_dyn_len(&npath);
+- p = Curl_dyn_ptr(&npath);
+- if(len && (p[len-1] != '/'))
+- copyfrom = 2;
+-
+- if(Curl_dyn_addn(&npath,
+- &working_path[copyfrom], working_path_len - copyfrom)) {
+- free(working_path);
+- return CURLE_OUT_OF_MEMORY;
++ if(working_path_len > 2) {
++ size_t len;
++ const char *p;
++ int copyfrom = 3;
++ /* Copy a separating '/' if homedir does not end with one */
++ len = Curl_dyn_len(&npath);
++ p = Curl_dyn_ptr(&npath);
++ if(len && (p[len-1] != '/'))
++ copyfrom = 2;
++
++ if(Curl_dyn_addn(&npath,
++ &working_path[copyfrom], working_path_len - copyfrom)) {
++ free(working_path);
++ return CURLE_OUT_OF_MEMORY;
++ }
+ }
+ }
+
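Review bot: the new `!strcmp("/~", working_path)` arm leaves npath equal to homedir with no trailing slash, because the inner `if(working_path_len > 2)` block, the only place a separator is appended, is skipped for a two-character path. Given the analysis above that ssh_statemachine keys READDIR versus DOWNLOAD off the last character of sshp->path, this hunk on its own makes sftp://host/~ attempt a download of /home/<user> rather than a listing; an else branch that appends "/" (guarded by the same "homedir does not already end in '/'" check used for copyfrom) is needed in this block, which is what the second patch in this debdiff supplies.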
diff -Nru curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch
--- curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch 2025-06-16 20:54:40.000000000 -0300
@@ -0,0 +1,33 @@
+From: Carlos Henrique Lima Melara <charlesmelara@riseup.net>
+Date: Thu, 5 Jun 2025 14:29:06 +0200
+Subject: curl_path: make SFTP handle a path like /~ properly.
+
+... without a trailing slash.
+
+Fixes #17534
+Closes #17542
+
+Origin: upstream, https://github.com/curl/curl/commit/0ede81dcc61844cecce8904fb4de24319afeb024
+Bug: https://github.com/curl/curl/issues/17534
+Last-Update: 2025-06-09
+---
+ lib/curl_path.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index b4b48fe..db66fb0 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -84,6 +84,12 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ }
++ else {
++ if(Curl_dyn_add(&npath, "/")) {
++ free(working_path);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
+ }
+
+ if(Curl_dyn_len(&npath)) {
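Review bot: the new else branch adds "/" unconditionally, whereas the sibling branch just above first checks whether npath (i.e. homedir) already ends in '/' before copying a separator; a server that reports its home directory with a trailing slash will therefore get "/home/<user>//" here. Suggest mirroring that guard, e.g. `if(len && (p[len-1] != '/'))` around the Curl_dyn_add, or stating in the patch header that the doubled separator is known to be harmless for SFTP.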
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series 2025-03-09 07:45:45.000000000 -0300
+++ curl-7.88.1/debian/patches/series 2025-06-16 20:54:40.000000000 -0300
@@ -65,6 +65,9 @@
# Fix test issues with port clashes, now each build has a different random seed.
runtests.pl-Increase-variance-of-random-seed-used-for-tes.patch
+fix-CVE-2023-27534-regression-1.patch
+fix-CVE-2023-27534-regression-2.patch
+
# Do not add patches below.
# Used to generate packages for the other crypto libraries.
90_gnutls.patch