
Bug#1107902: marked as done (bookworm-pu: package curl/7.88.1-10+deb12u13)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1107902,
regarding bookworm-pu: package curl/7.88.1-10+deb12u13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107902: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107902
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: curl@packages.debian.org
Control: affects -1 + src:curl
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

During bookworm's development, 7.88.1-7 picked up a patch from upstream
to fix [CVE-2023-27534] which made the handling of tilde (~) way more
strict in sftp mode and caused a regression when trying to list the home
directory with sftp://host/~ which simply would not work at all.

Upstream released an [initial fix] but it was incomplete and a [second
patch] was required to make the previous behaviour work. Both patches
have been cherry-picked for this p-u.

[ Impact ]

Users won't be able to use sftp://host/~ to list the home directory and
will need to use sftp://host/~/ for that.

[ Tests ]

Upstream's full automated test suite and our own autopkgtests have
run and passed against this p-u version. Additionally, I have manually
checked the behaviour using sftp://host/~/, sftp://host/~ and
sftp://host/~/file to make sure things are working as intended.

[ Risks ]

The changes are pretty trivial and have been approved and merged
upstream. Beyond that, the code in bookworm's version is pretty similar
to the latest upstream version and cherry-picking worked without
conflicts. As a final point, this fix has also been backported and
released in LTS too for a few days now without any regressions reported.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable (see [ Other info ])

[ Changes ]

Cherry-picked 2 patches from upstream and I was the author of the last
one that actually fixed the regression. I'll quote myself since the bug
report filed against upstream's BTS [#17534] was very detailed:

> In 4e2b52b, sftp handling of ~ was restricted to sftp://url/~/ to fix
> CVE-2023-27534.
> 
> A bit later, #11001 was opened to report a regression because
> previously sftp://url/~ listed the home dir but now it wasn't working.
> 
> Then 91b53ef fixed it by resolving /~ to /home/<user>, but as far as I
> could test (bookworm's, trixie's and sid's versions), it actually
> doesn't work at all.
> 
> After debugging things with gdb, the problem is Curl_getworkingpath
> returning /home/<user> for the first case and /home/<user>/ for the
> second. Later in the code (in ssh_statemachine), it inspects the last
> char of sshp->path to decide if it's going to SSH_SFTP_READDIR_INIT or
> SSH_SFTP_DOWNLOAD_INIT. As you might have guessed by now, for the /~
> case, it tries to download /home/<user> and things fail.

[ Other info ]

Currently the patch to fix the regression is waiting for an RT unblock to be
uploaded to unstable [#1107751], but I have manually verified 8.14.1-2
fixes the regression.

Cheers,
Charles

[CVE-2023-27534]: https://security-tracker.debian.org/CVE-2023-27534
[initial fix]: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
[second patch]: https://github.com/curl/curl/commit/0ede81dcc61844cecce8904fb4de24319afeb024
[#17534]: https://github.com/curl/curl/issues/17534
[#1107751]: https://bugs.debian.org/1107751
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog	2025-03-09 07:45:45.000000000 -0300
+++ curl-7.88.1/debian/changelog	2025-06-16 20:56:01.000000000 -0300
@@ -1,3 +1,11 @@
+curl (7.88.1-10+deb12u13) bookworm; urgency=medium
+
+  * Team upload.
+  * debian/patches/fix-CVE-2023-27534-regression-{1,2}.patch: add patches from
+    upstream to restore sftp://host/~ behaviour.
+
+ -- Carlos Henrique Lima Melara <charlesmelara@riseup.net>  Mon, 16 Jun 2025 20:56:01 -0300
+
 curl (7.88.1-10+deb12u12) bookworm; urgency=medium
 
   * d/p/runtests.pl-Increase-variance-of-random-seed-used-for-tes: Fix test
diff -Nru curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch
--- curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-1.patch	2025-06-16 20:54:40.000000000 -0300
@@ -0,0 +1,68 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 25 Apr 2023 13:06:01 +0200
+Subject: curl_path: bring back support for SFTP path ending in /~
+
+libcurl used to do a directory listing for this case (even though the
+documentation says a URL needs to end in a slash for this), but
+4e2b52b5f7a3 modified the behavior.
+
+This change brings back a directory listing for SFTP paths that are
+specified exactly as /~ in the URL.
+
+Reported-by: Pavel Mayorov
+Fixes #11001
+Closes #11023
+
+Origin: upstream, https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
+Bug: https://github.com/curl/curl/issues/11001
+Last-Update: 2025-06-09
+---
+ lib/curl_path.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index 977e533..b4b48fe 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -62,24 +62,27 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+     }
+   }
+   else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
+-          (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+-    size_t len;
+-    const char *p;
+-    int copyfrom = 3;
++          (!strcmp("/~", working_path) ||
++           ((working_path_len > 2) && !memcmp(working_path, "/~/", 3)))) {
+     if(Curl_dyn_add(&npath, homedir)) {
+       free(working_path);
+       return CURLE_OUT_OF_MEMORY;
+     }
+-    /* Copy a separating '/' if homedir does not end with one */
+-    len = Curl_dyn_len(&npath);
+-    p = Curl_dyn_ptr(&npath);
+-    if(len && (p[len-1] != '/'))
+-      copyfrom = 2;
+-
+-    if(Curl_dyn_addn(&npath,
+-                     &working_path[copyfrom], working_path_len - copyfrom)) {
+-      free(working_path);
+-      return CURLE_OUT_OF_MEMORY;
++    if(working_path_len > 2) {
++      size_t len;
++      const char *p;
++      int copyfrom = 3;
++      /* Copy a separating '/' if homedir does not end with one */
++      len = Curl_dyn_len(&npath);
++      p = Curl_dyn_ptr(&npath);
++      if(len && (p[len-1] != '/'))
++        copyfrom = 2;
++
++      if(Curl_dyn_addn(&npath,
++                       &working_path[copyfrom], working_path_len - copyfrom)) {
++        free(working_path);
++        return CURLE_OUT_OF_MEMORY;
++      }
+     }
+   }
+ 
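Review bot: In the new "/~" case of the widened condition, only homedir is appended, because the copy block is now guarded by if(working_path_len > 2), so the resolved path ends without a trailing slash. The request text says ssh_statemachine looks at the last character of sshp->path to choose between SSH_SFTP_READDIR_INIT and SSH_SFTP_DOWNLOAD_INIT, so this patch applied alone still does not produce a listing for sftp://host/~. Please say in the patch header that fix-CVE-2023-27534-regression-2.patch is required alongside it, so that it is not cherry-picked on its own later.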
diff -Nru curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch
--- curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/fix-CVE-2023-27534-regression-2.patch	2025-06-16 20:54:40.000000000 -0300
@@ -0,0 +1,33 @@
+From: Carlos Henrique Lima Melara <charlesmelara@riseup.net>
+Date: Thu, 5 Jun 2025 14:29:06 +0200
+Subject: curl_path: make SFTP handle a path like /~ properly.
+
+... without a trailing slash.
+
+Fixes #17534
+Closes #17542
+
+Origin: upstream, https://github.com/curl/curl/commit/0ede81dcc61844cecce8904fb4de24319afeb024
+Bug: https://github.com/curl/curl/issues/17534
+Last-Update: 2025-06-09
+---
+ lib/curl_path.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index b4b48fe..db66fb0 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -84,6 +84,12 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data,
+         return CURLE_OUT_OF_MEMORY;
+       }
+     }
++    else {
++      if(Curl_dyn_add(&npath, "/")) {
++        free(working_path);
++        return CURLE_OUT_OF_MEMORY;
++      }
++    }
+   }
+ 
+   if(Curl_dyn_len(&npath)) {
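Review bot: The new else branch appends "/" unconditionally, whereas the neighbouring branch (visible in regression-1) only copies a separator after checking p[len-1] != '/' on the buffer that holds homedir. If homedir already ends in a slash, the "/~" case will resolve to a path ending in "//". Consider reusing the same last-character check before the Curl_dyn_add(&npath, "/") call. Neither patch touches anything outside lib/curl_path.c, so the "/~" case has no automated test here and relies on the manual checks listed under [ Tests ].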
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series	2025-03-09 07:45:45.000000000 -0300
+++ curl-7.88.1/debian/patches/series	2025-06-16 20:54:40.000000000 -0300
@@ -65,6 +65,9 @@
 # Fix test issues with port clashes, now each build has a different random seed.
 runtests.pl-Increase-variance-of-random-seed-used-for-tes.patch
 
+fix-CVE-2023-27534-regression-1.patch
+fix-CVE-2023-27534-regression-2.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch
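Review bot: The two new entries are added without a comment line, while the entry just above carries one ("# Fix test issues with port clashes ..."). A short comment such as "# Restore sftp://host/~ listing after the CVE-2023-27534 fix." would keep the series file self-describing and make clear that the two patches belong together.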

--- End Message ---
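The behaviour described in the request above, as an added example that is not curl's code and not part of the original message: a simplified C model of how "/~", "/~/" and "/~/file" resolve in the three code states (strict CVE fix only, first patch, both patches) and how a last-character check then picks listing or download. The names resolve, is_listing, lists_home and the enum values are this example's own, and "/home/user" is a constructed home directory.

```c
#include <stdio.h>
#include <string.h>

/* The three code states described in the request (names are this example's). */
enum fix { STRICT_ONLY, PATCH1, PATCH1_AND_2 };

/* Simplified model of the SFTP "~" branch; returns 0 on success. */
static int resolve(enum fix lvl, const char *home, const char *in,
                   char *out, size_t outsz)
{
  int bare = !strcmp(in, "/~");
  int sub = strlen(in) > 2 && !memcmp(in, "/~/", 3);
  const char *rest = "";
  int n;
  if(sub) {
    /* keep the separating '/' from the URL path only if home lacks one */
    size_t hl = strlen(home);
    rest = in + ((hl && home[hl - 1] != '/') ? 2 : 3);
  }
  else if(bare && lvl == PATCH1_AND_2)
    rest = "/";   /* second patch: make the result look like a directory */
  else if(!bare || lvl == STRICT_ONLY)
    home = in;    /* no "~" expansion: path passes through unchanged */
  n = snprintf(out, outsz, "%s%s", home, rest);
  return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Model of the later choice: a trailing '/' lists, anything else downloads. */
static int is_listing(const char *path)
{
  size_t n = strlen(path);
  return n && path[n - 1] == '/';
}

/* 1 = directory listing, 0 = download attempt, -1 = buffer too small. */
static int lists_home(enum fix lvl, const char *url_path)
{
  char buf[256];
  if(resolve(lvl, "/home/user", url_path, buf, sizeof(buf)))
    return -1;
  return is_listing(buf);
}

int main(void)
{
  const char *paths[] = { "/~", "/~/", "/~/file" };
  for(int l = STRICT_ONLY; l <= PATCH1_AND_2; l++)
    for(int i = 0; i < 3; i++)
      printf("state %d  %-8s -> %s\n", l, paths[i],
             lists_home((enum fix)l, paths[i]) ? "list" : "download");
  return 0;
}
```

In this model only the PATCH1_AND_2 state turns "/~" into a listing; with the first patch alone the path resolves to the home directory without a trailing slash and is treated as a file to download.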
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
