The maintainers of the curl library have released version 8.0.0, which addresses six security vulnerabilities, including an authentication bypass in the way that the library handles FTP connections.
The release of libcurl 8.0.0 coincides with the 25th anniversary of the initial release of the tool, which is used in countless projects and apps. Most of the vulnerabilities fixed in this version are relatively low severity, with the authentication bypass being the most serious of the six. That bug (CVE-2023-27535) derives from the fact that libcurl reused FTP connections.
“libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials,” the advisory says.
“libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily.”
Among the other vulnerabilities patched in the new version is a bug (CVE-2023-27538) that is nearly identical to an older one related to SSH connections that had been fixed previously, but that fix was incomplete.
“libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse,” the advisory says.
“libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.”
There is also a vulnerability related to the implementation of SFTP in curl that can allow an attacker to get around filtering.
“Curl’s SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user’s home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element,” the advisory says.
“Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse.”
Users should upgrade to version 8.0.0 to protect against these flaws.