CVE-2023-27534

Name	CVE-2023-27534
Description	A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3763-1, ELA-1068-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	jessie, jessie (lts)	7.38.0-4+deb8u28	vulnerable
	stretch (security)	7.52.1-5+deb9u16	vulnerable
	stretch (lts), stretch	7.52.1-5+deb9u22	fixed
	buster, buster (lts)	7.64.0-4+deb10u10	fixed
	buster (security)	7.64.0-4+deb10u9	fixed
	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u14	fixed
	bookworm	7.88.1-10+deb12u8	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	sid, trixie	8.11.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
curl	source	stretch	7.52.1-5+deb9u21	ELA-1068-1
curl	source	buster	7.64.0-4+deb10u9	DLA-3763-1
curl	source	bullseye	7.74.0-1.3+deb11u8
curl	source	(unstable)	7.88.1-7

Notes

https://curl.se/docs/CVE-2023-27534.html
Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0)
Fixed by: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 (curl-8_0_0)
Regression fix: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 (curl-8_1_0)
[jessie] - curl <no-dsa> (Minor issue)