Your message dated Sat, 22 Mar 2025 15:23:26 +0000
with message-id 
<772uz6ncnhsmkg6akmtsiastdmcmgpugwsjvh5envavoax2g3u@5t7oge5vzpqz>
and subject line Re: Bug#1095258: curl: Curl insecure default SSH behavior when .ssh/known_hosts is missing
has caused the Debian Bug report #1095258,
regarding curl: Curl insecure default SSH behavior when .ssh/known_hosts is missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1095258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095258
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: curl
Version: 7.88.1-10+deb12u8
Severity: important
Tags: patch upstream

The curl package is currently in breach of the "secure by default" Debian policy.

When I launch curl without a ~/.ssh/known_hosts file, curl will connect to any host
without any host identity validation, rather than refusing the connection as expected.

Here's how to demonstrate the issue:

$ mv ~/.ssh/known_hosts ~/.ssh/known_hosts.backup
$ curl -u bob:hunter2 sftp://target.invalid/file

After testing restore the previous known_hosts file:
$ mv ~/.ssh/known_hosts.backup ~/.ssh/known_hosts

Due to a curl logic flaw the connection is established to the target.invalid host
without validating the host identity. Anyone in a privileged network position is able
to spoof the SSH server. The impact is quite serious, as the malicious server can:

1. In case of download send malicious content back
2. In case of upload capture the uploaded content
3. Steal the username & password (if password auth is used)

I expect the curl command to fail if the host identity cannot be validated.

The issue is described in detail here:
https://sintonen.fi/advisories/curl-ssh-insufficient-host-identity-verification.txt
or: https://www.openwall.com/lists/oss-security/2025/02/05/4

A proposed patch to fix this issue is:

---8<---
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 007a5e054..52e10a5f5 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1170,14 +1170,13 @@ static CURLcode config2setopts(struct GlobalConfig 
*global,
         /* new in curl 7.19.6 */
         result = res_setopt_str(curl, CURLOPT_SSH_KNOWNHOSTS, known);
         curl_free(known);
-        if(result == CURLE_UNKNOWN_OPTION)
-          /* libssh2 version older than 1.1.1 */
-          result = CURLE_OK;
-        if(result)
-          return result;
       }
-      else
+      else {
         warnf(global, "Couldn't find a known_hosts file");
+        result = res_setopt_str(curl, CURLOPT_SSH_KNOWNHOSTS, "");
+      }
+      if(result)
+        return result;
     }
   }
 
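Review bot: the hunk drops the `CURLE_UNKNOWN_OPTION` tolerance (`/* libssh2 version older than 1.1.1 */`) together with the early return in the found-file branch, so a curl tool built against an SSH backend that does not know `CURLOPT_SSH_KNOWNHOSTS` now fails the transfer instead of continuing as before; the change should state whether that stricter behaviour is intended, because it applies to the existing-file path as well as to the new else branch. Second, the new `result = res_setopt_str(curl, CURLOPT_SSH_KNOWNHOSTS, "");` appears to rely on libcurl treating an empty path as a known_hosts file that cannot be opened, so that every host key is rejected; that fail-closed intent is not written down anywhere in the hunk, and a one-line comment beside the call would stop a later reader from "fixing" it back. Along the same line, `warnf(global, "Couldn't find a known_hosts file");` still reads as a mere warning although the transfer is now going to be refused; the message should tell the user that the host cannot be verified and that the transfer will fail (and how to supply a host key instead).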
---8<---

-- System Information:
Debian Release: 12.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-28-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages curl depends on:
ii  libc6     2.36-9+deb12u9
ii  libcurl4  7.88.1-10+deb12u8
ii  zlib1g    1:1.2.13.dfsg-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information

--- End Message ---
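For a system whose curl still has the behaviour shown in the report above (Debian stable will keep it until the next major release, per the maintainer's reply), the following is an added example of a fail-closed wrapper; it is not part of the bug report, of upstream curl, or of Debian's curl packaging. It refuses to run curl for sftp:// or scp:// URLs unless a known_hosts file is readable or a host key pin was passed on the command line. `--hostpubsha256` and `--hostpubmd5` are real curl options (whether a given build honours them depends on its SSH backend); the function names, the `KNOWN_HOSTS_FILE` override and the sample invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report, upstream curl or Debian's packaging):
# a fail-closed guard for curl's SSH-based schemes on a system whose curl
# still connects without host identity checks when ~/.ssh/known_hosts is
# missing. The guard only inspects the command line and the file system;
# KNOWN_HOSTS_FILE (an assumption of this example) may override the default
# path so the check can be exercised without touching a real ~/.ssh.

# curl_ssh_guard ARGS...: exit status 0 when curl may run with these
# arguments, 1 when the call would proceed with no host identity check.
curl_ssh_guard() {
    guard_known_hosts="${KNOWN_HOSTS_FILE:-$HOME/.ssh/known_hosts}"
    guard_uses_ssh=0
    guard_pinned=0
    for guard_arg in "$@"; do
        case "$guard_arg" in
            # Only the SSH-backed schemes fall back to an unverified host.
            sftp://*|scp://*) guard_uses_ssh=1 ;;
            # A host key pin (real curl options) verifies the host key
            # without consulting known_hosts.
            --hostpubsha256|--hostpubmd5) guard_pinned=1 ;;
        esac
    done
    if [ "$guard_uses_ssh" -eq 0 ]; then
        return 0
    fi
    if [ "$guard_pinned" -eq 1 ]; then
        return 0
    fi
    # When the file exists curl uses it, and a host that is not listed in it
    # is rejected; the reported problem is only the missing-file case.
    if [ -r "$guard_known_hosts" ]; then
        return 0
    fi
    echo "curl_ssh_guard: no known_hosts file at $guard_known_hosts and no host key pin; refusing to run curl" >&2
    return 1
}

# safe_curl ARGS...: run curl only when the guard passes. Example use
# (constructed, mirrors the report): safe_curl -u bob:hunter2 sftp://target.invalid/file
safe_curl() {
    curl_ssh_guard "$@" || return 1
    curl "$@"
}
```

The guard deliberately treats an existing but empty known_hosts file as acceptable: in that case curl does consult the file and rejects the unknown host itself, so the wrapper only has to cover the missing-file gap. Users who would rather pin a single server can pass `--hostpubsha256` with the server's key hash and skip known_hosts entirely; the guard lets that through.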
--- Begin Message ---
Version: 8.13.0~rc2-1

Upstream fix is present on 8.13.0:
https://github.com/curl/curl/commit/e1b3d46944890cd2c1e3eef8d75d292ab0411e35

I don't plan to backport this to stable to reduce the chance of breakage for a
user that expects the old behavior. Even though the old behavior is bad, it's
not bad enough to risk breaking them on a point release; it's better to make
the change between major Debian releases.

Users who are concerned about this issue can reply here and I could change my
mind, but they can also use curl from the backports repository, which we will
update with the fix in the next few weeks (the fixed version is currently RC).

Thank you,

--
Samuel Henrique <samueloph>

--- End Message ---