HackerOne report H1:1892780

curl: CVE-2023-27535: FTP too eager connection reuse

2023-03-05 21:25:18 | nyymi | hackerone.com

5.9 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

2.6 Low (CVSS2)
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low, percentile 23.2%

Summary:

libcurl's FTP(S) code reuses an existing connection even when a different CURLOPT_FTP_ACCOUNT (libcurl) or --ftp-account (curl) is set for the new transfer and the server has requested account authentication via reply code 332. Because the account is sent (ACCT) only during login, the second transfer silently runs under the account the cached connection was authenticated with. STRING_FTP_ALTERNATIVE_TO_USER (the internal name of CURLOPT_FTP_ALTERNATIVE_TO_USER / --ftp-alternative-to-user) appears to be affected in the same way and should likewise cause connection reuse to be refused when it differs.

Steps To Reproduce:

  1. terminal 1: echo -e "foo\n" | nc -v -l -p 9998; echo -e "bar\n" | nc -v -l -p 9998
  2. terminal 2: echo -ne "220 a\n331 b\n332 c\n230 d\n257 \"/\"\n229 (|||9998|)\n200 e\n213 4\n150 f\n226 g\n229 (|||9998|)\n213 4\n150 f\n226 g\n" | nc -v -l -p 9999
  3. terminal 3: curl -v --ftp-account alice "ftp://ftp@server:9999/file1" -: --ftp-account bob "ftp://ftp@server:9999/file2"

Here `server` is the host running the two nc listeners: port 9999 plays the scripted FTP control channel (USER gets 331, PASS gets 332, so curl sends ACCT, then 230), and port 9998 plays the data channel announced by the EPSV replies. Only one login sequence is scripted, and it is sufficient: the connection authenticated with account alice is reused for file2, even though account bob was specified for that transfer.

Remediation

  • Don’t reuse a cached connection if CURLOPT_FTP_ACCOUNT or STRING_FTP_ALTERNATIVE_TO_USER differ from the values the connection was set up with; treat them as part of the connection identity, like user name and password.
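The following is an added example (not code from curl or from this report) modelling the behaviour described in the summary, the three-terminal reproduction and the remediation bullet. The scripted control-channel replies are constructed to mirror the nc dialogue above (331, then 332, then 230); the connection cache is a simplified model of a reuse check, not libcurl's own implementation, and the names `FtpOptions`, `ScriptedFtpServer`, `ConnectionCache` and `run` are assumptions for the example. With `check_ftp_identity=False` (the reported behaviour) the second transfer runs under alice's account; with `check_ftp_identity=True` (the proposed remediation) a new connection is opened and bob's account is used.

```python
"""Model of FTP connection reuse with and without CURLOPT_FTP_ACCOUNT /
CURLOPT_FTP_ALTERNATIVE_TO_USER in the reuse check (added example, not curl code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FtpOptions:
    """Per-transfer settings; the last two select a server-side identity
    but were not part of the connection-cache match in the vulnerable code."""
    host: str
    port: int
    user: str
    password: str
    ftp_account: Optional[str] = None   # CURLOPT_FTP_ACCOUNT / --ftp-account
    alt_to_user: Optional[str] = None   # CURLOPT_FTP_ALTERNATIVE_TO_USER / --ftp-alternative-to-user


class ScriptedFtpServer:
    """Control-channel stub: like the nc script in the report it answers USER with
    331, PASS with 332 (account required) and ACCT with 230."""
    def __init__(self) -> None:
        self.log: List[str] = []          # every command the server saw

    def handle(self, cmd: str) -> str:
        self.log.append(cmd)
        verb = cmd.split()[0]
        replies = {"USER": "331 b", "PASS": "332 c", "ACCT": "230 d", "RETR": "150 f"}
        return replies.get(verb, "200 e")


@dataclass
class FtpConnection:
    opts: FtpOptions
    server: ScriptedFtpServer
    authenticated_as: Optional[str] = None   # account sent in ACCT during login

    def login(self) -> None:
        reply = self.server.handle(f"USER {self.opts.user}")
        if reply.startswith("331"):
            reply = self.server.handle(f"PASS {self.opts.password}")
        if reply.startswith("332"):
            # ACCT is only ever sent here, at login time: whatever account this
            # connection logs in with is what every later reuse inherits.
            acct = self.opts.ftp_account or ""
            reply = self.server.handle(f"ACCT {acct}")
            self.authenticated_as = acct
        if not reply.startswith("230"):
            raise RuntimeError(f"login failed: {reply}")

    def retrieve(self, path: str) -> Optional[str]:
        """Fetch a path and report which account the transfer ran under."""
        self.server.handle(f"RETR {path}")
        return self.authenticated_as


class ConnectionCache:
    def __init__(self, server: ScriptedFtpServer, check_ftp_identity: bool) -> None:
        self.server = server
        self.check_ftp_identity = check_ftp_identity
        self.pool: List[FtpConnection] = []

    def _matches(self, conn: FtpConnection, opts: FtpOptions) -> bool:
        a, b = conn.opts, opts
        same = (a.host, a.port, a.user, a.password) == (b.host, b.port, b.user, b.password)
        if same and self.check_ftp_identity:
            # The remediation: account and alternative-to-user are part of the
            # identity the server authenticated, so they must match too.
            same = a.ftp_account == b.ftp_account and a.alt_to_user == b.alt_to_user
        return same

    def get(self, opts: FtpOptions) -> FtpConnection:
        for conn in self.pool:
            if self._matches(conn, opts):
                return conn                  # reuse without a new login
        conn = FtpConnection(opts, self.server)
        conn.login()
        self.pool.append(conn)
        return conn


# Constructed inputs mirroring terminal 3: same host/port/user, different account.
ALICE = FtpOptions("server", 9999, "ftp", "anonymous-password", ftp_account="alice")
BOB = FtpOptions("server", 9999, "ftp", "anonymous-password", ftp_account="bob")


def run(check_ftp_identity: bool) -> Tuple[Optional[str], Optional[str], int]:
    """Fetch file1 as alice then file2 as bob; return (account used for file1,
    account used for file2, number of connections opened)."""
    cache = ConnectionCache(ScriptedFtpServer(), check_ftp_identity)
    first = cache.get(ALICE).retrieve("file1")
    second = cache.get(BOB).retrieve("file2")
    return first, second, len(cache.pool)


if __name__ == "__main__":
    print("vulnerable reuse check:", run(False))   # file2 fetched as alice
    print("fixed reuse check:     ", run(True))    # file2 fetched as bob
```

The same `_matches` rule is what a fix in a real client needs: any option that changes the identity the server authenticated (account, alternative user) must be compared before a pooled connection is handed out, exactly as user name and password already are.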

Supporting Material/References:

Impact

Content on the FTP server is accessed under the cached credentials (account) of an earlier transfer rather than the ones specified for the current one.
