
Bug#657445: marked as done (openssh-server: Forced Command handling leaks private information to ssh clients)



Your message dated Tue, 21 Feb 2012 19:17:11 +0000
with message-id <E1RzvD5-0007et-Cm@franck.debian.org>
and subject line Bug#657445: fixed in openssh 1:5.5p1-6+squeeze2
has caused the Debian Bug report #657445,
regarding openssh-server: Forced Command handling leaks private information to ssh clients
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
657445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.5p1-6+squeeze1
Severity: normal


The handling of multiple forced commands in ~/.ssh/authorized_keys leaks
information about other configured forced commands to the user. This
affects tools like gitolite, which makes heavy use of forced commands
(For gitolite, this bug means: A user can obtain some or all usernames 
 with access to the same gitolite setup by just using the verbose
 switch of his ssh client, which is a really nasty thing).

Example: 
 
 User "bbu" on machine "ptx" has three configured forced commands for
 keys test{1,2,3}_rsa.pub:

 command="/usr/bin/first_command" ssh-rsa [...third_key...]
 command="/usr/bin/second_command" ssh-rsa [...second_key...]
 command="/usr/bin/third_command" ssh-rsa [...third_key...]

 Now, if the user of test1_rsa.pub uses the "-v" switch of
 his ssh client, he gets just his command:

 foo@bar:~/ssh_debug$ ssh -i test1_rsa -v bbu@ptx 2>&1 | grep Forced\ command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/first_command

 but the user of test2_rsa.pub sees two commands:

 foo@bar:~/ssh_debug$ ssh -i test2_rsa -v bbu@ptx 2>&1 | grep Forced\ command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command

 and for user of test3_rsa.pub:

 bbu@elara:~/ssh_debug$ ssh -i test3_rsa -v bbu@ptx 2>&1 | grep Forced\ command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command
 debug1: Remote: Forced command: /usr/bin/third_command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command
 debug1: Remote: Forced command: /usr/bin/third_command


-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  debconf [debconf-2. 1.5.36.1             Debian configuration management sy
ii  dpkg                1.15.8.11            Debian package management system
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libpam-modules      1.1.1-6.1+squeeze1   Pluggable Authentication Modules f
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libselinux1         2.0.96-1             SELinux runtime shared libraries
ii  libssl0.9.8         0.9.8o-4squeeze7     SSL shared libraries
ii  libwrap0            7.6.q-19             Wietse Venema's TCP wrappers libra
ii  lsb-base            3.2-23.2squeeze1     Linux Standard Base 3.2 init scrip
ii  openssh-blacklist   0.4.1                list of default blacklisted OpenSS
ii  openssh-client      1:5.5p1-6+squeeze1   secure shell (SSH) client, for sec
ii  procps              1:3.2.8-9            /proc file system utilities
ii  zlib1g              1:1.2.3.4.dfsg-3     compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information excluded



--- End Message ---
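The report above describes two things a server operator would want to check: how many forced commands an authorized_keys file carries (the exposure set), and whether a given sshd still discloses other keys' commands in the verbose output the reporter grepped. The following Python is an added example, not code from the bug report, Debian or OpenSSH. It assumes the unpatched behaviour is exactly what the reporter observed (the key on line N of authorized_keys is shown the forced commands of lines 1..N) and that the client prints the server's messages as `debug1: Remote: Forced command: <cmd>`; the authorized_keys content and the ssh -v transcript are constructed samples, and the key blobs are placeholders.

```python
"""Audit helpers for the forced-command disclosure in #657445 / CVE-2012-0814."""
import re
from typing import Dict, List, Optional

# Key types that may start an authorized_keys line with no options field.
# Approximation of sshd, which first tries to read a key and only then treats
# the leading field as options.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample authorized_keys (gitolite style: one forced command per key).
SAMPLE_AUTHORIZED_KEYS = """\
# key blobs below are placeholders, not real keys
command="/usr/bin/first_command" ssh-rsa AAAAB3Nz...key1 test1
command="/usr/bin/second_command",no-port-forwarding ssh-rsa AAAAB3Nz...key2 test2
no-pty,command="/usr/bin/third \\"quoted\\" command" ssh-rsa AAAAB3Nz...key3 test3
ssh-rsa AAAAB3Nz...key4 unrestricted
"""


def _end_of_options(line: str) -> int:
    """Index of the first unquoted blank, honouring \\" escapes inside quotes."""
    i, quoted = 0, False
    while i < len(line) and (quoted or line[i] not in " \t"):
        if line[i] == "\\" and i + 1 < len(line) and line[i + 1] == '"':
            i += 2  # escaped quote: skip both characters
            continue
        if line[i] == '"':
            quoted = not quoted
        i += 1
    return i


def split_options(options: str) -> List[str]:
    """Split on commas outside quotes; drop the quotes and unescape \\" inside them."""
    out: List[str] = []
    cur: List[str] = []
    quoted, i = False, 0
    while i < len(options):
        c = options[i]
        if quoted and c == "\\" and i + 1 < len(options) and options[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """One dict per key line: keytype, comment, options list, command (or None)."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPES):
            opts, rest = [], line
        else:
            cut = _end_of_options(line)
            opts, rest = split_options(line[:cut]), line[cut:].strip()
        fields = rest.split(None, 2)
        if len(fields) < 2:
            continue  # not a key line sshd would accept
        command: Optional[str] = next(
            (o[len("command="):] for o in opts if o.startswith("command=")), None)
        entries.append({"keytype": fields[0], "comment": fields[2] if len(fields) > 2 else "",
                        "options": opts, "command": command})
    return entries


def exposure_unpatched(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Forced commands an unpatched sshd reveals to each key: those of every line up
    to and including its own, which is what the report's test1..test3 runs show."""
    seen: List[str] = []
    exposure: Dict[str, List[str]] = {}
    for e in entries:
        if e["command"] is not None:
            seen.append(str(e["command"]))
        exposure[str(e["comment"])] = list(seen)
    return exposure


FORCED_RE = re.compile(r"^debug\d: Remote: Forced command: (.+)$")


def leaked_commands(ssh_verbose_output: str) -> List[str]:
    """Distinct forced commands the server disclosed, first-seen order (the report
    shows each one twice; duplicates are collapsed here)."""
    seen: List[str] = []
    for line in ssh_verbose_output.splitlines():
        m = FORCED_RE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def foreign_commands(ssh_verbose_output: str, own_command: str) -> List[str]:
    """Disclosed commands belonging to other keys; non-empty means the server still
    behaves like the pre-squeeze2 sshd described in the report."""
    return [c for c in leaked_commands(ssh_verbose_output) if c != own_command]


# Constructed transcript modelled on the report's test2_rsa run; lines other than
# the "Forced command" ones are typical ssh -v context, not captured output.
SAMPLE_SSH_V = """\
debug1: Offering public key: test2_rsa
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
debug1: Authentication succeeded (publickey).
"""

if __name__ == "__main__":
    for comment, cmds in exposure_unpatched(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)).items():
        print(f"{comment}: an unpatched sshd would disclose {cmds}")
    print("other keys' commands seen by test2:",
          foreign_commands(SAMPLE_SSH_V, "/usr/bin/second_command"))
```

Run against a real file and a real `ssh -v` capture, `exposure_unpatched` tells you what each key on an unpatched server (1:5.5p1-6+squeeze1 and earlier) could read about the other keys, and `foreign_commands` returning an empty list after the 1:5.5p1-6+squeeze2 update confirms that the server no longer sends the command text in that debug message, as the changelog entry for CVE-2012-0814 states.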
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-6+squeeze2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
openssh-client_5.5p1-6+squeeze2_i386.deb
  to main/o/openssh/openssh-client_5.5p1-6+squeeze2_i386.deb
openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
openssh-server_5.5p1-6+squeeze2_i386.deb
  to main/o/openssh/openssh-server_5.5p1-6+squeeze2_i386.deb
openssh_5.5p1-6+squeeze2.debian.tar.gz
  to main/o/openssh/openssh_5.5p1-6+squeeze2.debian.tar.gz
openssh_5.5p1-6+squeeze2.dsc
  to main/o/openssh/openssh_5.5p1-6+squeeze2.dsc
ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
ssh-krb5_5.5p1-6+squeeze2_all.deb
  to main/o/openssh/ssh-krb5_5.5p1-6+squeeze2_all.deb
ssh_5.5p1-6+squeeze2_all.deb
  to main/o/openssh/ssh_5.5p1-6+squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 657445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Feb 2012 02:23:55 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.5p1-6+squeeze2
Distribution: stable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 657445
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Changes: 
 openssh (1:5.5p1-6+squeeze2) stable; urgency=high
 .
   * CVE-2012-0814: Don't send the actual forced command in a debug message,
     which allowed remote authenticated users to obtain potentially sensitive
     information by reading these messages (closes: #657445).
Checksums-Sha1: 
 89b5aedc4dfb5e2876df5fa40c3313b5b572d9ed 2557 openssh_5.5p1-6+squeeze2.dsc
 ceb108f0b33ff4e5c167fc0eb41c93ea22cfebbc 233367 openssh_5.5p1-6+squeeze2.debian.tar.gz
 3d094e8dcbdcaf571185bf15518818b27f205189 881778 openssh-client_5.5p1-6+squeeze2_i386.deb
 5319802d08acc7b0725f0816d267aa043bc446ea 298402 openssh-server_5.5p1-6+squeeze2_i386.deb
 dfb2c8660b4700e4fcac8df396273202d5397714 1250 ssh_5.5p1-6+squeeze2_all.deb
 ec6d537e0cc11e2d2bc76b81ca68d0254e2bd5fc 95606 ssh-krb5_5.5p1-6+squeeze2_all.deb
 6423d75f63c93835533f33a7947b6d4f58a8dba9 103596 ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
 8395bf68345197de9daf9349ac9666e2454b7185 195664 openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
 46d371ac35ee44238b63fb29d67d47971f159cba 218428 openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
Checksums-Sha256: 
 94c2efd5a2ab76c3e65ba69230c818da546d4e448ab225e4af3e82c48e041e55 2557 openssh_5.5p1-6+squeeze2.dsc
 ecb30b1e40ac3446c3e3e6ffade5fe85656f084fcce3116184ad06101679bee0 233367 openssh_5.5p1-6+squeeze2.debian.tar.gz
 48b9c646f9369c4518719cd6d84cdfa4271fff981d9e0f37ce900d730f6f8eda 881778 openssh-client_5.5p1-6+squeeze2_i386.deb
 9f188d713a59ba4d6d6606ba3f864be5b2e0cdf43d3a4293c076068ca26f9d56 298402 openssh-server_5.5p1-6+squeeze2_i386.deb
 91fa5c92e0c525d9bf679a8a3c35d539bf2f7db38c8e12c65eda21af3b630de0 1250 ssh_5.5p1-6+squeeze2_all.deb
 2e81af056cb303462f52d715fc30c1d76ab7b476ae6df52716ad67672209b538 95606 ssh-krb5_5.5p1-6+squeeze2_all.deb
 75c8f15fd4e2d0055cf83fe60195e3bcbdb1680ea4e451e04bae161a31f48e44 103596 ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
 7a3263a461dcd1d476479b351157b1bb86c1016da4e40261c200dcad07e80cb0 195664 openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
 28f77fbec04398525336d92d8d197f552b693c10e0da1568d104e7626e7ce785 218428 openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
Files: 
 ce639f805e5c7b07623bf4cc26f5782f 2557 net standard openssh_5.5p1-6+squeeze2.dsc
 c616a201b3e82a8eb3226eba13aa0016 233367 net standard openssh_5.5p1-6+squeeze2.debian.tar.gz
 d3eaaf434db099c4671d36c63ed55188 881778 net standard openssh-client_5.5p1-6+squeeze2_i386.deb
 53c5facf5e422739402d749ac81240ec 298402 net optional openssh-server_5.5p1-6+squeeze2_i386.deb
 5575f145bfab822a04cea7d9b0e6b093 1250 net extra ssh_5.5p1-6+squeeze2_all.deb
 37a3ffe077000eca4028719402e31320 95606 net extra ssh-krb5_5.5p1-6+squeeze2_all.deb
 40998f5446f65301e5cf1a2e4e8b5bcd 103596 gnome optional ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
 85a30bd06c6070ed5f434dc435348212 195664 debian-installer optional openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
 0051884bd9de85c5e276b72073ba6c67 218428 debian-installer optional openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----



--- End Message ---
