
Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible

Hi Mike

I have had a look at this. First of all I do not think the CVE is completely fixed even with the additional patch. I also do not fully understand how 6111-2.patch is supposed to work. More about this below.
Let us give some example commands.

[1] scp host:/foobar/a* b
[2] scp host:a* b
[3] scp -r host /foobar/a* b
[4] scp -r host a* b

My understanding is that only case 1 is protected by 6111-1.patch.
6111-2.patch seems to protect against case 2.

But to my understanding we do not protect against 3 and 4. Am I missing something?

Anyway I have tried to see if I could reproduce the segfault. I do not know fully how you have tested it so I decided to copy the new code to a new test.c file and test different patterns.
The functionality as such seems to be working fine.

I did one change though to make it work. I changed xstrdup to strdup because I could not link against it for some reason. Could that be your problem too?

Essentially my test.c file looks like this:
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <bsd/stdlib.h>
#include <string.h>
#include <publib.h>
/* stand-in for OpenSSH's fatal(): print the message and exit, instead of
   aliasing it to sprintf(), which would write into the format string */
#define fatal(...) do { fprintf(stderr, __VA_ARGS__); exit(1); } while (0)

... the new functions code here ...

int testpattern(char* pattern) {
  char **patterns = NULL;
  size_t npatterns = 0;
  size_t i = 0;
  printf("==== Test pattern %s ====\n", pattern);
  brace_expand(pattern, &patterns, &npatterns);
  for (i = 0; i < npatterns; i++) {
    printf("Pattern %zu: %s\n", i, patterns[i]);
    free(patterns[i]);
  }
  free(patterns);
  return 0;
}

int main(int argc, char** argv) {
  int i;
  /* every command line argument is treated as one scp source pattern */
  for (i = 1; i < argc; i++)
    testpattern(argv[i]);
  return 0;
}

I could not reproduce the crash. How did you reproduce it?

Best regards

// Ola

On Fri, 8 Mar 2019 at 23:41, Mike Gabriel <sunweaver@debian.org> wrote:
Hi Colin, hi Debian LTS team,

On  Fr 01 Mär 2019 13:24:30 CET, Colin Watson wrote:

> And yes, it looks OK - I'll upload it to unstable shortly.

I have prepared a backport of this newly added patch [1] (see #923486 
for details) to openssh in Debian jessie LTS, but with that patch 
backported to openssh in Debian jessie, I get a segmentation fault 
whenever I copy something using the scp cmdline tool (I have of course 
backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).

I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7 
(in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.

The critical patch is CVE-2019-6111-2.patch. With that patch added I 
get segfaults with scp. Without that patch scp works, but is 
susceptible to the earlier mentioned exploit for CVE-2019-6111.

I am a bit lost here and would appreciate some ideas about what is 
going wrong here.

I will only be able to continue on this on Monday, but maybe someone 
else can offer some genuine input over the weekend. Will be much 



mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |