
Bug#873201: marked as done (openssh-client: command line parsing with -- between option and non-option arguments completely broken)



Your message dated Sun, 19 Nov 2017 10:53:14 +0000
with message-id <20171119105314.levny76spr4kx5xe@riva.ucam.org>
and subject line fixed in openssh 1:7.4p1-10+deb9u2
has caused the Debian Bug report #873201,
regarding openssh-client: command line parsing with -- between option and non-option arguments completely broken
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873201
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:7.5p1-7
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Debian maintainer,

I was intending to report this upstream, but, contrary to the documentation
     * [9]openssh-unix-dev@mindrot.org This is a public list and is open to posting from non-subscribed
       users.
on https://www.openssh.com/report.html the upstream mailing list is not
open for postings, as I got a rejection message…
> Posting by non-members to openssh-unix-dev@mindrot.org is currently
> disabled, sorry.
… so please forward this upstream, as is a package maintainer’s duty.

Original message follows:

-----cutting here may damage your screen surface-----
From: Thorsten Glaser <t.glaser@tarent.de>
Message-ID: <alpine.DEB.2.20.1708251545580.2732@tglase.lan.tarent.de>
To: openssh-unix-dev@mindrot.org
Date: Fri, 25 Aug 2017 15:57:47 +0200 (CEST)
Subject: command line parsing with -- between option and non-option arguments completely broken

Hi,

in the process of me fixing CVE-2017-12836 a user noticed a
problem with OpenSSH’s command line parsing.

I’ve verified these on OpenSSH 5.3 (MirBSD) and 7.5p1 (Debian).

So, to begin with, this command _should_ spawn xeyes:

$ ssh -oProxyCommand=xeyes vuxu.org

This command _could_ spawn xeyes on glibc systems, but
probably shouldn’t on POSIX or BSD systems:

$ ssh vuxu.org -oProxyCommand=xeyes

This command properly does not spawn xeyes but tries to
resolve “-oProxyCommand=xeyes” as hostname, correctly failing:

$ ssh -- -oProxyCommand=xeyes

This command *must not* spawn xeyes, but does:

$ ssh -- vuxu.org -oProxyCommand=xeyes

This instead must execute “-oProxyCommand=xeyes” as command
on the remote side.

Interestingly enough, this command works the same and also
mustn’t but also doesn’t:

$ ssh vuxu.org -- -oProxyCommand=xeyes

Now it gets completely weird, this doesn’t spawn xeyes either:

$ ssh -- vuxu.org -- -oProxyCommand=xeyes

This “should” execute “--” as command with “-oProxyCommand=xeyes”
as its first option on the remote site, but judging from the error
| mksh: ProxyCommand=xeyes: unknown option
it instead passes “-oProxyCommand=xeyes” as option to a shell on
the remote side.

I don’t do the security theatre, but this could perhaps be considered
missing command escaping on the remote side (passing what would be a
command as an option to the remote shell) in addition to completely
fucked up option parsing on the local side.

This was first reported by nickserv-auth’d user jn__ on #musl on
Freenode IRC, and leah2 forwarded it to me as current de-facto
maintainer of GNU CVS because I considered adding “--” between
option and nōn-option arguments sufficient for fixing the afore‐
mentioned CVE, judging this effective enough with normal command
line parsing rules (as in getopt(3) on OpenBSD) and given the
.Sx SYNOPSIS
in the ssh manpage.

bye,
//mirabilos

PS: Please keep me in Cc, I’m not subscribed to the list.
-----cutting here may damage your screen surface-----

Thanks!

PS: This affects cvs in wheezy, jessie and stretch but not sid.


-- System Information:
Debian Release: buster/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.11.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.116
ii  dpkg              1.18.24
ii  libc6             2.24-14
ii  libedit2          3.1-20170329-1
ii  libgssapi-krb5-2  1.15.1-2
ii  libselinux1       2.6-3+b2
ii  libssl1.0.2       1.0.2l-2
ii  passwd            1:4.4-4.1
ii  zlib1g            1:1.2.8.dfsg-5

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                  <none>
ii  kwalletcli [ssh-askpass]  3.00-1
pn  libpam-ssh                <none>
pn  monkeysphere              <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]
/etc/ssh/ssh_config changed [not included]

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Nov 2017 09:37:22 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-10+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 865770 873201 877800
Changes:
 openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
 .
   * Test configuration before starting or reloading sshd under systemd
     (closes: #865770).
   * Adjust compatibility patterns for WinSCP to correctly identify versions
     that implement only the legacy DH group exchange scheme (closes:
     #877800).
   * Make "--" before the hostname terminate argument processing after the
     hostname too (closes: #873201).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
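
The behaviour reported above and the changelog entry that closes it can be reproduced with a small model of a two-pass option scan. This is an added example, not OpenSSH source and not part of either message: the function names are hypothetical, only the attached "-oVALUE" form is modelled, and the argument lists are the command lines from the report.

```python
# Simplified model of the option scan described in the bug report.
# Assumption: options are scanned once before the hostname and once after it;
# "fixed" models the changelog entry for #873201. Names are hypothetical.

def scan_options(args, start):
    """BSD-style scan: collect -oVALUE items from args[start:], stopping at the
    first non-option or at "--". Returns (options, next_index, saw_terminator)."""
    opts, i = [], start
    while i < len(args):
        arg = args[i]
        if arg == "--":
            return opts, i + 1, True
        if arg.startswith("-o") and len(arg) > 2:
            opts.append(arg[2:])
        elif arg.startswith("-") and arg != "-":
            raise ValueError("option not modelled: " + arg)
        else:
            break
        i += 1
    return opts, i, False

def parse_ssh_args(args, fixed):
    """args excludes argv[0]. With fixed=True, a "--" seen before the hostname
    also ends option processing after the hostname."""
    opts, i, terminated = scan_options(args, 0)
    if i >= len(args):
        raise ValueError("no hostname given")
    host, i = args[i], i + 1
    if not (fixed and terminated):
        # Second pass: options are still accepted after the hostname.
        more, i, _ = scan_options(args, i)
        opts += more
    return {"host": host, "options": opts, "command": args[i:]}

# Command lines taken from the report (without the leading "ssh").
REPORT_CASES = [
    ["--", "-oProxyCommand=xeyes"],
    ["--", "vuxu.org", "-oProxyCommand=xeyes"],
    ["vuxu.org", "--", "-oProxyCommand=xeyes"],
    ["--", "vuxu.org", "--", "-oProxyCommand=xeyes"],
]

if __name__ == "__main__":
    for case in REPORT_CASES:
        print("ssh", " ".join(case))
        print("  before fix:", parse_ssh_args(case, fixed=False))
        print("  after fix: ", parse_ssh_args(case, fixed=True))
```

In the model, only the second case differs in whether a local option is set; the fourth differs in what is sent as the remote command.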
