
Bug#923486: marked as done (CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible)



Your message dated Fri, 01 Mar 2019 12:50:22 +0000
with message-id <E1gzhcM-0007G3-U9@fasolo.debian.org>
and subject line Bug#923486: fixed in openssh 1:7.9p1-9
has caused the Debian Bug report #923486,
regarding CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
923486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923486
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Version: 1:7.9p1-7
Severity: important
Tags: security
Control: found -1 1:7.9p1-6
Control: found -1 1:7.4p1-10+deb9u5
Control: found -1 1:6.7p1-5+deb8u7

Hi,

while working on a fixed openssh version for Debian jessie LTS regarding

  CVE-2019-6110
  CVE-2019-6111
  CVE-2018-20685

after several checks, code readings, double checking, I am pretty sure that CVE-2019-6111 is still not yet fixed. Neither in Debian, nor openssh upstream (though I haven't tested that, only from code readings I assume that).

What I tested this with is this piece of Python code:
https://www.exploit-db.com/exploits/46193

In fact, the sshtranger_things.py script needs a little bit of patching, to not throw unwanted exceptions:

```
--- sshtranger_things.py.orig	2019-02-28 21:48:41.868955825 +0100
+++ sshtranger_things.py	2019-02-28 20:47:01.456096511 +0100
@@ -85,7 +85,10 @@
         return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

     def check_channel_exec_request(self, channel, command):
-        command = command.decode('ascii')
+        try:
+            command = command.decode('ascii')
+        except:
+            pass
         logging.info('Approving exec request: %s', command)
         parts = command.split(' ')
         # Make sure that this is a request to get a file:
```
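Review bot: The bare `except: pass` added around `command.decode('ascii')` hides every error, while the context line `parts = command.split(' ')` still runs afterwards. If the decode failed because `command` is already a `str`, the split works. If it failed on non-ASCII bytes, `command` is still `bytes`, and splitting it with a `str` separator raises a TypeError on Python 3. Suggest decoding only when `isinstance(command, bytes)` and catching `UnicodeDecodeError` explicitly (log it and reject the request) instead of passing silently.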

Can someone please double-check this with a second pair of eyes? I guess this needs to be communicated back to upstream. Can this be handled by the security team and/or the package maintainers?

Thanks+Greets,
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-9

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 01 Mar 2019 12:23:36 +0000
Source: openssh
Architecture: source
Version: 1:7.9p1-9
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 923486
Changes:
 openssh (1:7.9p1-9) unstable; urgency=medium
 .
   * Apply upstream patch to make scp handle shell-style brace expansions
     when checking that filenames sent by the server match what the client
     requested (closes: #923486).

--- End Message ---
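
The changelog entry above describes a client-side check that filenames sent by the server match what the client requested, extended to handle shell-style brace expansion. A simplified model of that check follows, as an added example that is not OpenSSH's code or part of the original messages; the names `brace_expand` and `name_allowed` and the sample filenames are assumptions made for illustration.

```python
import fnmatch
import posixpath


def brace_expand(pattern):
    """Expand shell-style {a,b} alternations, including nested ones.

    Simplified: an unbalanced '{' is kept literal, and a single-item
    group such as {a} is expanded to 'a' (real shells keep it literal).
    """
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth, alts, cur = 0, [], start + 1
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
        elif ch == "," and depth == 1:
            alts.append(pattern[cur:i])
            cur = i + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                alts.append(pattern[cur:i])
                head, tail = pattern[:start], pattern[i + 1:]
                return [p for alt in alts
                        for p in brace_expand(head + alt + tail)]
    return [pattern]


def name_allowed(requested, sent_name, expand_braces=True):
    """Return True if a server-sent filename matches the client's request."""
    # A sent name must be a single path component, never '.' or '..'.
    if "/" in sent_name or sent_name in ("", ".", ".."):
        return False
    patterns = brace_expand(requested) if expand_braces else [requested]
    # Compare against the last path component of each requested pattern.
    return any(fnmatch.fnmatchcase(sent_name, posixpath.basename(p))
               for p in patterns)


if __name__ == "__main__":
    requested = "docs/{readme,notes}.txt"   # constructed sample request
    for sent in ("readme.txt", "notes.txt", "unrequested.txt", "../x.txt"):
        print(sent, name_allowed(requested, sent),
              name_allowed(requested, sent, expand_braces=False))
```

With `expand_braces=False` the check falls back to plain glob matching, which treats the braces as literal characters and so rejects the files the client legitimately asked for.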
