Your message dated Fri, 01 Mar 2019 12:50:22 +0000 with message-id <E1gzhcM-0007G3-U9@fasolo.debian.org> and subject line Bug#923486: fixed in openssh 1:7.9p1-9 has caused the Debian Bug report #923486, regarding CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
923486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923486
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Thu, 28 Feb 2019 20:54:51 +0000
- Message-id: <20190228205451.Horde.tBOWJjnj4hjTh4TJUw1N8l8@mail.das-netzwerkteam.de>
Source: openssh
Version: 1:7.9p1-7
Severity: important
Tags: security
Control: found -1 1:7.9p1-6
Control: found -1 1:7.4p1-10+deb9u5
Control: found -1 1:6.7p1-5+deb8u7

Hi,

while working on a fixed openssh version for Debian jessie LTS regarding

CVE-2019-6110
CVE-2019-6111
CVE-2018-20685

after several checks, code readings, double checking, I am pretty sure that CVE-2019-6111 is still not yet fixed. Neither in Debian, nor openssh upstream (though I haven't tested that, only from code readings I assume that).

What I tested this with is this piece of Python code:
https://www.exploit-db.com/exploits/46193

In fact, the sshtranger_things.py script needs a little bit of patching, to not throw unwanted exceptions:

```
--- sshtranger_things.py.orig 2019-02-28 21:48:41.868955825 +0100 +++ sshtranger_things.py 2019-02-28 20:47:01.456096511 +0100 @@ -85,7 +85,10 @@ return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED def check_channel_exec_request(self, channel, command): - command = command.decode('ascii') + try: + command = command.decode('ascii') + except: + pass logging.info('Approving exec request: %s', command) parts = command.split(' ') # Make sure that this is a request to get a file:
```

Can someone please double-check this with a second pair of eyes? I guess this needs to be communicated back to upstream. Can this be handled by the security team and/or the package maintainers?

Thanks+Greets,
Mike
--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgpKLbSS_BdPw.pgp
Description: Digital PGP signature
--- End Message ---
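Review bot: the bare `except: pass` added around `command.decode('ascii')` in `check_channel_exec_request` swallows every exception, so it is no longer visible which failure is being tolerated, and `command` then reaches `logging.info(...)` and `command.split(' ')` in whatever type it arrived in. If that is still a bytes object under Python 3, `command.split(' ')` raises a TypeError one line later. Suggest decoding only when `command` is bytes and catching the specific exception (for example `UnicodeDecodeError`, or `AttributeError` if it is already a str) instead of a bare `except`.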
--- Begin Message ---
- To: 923486-close@bugs.debian.org
- Subject: Bug#923486: fixed in openssh 1:7.9p1-9
- From: Colin Watson <cjwatson@debian.org>
- Date: Fri, 01 Mar 2019 12:50:22 +0000
- Message-id: <E1gzhcM-0007G3-U9@fasolo.debian.org>
Source: openssh
Source-Version: 1:7.9p1-9

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 923486@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Mar 2019 12:23:36 +0000
Source: openssh
Architecture: source
Version: 1:7.9p1-9
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 923486
Changes:
 openssh (1:7.9p1-9) unstable; urgency=medium
 .
   * Apply upstream patch to make scp handle shell-style brace expansions when checking that filenames sent by the server match what the client requested (closes: #923486).
--- End Message ---
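The check named in the changelog entry above, that a filename sent by the server must match what the client requested with shell-style brace groups taken into account, sketched as an added example. It is not the upstream OpenSSH patch and not code from this thread; `brace_match` and `name_allowed` are hypothetical names, and it assumes POSIX `fnmatch(3)` and patterns without backslash escapes.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand the first {a,b} group of pat (nesting allowed) and recurse.
 * Simplified: no backslash escapes; a comma-less {x} is expanded to x. */
static int brace_match(const char *pat, const char *name)
{
    const char *open = strchr(pat, '{'), *close = NULL, *alt, *p;
    size_t n = strlen(pat) + 1;     /* an expansion is never longer */
    int depth = 0, ok;
    char *cand;

    for (p = open; p != NULL && *p != '\0' && close == NULL; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0)
            close = p;              /* brace closing the first group */
    }
    if (close == NULL)              /* nothing to expand: glob the last component */
        return fnmatch((p = strrchr(pat, '/')) ? p + 1 : pat, name, 0) == 0;
    for (alt = p = open + 1, depth = 0; p <= close; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && p != close)
            depth--;
        else if (p == close || (*p == ',' && depth == 0)) {
            if ((cand = malloc(n)) == NULL)
                return 0;           /* fail closed */
            snprintf(cand, n, "%.*s%.*s%s", (int)(open - pat), pat,
                (int)(p - alt), alt, close + 1);
            ok = brace_match(cand, name);
            free(cand);
            if (ok)
                return 1;
            alt = p + 1;
        }
    }
    return 0;
}

/* 1 if a server-sent name is acceptable for the path the client requested. */
int name_allowed(const char *requested, const char *name)
{
    if (strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    return brace_match(requested, name);
}
```

A client-side receive loop would call `name_allowed()` on each filename the server announces and abort the transfer on the first 0.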