
Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible



On Thu, Feb 28, 2019 at 11:05:37PM +0100, Salvatore Bonaccorso wrote:
> Colin, but please double check if this is enough. A server which sends
> an additional malicious file is blocked by that (and the patch is not
> following git-dpm workflow as I'm unfamiliar with it).

Cherry-picked as follows, given an up-to-date upstream remote:

  $ git-dpm checkout-patched
  Switched to a new branch 'patched'
  You are now in branch 'patched'
  $ git cherry-pick 3d896c157c722bc47adca51a58dca859225b5874
  error: could not apply 3d896c157... upstream: when checking that filenames sent by the server side
  hint: after resolving the conflicts, mark the corrected paths
  hint: with 'git add <paths>' or 'git rm <paths>'
  hint: and commit the result with 'git commit'
  [... resolve conflicts in scp.c ...]
  $ git add scp.c
  $ git cherry-pick --continue
  [... in the above, edit the commit message to add DEP-3 headers ...]
  $ git-dpm update-patches
  $ dch
  [... add changelog entry ...]
  $ git commit --amend
  [... amends git-dpm's merge commit to include changelog entry ...]

(You can combine the last three steps using "git-dpm dch".  I do it this
way because I normally prefer to edit debian/changelog using my normal
editor.)

And yes, it looks OK - I'll upload it to unstable shortly.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

