
Bug#923486: marked as done (CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible)



Your message dated Thu, 07 Mar 2019 21:32:24 +0000
with message-id <E1h20cq-000Cb2-CR@fasolo.debian.org>
and subject line Bug#923486: fixed in openssh 1:7.4p1-10+deb9u6
has caused the Debian Bug report #923486,
regarding CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
923486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923486
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Version: 1:7.9p1-7
Severity: important
Tags: security
Control: found -1 1:7.9p1-6
Control: found -1 1:7.4p1-10+deb9u5
Control: found -1 1:6.7p1-5+deb8u7

Hi,

while working on a fixed openssh version for Debian jessie LTS regarding

  CVE-2019-6110
  CVE-2019-6111
  CVE-2018-20685

after several checks, code readings, double checking, I am pretty sure that CVE-2019-6111 is still not yet fixed. Neither in Debian, nor openssh upstream (though I haven't tested that, only from code readings I assume that).

What I tested this with is this piece of Python code:
https://www.exploit-db.com/exploits/46193

In fact, the sshtranger_things.py script needs a little bit of patching, to not throw unwanted exceptions:

```
--- sshtranger_things.py.orig	2019-02-28 21:48:41.868955825 +0100
+++ sshtranger_things.py	2019-02-28 20:47:01.456096511 +0100
@@ -85,7 +85,10 @@
         return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

     def check_channel_exec_request(self, channel, command):
-        command = command.decode('ascii')
+        try:
+            command = command.decode('ascii')
+        except:
+            pass
         logging.info('Approving exec request: %s', command)
         parts = command.split(' ')
         # Make sure that this is a request to get a file:
```
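Review bot: the bare `except:` followed by `pass` around `command.decode('ascii')` hides every error, and when decoding fails `command` keeps its original type, so the unchanged `command.split(' ')` two lines later still receives the undecoded value. Catch the specific exception that is actually raised (for example `UnicodeDecodeError` or `AttributeError`), and either return early or decode with an explicit fallback so that the logging and split lines always operate on a text string.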

Can someone please double-check this with a second pair of eyes? I guess this needs to be communicated back to upstream. Can this be handled by the security team and/or the package maintainers?

Thanks+Greets,
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgp_kAIS0Ib3h.pgp
Description: Digital PGP signature


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Mar 2019 17:19:28 +0100
Source: openssh
Architecture: source
Version: 1:7.4p1-10+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 923486
Changes:
 openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream patch to make scp handle shell-style brace expansions
     when checking that filenames sent by the server match what the client
     requested (closes: #923486).


--- End Message ---
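
The changelog above describes scp checking that filenames sent by the server match what the client requested, including shell-style brace expansions. The following is an added illustration of that kind of client-side check, not OpenSSH's code and not part of the original messages; `expand_braces`, `server_name_allowed` and the sample paths are hypothetical names constructed for this sketch, and rejecting names that contain `/` is an assumption of the sketch.

```python
import fnmatch


def expand_braces(pattern):
    """Expand shell-style {a,b} alternatives (nesting allowed, no backslash escapes)."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth, parts, last = 0, [], start + 1
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
        elif ch == "," and depth == 1:
            parts.append(pattern[last:i])      # top-level alternative ends here
            last = i + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                parts.append(pattern[last:i])
                head, tails = pattern[:start], expand_braces(pattern[i + 1:])
                if len(parts) == 1:            # "{x}" has no alternatives: keep braces
                    return [head + "{" + mid + "}" + t
                            for mid in expand_braces(parts[0]) for t in tails]
                return [head + mid + t
                        for part in parts
                        for mid in expand_braces(part)
                        for t in tails]
    return [pattern]                           # unbalanced "{": treat as literal


def server_name_allowed(requested, sent_name):
    """True if a filename sent by the server matches the path the client requested."""
    if "/" in sent_name or sent_name in ("", ".", ".."):
        return False                           # assumption: no path components accepted
    # Expand first, then compare against the last component of each expansion.
    patterns = {p.rsplit("/", 1)[-1] for p in expand_braces(requested)}
    return any(fnmatch.fnmatchcase(sent_name, p) for p in patterns)


if __name__ == "__main__":
    requested = "/srv/{report,summary}-2019.txt"   # constructed sample request
    for name in ("report-2019.txt", "summary-2019.txt", ".bash_aliases"):
        naive = fnmatch.fnmatchcase(name, requested.rsplit("/", 1)[-1])
        print(name, "naive:", naive, "expanded:", server_name_allowed(requested, name))
```

A plain glob match without brace expansion rejects both legitimate names in the sample, which is why a filename check that ignores braces breaks valid requests.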
