Your message dated Thu, 07 Mar 2019 21:32:24 +0000 with message-id <E1h20cq-000Cb2-CR@fasolo.debian.org> and subject line Bug#923486: fixed in openssh 1:7.4p1-10+deb9u6 has caused the Debian Bug report #923486, regarding CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
923486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923486
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Thu, 28 Feb 2019 20:54:51 +0000
- Message-id: <20190228205451.Horde.tBOWJjnj4hjTh4TJUw1N8l8@mail.das-netzwerkteam.de>
Source: openssh
Version: 1:7.9p1-7
Severity: important
Tags: security
Control: found -1 1:7.9p1-6
Control: found -1 1:7.4p1-10+deb9u5
Control: found -1 1:6.7p1-5+deb8u7

Hi,

while working on a fixed openssh version for Debian jessie LTS regarding

CVE-2019-6110
CVE-2019-6111
CVE-2018-20685

after several checks, code readings, double checking, I am pretty sure that CVE-2019-6111 is still not yet fixed. Neither in Debian, nor openssh upstream (though I haven't tested that, only from code readings I assume that).

What I tested this with is this piece of Python code:
https://www.exploit-db.com/exploits/46193

In fact, the sshtranger_things.py script needs a little bit of patching, to not throw unwanted exceptions:

```
--- sshtranger_things.py.orig 2019-02-28 21:48:41.868955825 +0100 +++ sshtranger_things.py 2019-02-28 20:47:01.456096511 +0100 @@ -85,7 +85,10 @@ return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED def check_channel_exec_request(self, channel, command): - command = command.decode('ascii') + try: + command = command.decode('ascii') + except: + pass logging.info('Approving exec request: %s', command) parts = command.split(' ') # Make sure that this is a request to get a file:
```

Can someone please double-check this with a second pair of eyes? I guess this needs to be communicated back to upstream. Can this be handled by the security team and/or the package maintainers?

Thanks+Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgp_kAIS0Ib3h.pgp
Description: Digital PGP signature
--- End Message ---
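Review bot: the bare `except:` followed by `pass` in check_channel_exec_request hides every failure of `command.decode('ascii')`, not only the one that motivated the change, and leaves `command` in whatever type it arrived in before `logging.info` and `command.split(' ')` run. If the aim is to accept a command that is already a str, test for that explicitly (for example `if isinstance(command, bytes):` ahead of the decode) or catch only the specific exception, so that a value that cannot be decoded is reported instead of being passed on silently.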
--- Begin Message ---
- To: 923486-close@bugs.debian.org
- Subject: Bug#923486: fixed in openssh 1:7.4p1-10+deb9u6
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 07 Mar 2019 21:32:24 +0000
- Message-id: <E1h20cq-000Cb2-CR@fasolo.debian.org>
Source: openssh
Source-Version: 1:7.4p1-10+deb9u6

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 923486@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Fri, 01 Mar 2019 17:19:28 +0100
Source: openssh
Architecture: source
Version: 1:7.4p1-10+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 923486
Changes:
 openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream patch to make scp handle shell-style brace expansions
     when checking that filenames sent by the server match what the client
     requested (closes: #923486).
Checksums-Sha1:
 69bbef5108f86cad3dd4086c3393832633d97b7f 3079 openssh_7.4p1-10+deb9u6.dsc
 771c24434cb69527dc463b4d303ceecd86a9a7e5 170724 openssh_7.4p1-10+deb9u6.debian.tar.xz
Checksums-Sha256:
 fa095ccdb143684092f0ca9671d46cd9587872324846e20ad6b022704557c403 3079 openssh_7.4p1-10+deb9u6.dsc
 e5b5fb4bbcb11134d9c666e6763d8a2b0a097efe389013447bddcb39a261bc94 170724 openssh_7.4p1-10+deb9u6.debian.tar.xz
Files:
 3cdeb02effad9e1cd5298376fb796d19 3079 net standard openssh_7.4p1-10+deb9u6.dsc
 a32ca694f98c8104a7e853ae096ac3a3 170724 net standard openssh_7.4p1-10+deb9u6.debian.tar.xz
--- End Message ---
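
The check described in the changelog entry above, as an added Python illustration (not OpenSSH's code and not part of either message): expand the braces in the requested path, then accept a name announced by the server only if it is a single path component matching one of the expansions. `expand_braces` and `server_name_allowed` are hypothetical names, and the sample request and file names are constructed.

```python
import fnmatch


def expand_braces(pattern):
    """Expand shell-style {a,b} alternations (nesting allowed) into plain patterns."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth, parts, piece = 0, [], start + 1
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
        elif ch == "," and depth == 1:
            parts.append(pattern[piece:i])
            piece = i + 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                parts.append(pattern[piece:i])
                head, tail = pattern[:start], pattern[i + 1:]
                if len(parts) < 2:  # "{x}" is no alternation: keep it literal
                    return [pattern[:i + 1] + t for t in expand_braces(tail)]
                return [p for part in parts
                        for p in expand_braces(head + part + tail)]
    return [pattern]  # unbalanced brace: match the pattern literally


def server_name_allowed(requested, sent_name):
    """True if a file name announced by the server fits the client's request."""
    # A name written into the target directory must be a single path component.
    if sent_name in ("", ".", "..") or "/" in sent_name:
        return False
    for candidate in expand_braces(requested):
        basename = candidate.rsplit("/", 1)[-1]
        if fnmatch.fnmatchcase(sent_name, basename):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: one request, three names a server might announce.
    request = "remote/{report,notes}.txt"
    for name in ("notes.txt", "unrequested.txt", "../notes.txt"):
        verdict = "accept" if server_name_allowed(request, name) else "reject"
        print(f"{name!r}: {verdict}")
```

Matching the unexpanded pattern `{report,notes}.txt` with a plain glob would reject `notes.txt`, because glob syntax treats braces as literal characters; that is why the expansion step comes before the comparison.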