Your message dated Sun, 03 May 2026 16:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1133122: fixed in cockpit 337-1+deb13u1
has caused the Debian Bug report #1133122,
regarding trixie-pu: package cockpit/337-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:cockpit
User: [email protected]
Usertags: pu
[ Reason ]
Cockpit recently did a security fix for CVE-2026-4631 for defending against
injecting ssh options for remote host logins, potentially leading to remote
code execution [1]. This was also reported against Debian [2] but Salvatore
from the security team pointed out that our openssh already mitigates this [3]
so this cannot actually be reproduced/exploited on Debian.
I'd still like to apply the fix, for "defense in depth", and frankly also just
to quiesce security scanners and afraid users.
[1] https://github.com/cockpit-project/cockpit/security/advisories/GHSA-m4gv-x78h-3427
[2] https://bugs.debian.org/1133022
[3] https://github.com/openssh/openssh-portable/commit/7ef3787
[ Impact ]
Calling ssh with an explicit `--` before the host name stops command line
injection attempts at the source. Since host names don't start with `-`, there
is no impact for real systems.
[ Tests ]
I built the package locally and ran its autopkgtests in a trixie container.
Moreover, I ran the cockpit binaries on my trixie server and tried to connect
to a remote ssh host.
[ Risks ]
Very low. The change was thoroughly tested upstream with its very extensive
test suite, as well as manually against good (localhost and piware.de:659,
works) and "exploit-y" (piware.de.659 -foo, fails with "authentication not
available") hostnames.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Targeted backport of the upstream fix which calls `ssh` with `--` before the
host name.
[ Other info ]
Nothing I can think of.
Best regards,
Pitti
diff -Nru cockpit-337/debian/changelog cockpit-337/debian/changelog
--- cockpit-337/debian/changelog 2025-04-23 16:11:05.000000000 +0200
+++ cockpit-337/debian/changelog 2026-04-09 05:29:56.000000000 +0200
@@ -1,3 +1,10 @@
+cockpit (337-1+deb13u1) trixie; urgency=medium
+
+ * ws: Be more explicit when handling hostnames on cli.
+ [CVE-2026-4631] (Closes: #1133022)
+
+ -- Martin Pitt <[email protected]> Thu, 09 Apr 2026 05:29:56 +0200
+
cockpit (337-1) unstable; urgency=medium
* New upstream release:
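Review bot: the new changelog entry closes only #1133022, although the debdiff is attached to pu request #1133122; the Changes block of the accepted upload later in this thread lists both bugs (Closes: 1133022 1133122), so the entry was amended before upload and this debdiff no longer matches what was uploaded.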
diff -Nru cockpit-337/debian/gbp.conf cockpit-337/debian/gbp.conf
--- cockpit-337/debian/gbp.conf 2023-06-14 13:51:32.000000000 +0200
+++ cockpit-337/debian/gbp.conf 2026-04-09 05:12:12.000000000 +0200
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
patch-numbers = False
-debian-branch = master
+debian-branch = trixie
diff -Nru cockpit-337/debian/patches/series cockpit-337/debian/patches/series
--- cockpit-337/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ cockpit-337/debian/patches/series 2026-04-09 05:23:29.000000000 +0200
@@ -0,0 +1 @@
+ws-be-more-explicit-when-handling-hostnames-on-cli.patch
diff -Nru
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
---
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
1970-01-01 01:00:00.000000000 +0100
+++
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
2026-04-09 05:23:29.000000000 +0200
@@ -0,0 +1,80 @@
+From: Allison Karlitskaya <[email protected]>
+Date: Tue, 24 Mar 2026 15:44:15 +0100
+Subject: ws: be more explicit when handling hostnames on cli
+
+`cockpit-ws` has never protected hostnames from being interpreted as cli
+options when passing them to the auth commands (`cockpit-session`,
+`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant
+changes over the years:
+
+ - our move to using cockpit-session via unix socket has removed
+ exposure to this problem for `cockpit-session`
+
+ - our move from `cockpit-ssh` (glib argument parser) to
+ `cockpit.beiboot` (Python argparse) has unfortunately exposed us to
+ https://github.com/python/cpython/issues/66623 which means (due to a
+ strange heuristic) that arguments starting with '-' can be
+ interpreted as positionals if they also have spaces in them
+
+This gives a way to get a hostname starting with a `-` to ssh (where it
+*will* be interpreted as an option) and the following argument (the
+python invocation on the remote) will be interpreted as the hostname.
+Fortunately, new versions of ssh will reject this hostname. In any
+case, we should firm up the code here and add `--` to ensure that it's
+definitely interpreted as a hostname by ssh.
+
+For a similar reason add a `--` to the ssh command in `cockpit-ws`.
+
+CVE-2026-4631
+
+Origin: https://github.com/cockpit-project/cockpit/commit/9d0695647
+Origin-ferny: https://github.com/allisonkarlitskaya/ferny/commit/44ec511c99
+Bug-Debian: https://bugs.debian.org/1133022
+---
+ src/cockpit/_vendor/ferny/session.py | 2 +-
+ src/cockpit/beiboot.py | 4 ++--
+ src/ws/cockpitauth.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cockpit/_vendor/ferny/session.py
b/src/cockpit/_vendor/ferny/session.py
+index d142bdb..ac4616d 100644
+--- a/src/cockpit/_vendor/ferny/session.py
++++ b/src/cockpit/_vendor/ferny/session.py
+@@ -145,7 +145,7 @@ class Session(SubprocessContext, InteractionHandler):
+
+ # SSH_ASKPASS_REQUIRE is not generally available, so use setsid
+ process = await asyncio.create_subprocess_exec(
+- *('/usr/bin/ssh', *args, destination), env=env,
++ *('/usr/bin/ssh', *args, '--', destination), env=env,
+ start_new_session=True, stdin=asyncio.subprocess.DEVNULL,
+ stdout=asyncio.subprocess.DEVNULL, stderr=agent, # type: ignore
+ preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL))
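Review bot: putting `--` after `*args` and immediately before `destination` is the right position, because ssh stops option parsing only once the intended options have been consumed, and a destination beginning with `-` then reaches ssh as a hostname rather than a flag. Everything in `args` is still parsed as options, so it is worth confirming outside this hunk that no element of `args` is derived from the user-supplied hostname.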
+diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py
+index 12e369a..0d2a5fe 100644
+--- a/src/cockpit/beiboot.py
++++ b/src/cockpit/beiboot.py
+@@ -274,9 +274,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass:
Path, *ssh_opts: str) ->
+ # strip off [] IPv6 brackets
+ if host.startswith('[') and host.endswith(']'):
+ host = host[1:-1]
+- destination = ['-p', port, host]
++ destination = ['-p', port, '--', host]
+ else:
+- destination = [dest]
++ destination = ['--', dest]
+
+ return (
+ 'ssh', *ssh_opts, *destination, shlex.join(cmd)
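Review bot: in `destination = ['-p', port, '--', host]` the `port` value stays in front of the `--` and so remains subject to ssh's option parsing while only `host` is protected; worth confirming that the host/port split above guarantees `port` is numeric. Note also that the `--` protects the trailing `shlex.join(cmd)` argument: without it, a `host` taken as an option would let the remote command string become the destination, which is exactly the chain the description above lays out.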
+diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
+index 3574189..6fd75be 100644
+--- a/src/ws/cockpitauth.c
++++ b/src/ws/cockpitauth.c
+@@ -51,7 +51,7 @@
+
+ /* we only support beibooting machines with a known/vetted OS, as it's
impossible to guarantee
+ * forward compatibility for all pages */
+-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m
cockpit.beiboot --remote-bridge=supported";
++const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m
cockpit.beiboot --remote-bridge=supported --";
+
+ /* Some tunables that can be set from tests */
+ const gchar *cockpit_ws_session_program = NULL;
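Review bot: the trailing `--` is appended to the `cockpit_ws_ssh_program` string, so the fix depends on whoever splits that string into argv keeping `--` as the last token before the hostname; that is what makes argparse in `cockpit.beiboot` treat the following argument as a positional and sidesteps the whitespace heuristic from the cpython issue cited in the description. The `const gchar *` lines appear wrapped across two lines here only because of mail extraction; in the source each is a single line.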
--- End Message ---
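To show why the `--` matters, here is an added example (not cockpit's own code) that rebuilds the ssh argv the way the patched `via_ssh()` does, with a switch for the pre-fix layout, and runs it through a constructed model of an ssh-style option loop to see which word ends up as the destination. The host:port split, the option table and the `-foo` hostname are this example's assumptions.

```python
import shlex
from typing import List, Optional, Sequence

# ssh options that take a separate value argument (a small subset, constructed
# for this model; real ssh has many more).
OPTIONS_WITH_VALUE = {'-p', '-o', '-i', '-l', '-F', '-J'}


def ssh_destination(argv: Sequence[str]) -> Optional[str]:
    """Model of how an ssh-style getopt loop picks its destination.

    Options are consumed first; '--' ends option processing; the first
    remaining word is the destination. Hypothetical helper, not ssh itself.
    """
    i = 1                                   # skip argv[0] ('ssh')
    while i < len(argv):
        arg = argv[i]
        if arg == '--':
            return argv[i + 1] if i + 1 < len(argv) else None
        if arg.startswith('-'):
            i += 2 if arg in OPTIONS_WITH_VALUE else 1
            continue
        return arg
    return None


def via_ssh(cmd: Sequence[str], dest: str, *ssh_opts: str,
            hardened: bool = True) -> List[str]:
    """Build the ssh argv like beiboot's via_ssh(); hardened=False is the
    pre-fix layout. The host:port split below is this example's assumption."""
    host, sep, port = dest.rpartition(':')
    bracketed = host.startswith('[') and host.endswith(']')
    if sep and port.isdigit() and (bracketed or ':' not in host):
        if bracketed:
            host = host[1:-1]               # strip [] IPv6 brackets
        destination = ['-p', port, *(['--'] if hardened else []), host]
    else:
        destination = [*(['--'] if hardened else []), dest]
    return ['ssh', *ssh_opts, *destination, shlex.join(cmd)]


# The remote command cockpit-ws runs (taken from the patched cockpitauth.c).
REMOTE_CMD = ['python3', '-m', 'cockpit.beiboot', '--remote-bridge=supported']


def compare(dest: str) -> tuple:
    """(destination seen by ssh before the fix, destination after the fix)."""
    return (ssh_destination(via_ssh(REMOTE_CMD, dest, hardened=False)),
            ssh_destination(via_ssh(REMOTE_CMD, dest)))


if __name__ == '__main__':
    for dest in ('piware.de:659', '[::1]:22', '-foo'):   # '-foo' is constructed
        print(dest, compare(dest))
```

For a normal `host:port` both layouts agree; for a destination beginning with `-`, the pre-fix layout hands ssh the remote command string as the hostname, while the hardened one hands it the literal destination, which ssh then simply fails to resolve.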
--- Begin Message ---
Source: cockpit
Source-Version: 337-1+deb13u1
Done: Martin Pitt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cockpit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated cockpit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 09 Apr 2026 05:29:56 +0200
Source: cockpit
Architecture: source
Version: 337-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 1133022 1133122
Changes:
cockpit (337-1+deb13u1) trixie; urgency=medium
.
* ws: Be more explicit when handling hostnames on cli.
[CVE-2026-4631] (Closes: #1133022, #1133122)
--- End Message ---