Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:ckermit
User: [email protected]
Usertags: pu
* CVE-2025-68920: Block remote control of the local kermit by default.
Closes: #1123025
* Permanently disable OpenSSL version check. Closes: #1118629.
The OpenSSL version check is currently a problem for the package in trixie: when the OpenSSL library loaded at run time does not match the one the package was built against, C-Kermit disables all SSL/TLS features (see the block removed in patches/openssl-check-disable).
diffstat for ckermit-416~beta12 ckermit-416~beta12
NEWS | 11 ++++
changelog | 11 ++++
patches/openssl-check-disable | 85 ++++++++++++++++++++++++++++++++++
patches/remote-security.patch | 104 ++++++++++++++++++++++++++++++++++++++++++
patches/series | 2
5 files changed, 213 insertions(+)
diff -Nru ckermit-416~beta12/debian/changelog
ckermit-416~beta12/debian/changelog
--- ckermit-416~beta12/debian/changelog 2025-04-05 07:59:58.000000000 +0300
+++ ckermit-416~beta12/debian/changelog 2026-03-04 19:30:35.000000000 +0200
@@ -1,3 +1,14 @@
+ckermit (416~beta12-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ John Goerzen ]
+ * CVE-2025-68920: Block remote control of the local kermit by default.
+ Closes: #1123025
+ * Permanently disable OpenSSL version check. Closes: #1118629.
+
+ -- Adrian Bunk <[email protected]> Wed, 04 Mar 2026 19:30:35 +0200
+
ckermit (416~beta12-1) unstable; urgency=medium
* New upstream release
diff -Nru ckermit-416~beta12/debian/NEWS ckermit-416~beta12/debian/NEWS
--- ckermit-416~beta12/debian/NEWS 1970-01-01 02:00:00.000000000 +0200
+++ ckermit-416~beta12/debian/NEWS 2026-03-04 19:30:35.000000000 +0200
@@ -0,0 +1,11 @@
+ckermit (416~beta12-1+deb13u1) trixie; urgency=medium
+
+ The default permissions have changed such that a remote kermit can no longer
+ turn around a connection and control a local kermit. Furthermore, the
default
+ settings no longer permits overwriting a local file. Both address security
+ vulnerabilities.
+
+ For further information, including information on restoring previous
defaults,
+ see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
+
+ -- John Goerzen <[email protected]> Mon, 15 Dec 2025 19:11:21 -0600
diff -Nru ckermit-416~beta12/debian/patches/openssl-check-disable
ckermit-416~beta12/debian/patches/openssl-check-disable
--- ckermit-416~beta12/debian/patches/openssl-check-disable 1970-01-01
02:00:00.000000000 +0200
+++ ckermit-416~beta12/debian/patches/openssl-check-disable 2026-03-04
19:30:35.000000000 +0200
@@ -0,0 +1,85 @@
+--- a/ck_ssl.c
++++ b/ck_ssl.c
+@@ -1529,82 +1529,6 @@
+ debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_CFLAGS),0);
+ debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
+
+- /* The following test is suggested by Richard Levitte */
+- /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
+- /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
+- if (OPENSSL_VERSION_NUMBER > SSLeay()
+- || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
+-#ifdef OS2
+-/* DG 2024-08-05: Not sure what the point of this was. Presumably the goal was
+- * to prevent updated OpenSSL libraries from being used, though why you'd
+- * want to do that I'm not sure. Might have been to do with how Kermit 95s
+- * SSH code was built way back in the early 2000s I guess. Today Kermit 95s
+- * use of OpenSSL is largely the same as how C-Kermit uses it on other
+- * platforms so I don't see any reason to treat it differently here.
+- || ckstrcmp(OPENSSL_VERSION_TEXT,(char
*)SSLeay_version(SSLEAY_VERSION),-1,1)
+-*/
+-#endif /* OS2 */
+- ) {
+- ssl_installed = 0;
+- debug(F111,"OpenSSL Version does not match. Built with",
+- SSLeay_version(SSLEAY_VERSION),SSLEAY_VERSION_NUMBER);
+- printf("?OpenSSL libraries do not match required version:\r\n");
+- printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
+- printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
+-#ifdef OPENSSL_100
+- printf(" OpenSSL versions 1.0.0 or newer must be the same\r\n");
+- printf(" major and minor version number, and Kermit may not\r\n");
+- printf(" be used with a version of OpenSSL older than the one\r\n");
+- printf(" supplied at compile time.\r\n");
+-#else
+- printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
+-#endif /* OPENSSL_100 */
+-
+- s = "R";
+-#ifdef SOLARIS
+- printf(" Set CD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* SOLARIS */
+-
+-#ifdef HPUX
+- printf(" Set SHLIB_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* HPUX */
+-
+-#ifdef AIX
+- printf(" Set LIBPATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* AIX */
+-
+-#ifdef LINUX
+- printf(" Set LD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* LINUX */
+-
+- printf(" %sebuild C-Kermit from source on this computer to make \
+-versions agree.\r\n",s);
+-
+-#ifdef KTARGET
+- {
+- char * s;
+- s = KTARGET;
+- if (!s) s = "";
+- if (!*s) s = "(unknown)";
+- printf(" C-Kermit makefile target: %s\r\n",s);
+- }
+-#endif /* KTARGET */
+- printf(" Or if that is what you did then try to find out why\r\n");
+- printf(" the program loader (image activator) is choosing a\r\n");
+- printf(" different OpenSSL library than the one specified in \
+-the build.\r\n\r\n");
+- printf(" All SSL/TLS features disabled.\r\n\r\n");
+- bleep(BP_FAIL);
+-#ifdef SSLDLL
+- ck_ssl_unloaddll();
+- ck_crypto_unloaddll();
+-#endif /* SSLDLL */
+- return;
+- }
+ #endif /* OS2ONLY */
+
+ /* init things so we will get meaningful error messages
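Review bot: patches/openssl-check-disable carries no DEP-3 header, unlike remote-security.patch, so the reason the run-time comparison (`OPENSSL_VERSION_NUMBER > SSLeay()` and the `COMPAT_VERSION_MASK` test) can be dropped is not recorded in the patch itself. Removing the block also removes the only run-time safety net that disabled SSL/TLS on a header/library mismatch; that is presumably acceptable on Debian because the package's shlibs dependency guarantees a libssl at least as new as the build-time one, but the header should say so and point at the bug, e.g. `Description: Drop the OpenSSL build/run-time version check; Debian's shlibs dependency already ensures a compatible libssl.` and `Bug-Debian: https://bugs.debian.org/1118629`. If the `s` that received `"R"` is declared only for this diagnostic, it is now unused and may trigger a warning; its declaration, the enclosing `#ifndef OS2ONLY` and the function start all lie outside the hunk.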
diff -Nru ckermit-416~beta12/debian/patches/remote-security.patch
ckermit-416~beta12/debian/patches/remote-security.patch
--- ckermit-416~beta12/debian/patches/remote-security.patch 1970-01-01
02:00:00.000000000 +0200
+++ ckermit-416~beta12/debian/patches/remote-security.patch 2026-03-04
19:30:35.000000000 +0200
@@ -0,0 +1,104 @@
+Description: Fix remote security hole
+Author: John Goerzen <[email protected]>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
+Last-Update: 2025-12-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+Fix insecure defaults
+
+This can lead to data exfiltration and compromise
+
+Further information at http://bugs.debian.org/1123025
+--- a/ckcmai.c
++++ b/ckcmai.c
+@@ -724,7 +724,7 @@
+ #ifdef VMS /* Default filename collision action
*/
+ XYFX_X, /* REPLACE for VAX/VMS */
+ #else
+- XYFX_B, /* BACKUP for everybody else */
++ XYFX_D, /* REJECT for everybody else */
+ #endif /* VMS */
+
+ #ifdef OS2 /* Flag for file name conversion */
+@@ -1574,37 +1574,37 @@
+ only as initial (default) values.
+ */
+ int en_xit = 2; /* EXIT */
+-int en_cwd = 3; /* CD/CWD */
+-int en_cpy = 3; /* COPY */
++int en_cwd = 2; /* CD/CWD */
++int en_cpy = 2; /* COPY */
+ int en_del = 2; /* DELETE */
+-int en_mkd = 3; /* MKDIR */
++int en_mkd = 2; /* MKDIR */
+ int en_rmd = 2; /* RMDIR */
+-int en_dir = 3; /* DIRECTORY */
+-int en_fin = 3; /* FINISH */
+-int en_get = 3; /* GET */
++int en_dir = 2; /* DIRECTORY */
++int en_fin = 2; /* FINISH */
++int en_get = 2; /* GET */
+ #ifndef NOPUSH
+ int en_hos = 2; /* HOST enabled */
+ #else
+ int en_hos = 0; /* HOST disabled */
+ #endif /* NOPUSH */
+-int en_ren = 3; /* RENAME */
+-int en_sen = 3; /* SEND */
+-int en_set = 3; /* SET */
+-int en_spa = 3; /* SPACE */
+-int en_typ = 3; /* TYPE */
+-int en_who = 3; /* WHO */
++int en_ren = 2; /* RENAME */
++int en_sen = 2; /* SEND */
++int en_set = 2; /* SET */
++int en_spa = 2; /* SPACE */
++int en_typ = 2; /* TYPE */
++int en_who = 2; /* WHO */
+ #ifdef datageneral
+ /* Data General AOS/VS can't do this */
+ int en_bye = 0; /* BYE */
+ #else
+ int en_bye = 2; /* PCs in local mode... */
+ #endif /* datageneral */
+-int en_asg = 3; /* ASSIGN */
+-int en_que = 3; /* QUERY */
++int en_asg = 2; /* ASSIGN */
++int en_que = 2; /* QUERY */
+ int en_ret = 2; /* RETRIEVE */
+-int en_mai = 3; /* MAIL */
+-int en_pri = 3; /* PRINT */
+-int en_ena = 3; /* ENABLE */
++int en_mai = 2; /* MAIL */
++int en_pri = 2; /* PRINT */
++int en_ena = 2; /* ENABLE */
+ #else
+ int en_xit = 0, en_cwd = 0, en_cpy = 0, en_del = 0, en_mkd = 0, en_rmd = 0,
+ en_dir = 0, en_fin = 0, en_get = 0, en_hos = 0, en_ren = 0, en_sen = 0,
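Review bot: Every `en_*` default that was 3 becomes 2 with no comment explaining what the two values encode, so a reader cannot tell from the hunk which bit was cleared or why EXIT, DELETE, RMDIR and HOST (already 2) are left alone. A short comment above the table would make the security change auditable, e.g. `/* Debian (CVE-2025-68920): value 3 -> 2 for every server command, so a remote Kermit can no longer drive the local one; the bit semantics are presumably 1 = remote, 2 = local -- confirm against the ENABLE command's definitions. */`. Since these are only initial values, the comment should also say that `ENABLE` restores the previous behaviour, as debian/NEWS promises. The `#if`/`#else` pair that selects this table versus the all-zero one at the bottom begins outside the hunk.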
+--- a/ckuus2.c
++++ b/ckuus2.c
+@@ -4138,12 +4138,12 @@
+ "SET FILE COLLISION option",
+ " Tells what to do when a file arrives that has the same name as",
+ " an existing file. The options are:",
+-" BACKUP (default) - Rename the old file to a new, unique name and store",
++" BACKUP - Rename the old file to a new, unique name and store",
+ " the incoming file under the name it was sent with.",
+ " OVERWRITE - Overwrite (replace) the existing file; doesn't work for",
+ " a Kermit server unless you also tell it to ENABLE DELETE.",
+ " APPEND - Append the incoming file to the end of the existing file.",
+-" REJECT - Refuse and/or discard the incoming file (= DISCARD).",
++" REJECT (default) - Refuse and/or discard the incoming file (= DISCARD).",
+ " RENAME - Give the incoming file a unique name.",
+ " UPDATE - Accept the incoming file only if newer than the existing file.",
+ " ",
+@@ -7929,7 +7929,7 @@
+ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }",
+ " enables/disables automatic switching into file-transfer mode when a
Kermit",
+ " or ZMODEM file transfer has been detected during CONNECT mode or while",
+-" an INPUT command is active. Default is OFF.",
++" an INPUT command is active. Default is ON.",
+ #else
+ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }",
+ " enables/disables automatic switching into file-transfer mode when a
Kermit",
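Review bot: The AUTODOWNLOAD help text now says `Default is ON.`, but nothing in this debdiff changes the AUTODOWNLOAD default in code — the patch touches only the collision default and the `en_*` table — so this line is either a correction of stale help text or a new mismatch with the real default, and nothing in the hunk tells which. Automatic switching into file-transfer mode on a packet the remote side sends is exactly the kind of remote-triggered behaviour this patch is tightening, so the DEP-3 Description should state what the code default is and why the help line changed; if the code default is still OFF, this hunk should be dropped rather than documenting a default the build does not have. The help-string array continues outside the hunk.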
diff -Nru ckermit-416~beta12/debian/patches/series
ckermit-416~beta12/debian/patches/series
--- ckermit-416~beta12/debian/patches/series 2025-04-05 07:59:58.000000000
+0300
+++ ckermit-416~beta12/debian/patches/series 2026-03-04 19:30:35.000000000
+0200
@@ -1,2 +1,4 @@
+openssl-check-disable
ck_patch.patch
cflags.patch
+remote-security.patch