Your message dated Sat, 16 May 2026 10:23:16 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1133122,
regarding trixie-pu: package cockpit/337-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:cockpit
User: [email protected]
Usertags: pu
[ Reason ]
Cockpit recently did a security fix for CVE-2026-4631 for defending against
injecting ssh options for remote host logins, potentially leading to remote
code execution [1]. This was also reported against Debian [2] but Salvatore
from the security team pointed out that our openssh already mitigates this [3]
so this cannot actually be reproduced/exploited on Debian.
I'd still like to apply the fix, for "defense in depth", and frankly also just
to quiesce security scanners and afraid users.
[1] https://github.com/cockpit-project/cockpit/security/advisories/GHSA-m4gv-x78h-3427
[2] https://bugs.debian.org/1133022
[3] https://github.com/openssh/openssh-portable/commit/7ef3787
[ Impact ]
Calling ssh with an explicit `--` before the host name stops command line
injection attempts at the source. Since host names don't start with `-`, there
is no impact for real systems.
[ Tests ]
I built the package locally and ran its autopkgtests in a trixie container.
Moreover, I ran the cockpit binaries on my trixie server and tried to connect
to a remote ssh host.
[ Risks ]
Very low. The change was thoroughly tested upstream with its very extensive
test suite, as well as manually against good (localhost and piware.de:659,
works) and "exploit-y" (piware.de.659 -foo, fails with "authentication not
available") hostnames.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Targeted backport of the upstream fix which calls `ssh` with `--` before the
host name.
[ Other info ]
Nothing I can think of.
Best regards,
Pitti
diff -Nru cockpit-337/debian/changelog cockpit-337/debian/changelog
--- cockpit-337/debian/changelog 2025-04-23 16:11:05.000000000 +0200
+++ cockpit-337/debian/changelog 2026-04-09 05:29:56.000000000 +0200
@@ -1,3 +1,10 @@
+cockpit (337-1+deb13u1) trixie; urgency=medium
+
+ * ws: Be more explicit when handling hostnames on cli.
+ [CVE-2026-4631] (Closes: #1133022)
+
+ -- Martin Pitt <[email protected]> Thu, 09 Apr 2026 05:29:56 +0200
+
cockpit (337-1) unstable; urgency=medium
* New upstream release:
diff -Nru cockpit-337/debian/gbp.conf cockpit-337/debian/gbp.conf
--- cockpit-337/debian/gbp.conf 2023-06-14 13:51:32.000000000 +0200
+++ cockpit-337/debian/gbp.conf 2026-04-09 05:12:12.000000000 +0200
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
patch-numbers = False
-debian-branch = master
+debian-branch = trixie
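Review bot: the debian-branch switch from master to trixie is not mentioned in the changelog entry above, although the checklist states that all changes are documented there; it has no effect on the built binaries, so a one-line entry such as "* debian/gbp.conf: Set debian-branch to trixie" is enough to make the debdiff self-describing.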
diff -Nru cockpit-337/debian/patches/series cockpit-337/debian/patches/series
--- cockpit-337/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ cockpit-337/debian/patches/series 2026-04-09 05:23:29.000000000 +0200
@@ -0,0 +1 @@
+ws-be-more-explicit-when-handling-hostnames-on-cli.patch
diff -Nru
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
---
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
1970-01-01 01:00:00.000000000 +0100
+++
cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
2026-04-09 05:23:29.000000000 +0200
@@ -0,0 +1,80 @@
+From: Allison Karlitskaya <[email protected]>
+Date: Tue, 24 Mar 2026 15:44:15 +0100
+Subject: ws: be more explicit when handling hostnames on cli
+
+`cockpit-ws` has never protected hostnames from being interpreted as cli
+options when passing them to the auth commands (`cockpit-session`,
+`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant
+changes over the years:
+
+ - our move to using cockpit-session via unix socket has removed
+ exposure to this problem for `cockpit-session`
+
+ - our move from `cockpit-ssh` (glib argument parser) to
+ `cockpit.beiboot` (Python argparse) has unfortunately exposed us to
+ https://github.com/python/cpython/issues/66623 which means (due to a
+ strange heuristic) that arguments starting with '-' can be
+ interpreted as positionals if they also have spaces in them
+
+This gives a way to get a hostname starting with a `-` to ssh (where it
+*will* be interpreted as an option) and the following argument (the
+python invocation on the remote) will be interpreted as the hostname.
+Fortunately, new versions of ssh will reject this hostname. In any
+case, we should firm up the code here and add `--` to ensure that it's
+definitely interpreted as a hostname by ssh.
+
+For a similar reason add a `--` to the ssh command in `cockpit-ws`.
+
+CVE-2026-4631
+
+Origin: https://github.com/cockpit-project/cockpit/commit/9d0695647
+Origin-ferny: https://github.com/allisonkarlitskaya/ferny/commit/44ec511c99
+Bug-Debian: https://bugs.debian.org/1133022
+---
+ src/cockpit/_vendor/ferny/session.py | 2 +-
+ src/cockpit/beiboot.py | 4 ++--
+ src/ws/cockpitauth.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cockpit/_vendor/ferny/session.py
b/src/cockpit/_vendor/ferny/session.py
+index d142bdb..ac4616d 100644
+--- a/src/cockpit/_vendor/ferny/session.py
++++ b/src/cockpit/_vendor/ferny/session.py
+@@ -145,7 +145,7 @@ class Session(SubprocessContext, InteractionHandler):
+
+ # SSH_ASKPASS_REQUIRE is not generally available, so use setsid
+ process = await asyncio.create_subprocess_exec(
+- *('/usr/bin/ssh', *args, destination), env=env,
++ *('/usr/bin/ssh', *args, '--', destination), env=env,
+ start_new_session=True, stdin=asyncio.subprocess.DEVNULL,
+ stdout=asyncio.subprocess.DEVNULL, stderr=agent, # type: ignore
+ preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL))
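Review bot: the terminator is placed correctly, after *args (which carries ssh's own options) and immediately before destination, so a destination beginning with '-' can no longer be consumed by ssh's option parser. Worth confirming outside this hunk that args never already contains a '--' of its own: once option parsing has stopped, ssh would take a second '--' as the destination and the real host as the start of the remote command.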
+diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py
+index 12e369a..0d2a5fe 100644
+--- a/src/cockpit/beiboot.py
++++ b/src/cockpit/beiboot.py
+@@ -274,9 +274,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass:
Path, *ssh_opts: str) ->
+ # strip off [] IPv6 brackets
+ if host.startswith('[') and host.endswith(']'):
+ host = host[1:-1]
+- destination = ['-p', port, host]
++ destination = ['-p', port, '--', host]
+ else:
+- destination = [dest]
++ destination = ['--', dest]
+
+ return (
+ 'ssh', *ssh_opts, *destination, shlex.join(cmd)
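Review bot: both branches now place '--' directly in front of the host, and in the port branch after '-p' port, so ssh still parses the port before option parsing is terminated; this is the right order. Since the heuristic described in the commit message (arguments starting with '-' but containing a space being taken as positionals) is what lets such a value reach this function, a small regression test asserting that via_ssh(...) returns an argv in which the element following '--' equals the stripped host, for both the bracketed IPv6 and the plain form, would guard against the terminator being reordered later.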
+diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
+index 3574189..6fd75be 100644
+--- a/src/ws/cockpitauth.c
++++ b/src/ws/cockpitauth.c
+@@ -51,7 +51,7 @@
+
+ /* we only support beibooting machines with a known/vetted OS, as it's
impossible to guarantee
+ * forward compatibility for all pages */
+-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m
cockpit.beiboot --remote-bridge=supported";
++const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m
cockpit.beiboot --remote-bridge=supported --";
+
+ /* Some tunables that can be set from tests */
+ const gchar *cockpit_ws_session_program = NULL;
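Review bot: this '--' is consumed by cockpit.beiboot's argparse, not by ssh, and it only closes the gap described in the commit message if the hostname is appended to the argv as a separate element after cockpit_ws_ssh_program has been split into words; that call site is outside this hunk, so it is worth confirming in review that the host lands as the argument immediately following '--' rather than being joined into this string.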
--- End Message ---
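As an added illustration (not cockpit's or ferny's code), the two mechanisms the request above relies on, in runnable form: argparse's space heuristic from cpython issue 66623, which lets a `-`-prefixed destination reach the ssh argv, and the patched argv shape with `--` directly before the host. `beiboot_destination` and `build_ssh_argv` are hypothetical stand-ins for cockpit.beiboot's parser and its `via_ssh()`, and the port-syntax handling is a constructed simplification.

```python
"""Added illustration, not cockpit's or ferny's code: argparse's space heuristic
(cpython issue 66623) and the hardened ssh argv with '--' before the host."""
import argparse
import contextlib
import io
import shlex
from typing import List, Optional, Sequence


def beiboot_destination(argv: Sequence[str]) -> Optional[str]:
    """Hypothetical stand-in for cockpit.beiboot's CLI: one --remote-bridge
    option plus a positional destination.  Returns the parsed destination,
    or None when argparse rejects the command line."""
    parser = argparse.ArgumentParser(prog='cockpit.beiboot', exit_on_error=False)
    parser.add_argument('--remote-bridge', choices=['supported', 'always'])
    parser.add_argument('destination')
    try:
        with contextlib.redirect_stderr(io.StringIO()):  # silence usage output
            return parser.parse_args(list(argv)).destination
    except (SystemExit, argparse.ArgumentError):
        return None


def build_ssh_argv(cmd: Sequence[str], dest: str, *ssh_opts: str) -> List[str]:
    """Mirror of the patched via_ssh() shape: ssh options first, then any
    -p PORT, then '--', then the host, then the remote command as one word.
    "host:port" and "[v6]:port" handling is a constructed simplification."""
    if dest.startswith('[') and ']:' in dest:
        host, _, port = dest[1:].partition(']:')      # strip [] IPv6 brackets
        destination = ['-p', port, '--', host]
    elif dest.count(':') == 1:
        host, _, port = dest.partition(':')
        destination = ['-p', port, '--', host]
    else:
        destination = ['--', dest]
    return ['ssh', *ssh_opts, *destination, shlex.join(cmd)]


def host_after_terminator(argv: Sequence[str]) -> Optional[str]:
    """Defender's check: the element ssh will take as the destination is the
    one right after the first '--'; None when the argv has no terminator."""
    args = list(argv)
    try:
        return args[args.index('--') + 1]
    except ValueError:
        return None
```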
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---