Your message dated Thu, 07 Mar 2019 21:32:24 +0000
with message-id <[email protected]>
and subject line Bug#923486: fixed in openssh 1:7.4p1-10+deb9u6
has caused the Debian Bug report #923486,
regarding CVE-2019-6111 not fixed, file transfer of unwanted files by malicious
SSH server still possible
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
923486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923486
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssh
Version: 1:7.9p1-7
Severity: important
Tags: security
Control: found -1 1:7.9p1-6
Control: found -1 1:7.4p1-10+deb9u5
Control: found -1 1:6.7p1-5+deb8u7
Hi,
while working on a fixed openssh version for Debian jessie LTS regarding
CVE-2019-6110
CVE-2019-6111
CVE-2018-20685
after several checks, code readings, double checking, I am pretty sure
that CVE-2019-6111 is still not yet fixed. Neither in Debian, nor
openssh upstream (though I haven't tested that, only from code
readings I assume that).
What I tested this with is this piece of Python code:
https://www.exploit-db.com/exploits/46193
In fact, the sshtranger_things.py script needs a little bit of
patching, to not throw unwanted exceptions:
```
--- sshtranger_things.py.orig 2019-02-28 21:48:41.868955825 +0100
+++ sshtranger_things.py 2019-02-28 20:47:01.456096511 +0100
@@ -85,7 +85,10 @@
return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
def check_channel_exec_request(self, channel, command):
- command = command.decode('ascii')
+ try:
+ command = command.decode('ascii')
+ except:
+ pass
logging.info('Approving exec request: %s', command)
parts = command.split(' ')
# Make sure that this is a request to get a file:
```
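Review bot: the bare `except:` followed by `pass` in `check_channel_exec_request` hides every failure, not only the decode error it is meant to tolerate. If `command` arrives as bytes that are not valid ASCII it stays bytes, so the later `command.split(' ')` raises a TypeError on Python 3 instead. Catch only the expected exceptions (for example `AttributeError` when `command` is already a str, and `UnicodeDecodeError`), or decode only when `isinstance(command, bytes)` and pass `errors='replace'`, so that `logging.info` and the split always receive a str.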
Can someone please double-check this with a second pair of eyes? I
guess this needs to be communicated back to upstream. Can this be
handled by the security team and/or the package maintainers?
Thanks+Greets,
Mike
--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u6
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 01 Mar 2019 17:19:28 +0100
Source: openssh
Architecture: source
Version: 1:7.4p1-10+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 923486
Changes:
openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Apply upstream patch to make scp handle shell-style brace expansions
when checking that filenames sent by the server match what the client
requested (closes: #923486).
--- End Message ---
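The filename check described in the changelog entry above, sketched as an added example (not code from the messages in this thread and not OpenSSH's own implementation): braces in the requested path are expanded first, and a name sent by the server is accepted only if it matches the last component of one of the resulting patterns. The function names and sample paths are assumptions made for illustration, and Python's `fnmatch` stands in for the C library matcher.

```python
import fnmatch

def expand_braces(pattern):
    """Expand shell-style {a,b} alternations (nesting allowed) into plain patterns."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth, commas, end = 0, [], -1
    for i in range(start, len(pattern)):
        ch = pattern[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                end = i
                break
        elif ch == "," and depth == 1:
            commas.append(i)
    if end == -1 or not commas:
        # Unbalanced brace or no alternatives: keep this "{" literal, expand the rest.
        return [pattern[:start + 1] + rest for rest in expand_braces(pattern[start + 1:])]
    bounds = [start] + commas + [end]
    out = []
    for lo, hi in zip(bounds, bounds[1:]):
        # Substitute one alternative and recurse to handle nested or later groups.
        out.extend(expand_braces(pattern[:start] + pattern[lo + 1:hi] + pattern[end + 1:]))
    return out

def filename_allowed(requested_path, sent_name):
    """True if a server-supplied name matches what the client asked for."""
    # The server must send a bare file name, never a path or a dot entry.
    if "/" in sent_name or sent_name in ("", ".", ".."):
        return False
    # Expand braces first, then compare against the last component of each result.
    patterns = [p.rsplit("/", 1)[-1] for p in expand_braces(requested_path)]
    return any(fnmatch.fnmatchcase(sent_name, p) for p in patterns)

if __name__ == "__main__":
    requested = "logs/{app,db}.log"  # constructed sample request
    # Constructed server replies: two requested files, two that were never asked for.
    for name in ["app.log", "db.log", ".bashrc", "../app.log"]:
        print(name, "->", "accept" if filename_allowed(requested, name) else "reject")
```

Without the expansion step, a plain glob match of `app.log` against `{app,db}.log` fails, so a strict client would refuse files it had legitimately requested.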