Bug#873088: git-annex security issue backports
On Oct/26, Antoine Beaupré wrote: > Right, how does that look then? > > https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04 Nah, +deb8u1 ;) > Then I can just upload this to security-master? Yep. Cheers, --Seb
Bug#873088: git-annex security issue backports
On 2017-10-26 11:14:34, Sébastien Delafond wrote: > On Oct/26, Antoine Beaupré wrote: >> I have also backported joey's patch to jessie. It was simpler than >> wheezy because the code is much more similar. The resulting patch is >> available here: >> >> https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 >> >> As expected, the patch Joey provided applies fine on stretch and >> should be applied and uploaded as-is. This time, it's in >> debian/patches because the package is non-native since stretch: >> >> https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d >> >> I can do the upload if you authorize me. The above are not *exactly* >> debdiffs, but they are pretty close, so I hope that's sufficient for >> review. > > Thank you for backporting those. > > For the jessie debdiff, please change the version to 5.20141125+deb8u1, > and target jessie-security. The stretch one looks good as is. > > Make sure you build both with -sa, and then you can upload. Right, how does that look then? https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04 Then I can just upload this to security-master? A. -- In god we trust, others pay cash. - Richard Desjardins, Miami
Bug#873088: git-annex security issue backports
On Oct/26, Antoine Beaupré wrote: > I have also backported joey's patch to jessie. It was simpler than > wheezy because the code is much more similar. The resulting patch is > available here: > > https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 > > As expected, the patch Joey provided applies fine on stretch and > should be applied and uploaded as-is. This time, it's in > debian/patches because the package is non-native since stretch: > > https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d > > I can do the upload if you authorize me. The above are not *exactly* > debdiffs, but they are pretty close, so I hope that's sufficient for > review. Thank you for backporting those. For the jessie debdiff, please change the version to 5.20141125+deb8u1, and target jessie-security. The stretch one looks good as is. Make sure you build both with -sa, and then you can upload. Cheers, --Seb
Bug#873088: git-annex security issue backports
On 2017-10-23 09:26:28, Antoine Beaupré wrote: >> What's the status? > > I'm resuming work on this now, and I'll see how I can backport this to > wheezy, which should helpfully give some help/nudge to the jessie > version as well. Hi, I have pushed DLA-1144-1 for git-annex in wheezy after summary tests. I have also backported joey's patch to jessie. It was simpler than wheezy because the code is much more similar. The resulting patch is available here: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 As expected, the patch Joey provided applies fine on stretch and should be applied and uploaded as-is. This time, it's in debian/patches because the package is non-native since stretch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d I can do the upload if you authorize me. The above are not *exactly* debdiffs, but they are pretty close, so I hope that's sufficient for review. A. -- In serious work commanding and discipline are of little avail. - Peter Kropotkin
Bug#873088: git-annex security issue backports
On 2017-10-12 20:53:13, Moritz Mühlenhoff wrote: > On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote: >> Hi Antoine, >> >> On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote: >> > Hi again, >> > >> > I reached out to joeyh to see how we could backport git-annex security >> > patches to wheezy. He responded by sharing the attached patch he sent to >> > the git-annex maintainer that backports the fixes to stretch. I figured >> > it would be useful for the core secteam to have visibilty on this... >> > >> > He also validated the approach i suggested of "grep for ssh and backport >> > the SshHost construct" to fix the issue in earlier version. >> >> Thanks. Indeed we were already in contact with Richard. >> >> Richard, friendly ping, did you had a chance to continue working on >> the jessie- and stretch-security upload? > > What's the status? I'm resuming work on this now, and I'll see how I can backport this to wheezy, which should helpfully give some help/nudge to the jessie version as well. A. -- It is a miracle that curiosity survives formal education - Albert Einstein
Bug#873088: git-annex security issue backports
On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote: > Hi Antoine, > > On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote: > > Hi again, > > > > I reached out to joeyh to see how we could backport git-annex security > > patches to wheezy. He responded by sharing the attached patch he sent to > > the git-annex maintainer that backports the fixes to stretch. I figured > > it would be useful for the core secteam to have visibilty on this... > > > > He also validated the approach i suggested of "grep for ssh and backport > > the SshHost construct" to fix the issue in earlier version. > > Thanks. Indeed we were already in contact with Richard. > > Richard, friendly ping, did you had a chance to continue working on > the jessie- and stretch-security upload? What's the status? Cheers, Moritz
Bug#873088: git-annex security issue backports
Hi Antoine, On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote: > Hi again, > > I reached out to joeyh to see how we could backport git-annex security > patches to wheezy. He responded by sharing the attached patch he sent to > the git-annex maintainer that backports the fixes to stretch. I figured > it would be useful for the core secteam to have visibilty on this... > > He also validated the approach i suggested of "grep for ssh and backport > the SshHost construct" to fix the issue in earlier version. Thanks. Indeed we were already in contact with Richard. Richard, friendly ping, did you had a chance to continue working on the jessie- and stretch-security upload? Regards, Salvatore
Bug#873088: git-annex security issue backports
Hi again, I reached out to joeyh to see how we could backport git-annex security patches to wheezy. He responded by sharing the attached patch he sent to the git-annex maintainer that backports the fixes to stretch. I figured it would be useful for the core secteam to have visibilty on this... He also validated the approach i suggested of "grep for ssh and backport the SshHost construct" to fix the issue in earlier version. I may look at this again tomorrow, otherwise next week. A. -- Celui qui sait jouir du peu qu'il a est toujours assez riche. - Démocrite --- Begin Message --- - Forwarded message from Joey Hess- Date: Thu, 17 Aug 2017 22:42:27 -0400 From: Joey Hess To: Richard Hartmann Subject: heads up: git-annex security hole User-Agent: NeoMutt/20170609 (1.8.3) I'll be releasing a new version of git-annex tomorrow fixing a remotely exploitable security hole, the same class of vulnerability that recently afflicted git. Patch is attached. This affects all versions of git-annex, so will need backporting. I've also attached a version of the patch that will apply cleanly to 6.20170101 in stable. -- see shy jo - End forwarded message - -- see shy jo From cb521ac529f7072ed94d5cece78a098eac1aa715 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 17 Aug 2017 22:39:23 -0400 Subject: [PATCH] (stable) avoid the dashed ssh hostname class of security holes Security fix: Disallow hostname starting with a dash, which would get passed to ssh and be treated an option. This could be used by an attacker who provides a crafted ssh url (for eg a git remote) to execute arbitrary code via ssh -oProxyCommand. No CVE has yet been assigned for this hole. The same class of security hole recently affected git itself, CVE-2017-1000117. Method: Identified all places where ssh is run, by git grep '"ssh"' Converted them all to use a SshHost, if they did not already, for specifying the hostname. SshHost was made a data type with a smart constructor, which rejects hostnames starting with '-'. Note that git-annex already contains extensive use of Utility.SafeCommand, which fixes a similar class of problem where a filename starting with a dash gets passed to a program which treats it as an option. --- Annex/Ssh.hs | 15 +++- Assistant/Pairing/MakeRemote.hs | 4 ++-- Assistant/Ssh.hs | 11 + Assistant/WebApp/Configurators/Ssh.hs | 44 +-- CHANGELOG | 10 Remote/Ddar.hs| 10 Remote/GCrypt.hs | 6 +++-- Remote/Helper/Ssh.hs | 8 +-- Remote/Rsync.hs | 4 +++- Utility/SshHost.hs| 29 +++ git-annex.cabal | 1 + 11 files changed, 98 insertions(+), 44 deletions(-) create mode 100644 Utility/SshHost.hs diff --git a/Annex/Ssh.hs b/Annex/Ssh.hs index 512f0375c..6bd1eeb32 100644 --- a/Annex/Ssh.hs +++ b/Annex/Ssh.hs @@ -34,6 +34,7 @@ import Config import Annex.Path import Utility.Env import Utility.FileSystemEncoding +import Utility.SshHost import Types.CleanupActions import Git.Env #ifndef mingw32_HOST_OS @@ -43,7 +44,7 @@ import Annex.LockPool {- Generates parameters to ssh to a given host (or user@host) on a given - port. This includes connection caching parameters, and any ssh-options. -} -sshOptions :: (String, Maybe Integer) -> RemoteGitConfig -> [CommandParam] -> Annex [CommandParam] +sshOptions :: (SshHost, Maybe Integer) -> RemoteGitConfig -> [CommandParam] -> Annex [CommandParam] sshOptions (host, port) gc opts = go =<< sshCachingInfo (host, port) where go (Nothing, params) = ret params @@ -60,7 +61,7 @@ sshOptions (host, port) gc opts = go =<< sshCachingInfo (host, port) {- Returns a filename to use for a ssh connection caching socket, and - parameters to enable ssh connection caching. -} -sshCachingInfo :: (String, Maybe Integer) -> Annex (Maybe FilePath, [CommandParam]) +sshCachingInfo :: (SshHost, Maybe Integer) -> Annex (Maybe FilePath, [CommandParam]) sshCachingInfo (host, port) = go =<< sshCacheDir where go Nothing = return (Nothing, []) @@ -201,9 +202,10 @@ forceStopSsh socketfile = do - of the path to a socket file. At the same time, it needs to be unique - for each host. -} -hostport2socket :: String -> Maybe Integer -> FilePath -hostport2socket host Nothing = hostport2socket' host -hostport2socket host (Just port) = hostport2socket' $ host ++ "!" ++ show port +hostport2socket :: SshHost -> Maybe Integer -> FilePath +hostport2socket host Nothing = hostport2socket' $ fromSshHost host +hostport2socket host (Just port) = hostport2socket' $ + fromSshHost host ++ "!" ++ show port hostport2socket' :: String -> FilePath hostport2socket' s | length s >