Debian Bug report logs - #919101

openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions

Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 12 Jan 2019 17:33:04 UTC
Severity: important
Tags: patch, security, upstream
Found in versions: openssh/1:7.4p1-10, openssh/1:7.9p1-4, openssh/1:7.4p1-10+deb9u4
Fixed in versions: openssh/1:7.9p1-5, openssh/1:7.4p1-10+deb9u5
Done: Yves-Alexis Perez <corsac@debian.org>
Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> :

Bug#919101; Package src:openssh. (Sat, 12 Jan 2019 17:33:07 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org> :

New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sat, 12 Jan 2019 17:33:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions
Date: Sat, 12 Jan 2019 18:02:33 +0100

Source: openssh
Version: 1:7.9p1-4
Severity: important
Tags: patch security upstream
Control: found -1 1:7.4p1-10
Control: found -1 1:7.4p1-10+deb9u4

Hi,

The following vulnerability was published for openssh.

CVE-2018-20685[0]:
| In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to
| bypass intended access restrictions via the filename of . or an empty
| filename.

More information is found in [1], where upstream fixed it in [2].

There are related issues described in [1] which I explicitly do not track in this bug as they are not yet addressed upstream (and I did not want to mix reports). They are described in [1] as issues #2, #3 and #4 and got their own CVEs (CVE-2019-6109, CVE-2019-6110, CVE-2019-6111). Not sure if upstream intends to address those as well. The described vulnerabilities would require that a victim accepts the wrong host fingerprint, though, of a man-in-the-middle attacker server.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20685
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
[1] https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
[2] https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
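As an added illustration of the check this report is about (example code written for this page, not OpenSSH's scp.c and not the Debian or upstream patch), the following C program parses a constructed scp protocol record of the form the server sends for each file (`C<mode> <size> <name>`) or directory (`D<mode> <size> <name>`) and rejects the names the fix rejects: an empty name, `.`, `..`, and anything containing a slash. The function names `scp_parse_record`, `scp_incoming_name_ok` and `scp_accept_record` are the example's own. It goes one step beyond this CVE by also accepting an optional glob pattern and requiring the server-supplied name to match it, the kind of client-side wildcard check that the later stretch changelog on this page lists for CVE-2019-6111.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OpenSSH code): decide whether a file name that a
 * remote scp server sent in a C or D record may be used to create a local
 * path. Returns 1 if the name is acceptable, 0 otherwise. */
int scp_incoming_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')      /* empty name (CVE-2018-20685) */
        return 0;
    if (strchr(name, '/') != NULL)          /* a slash would leave the target dir */
        return 0;
    if (strcmp(name, ".") == 0)             /* "." targets the directory itself */
        return 0;
    if (strcmp(name, "..") == 0)            /* ".." targets the parent */
        return 0;
    return 1;
}

/* Parse one record "C<octal mode> <decimal size> <name>\n" or the same with
 * a leading D. Mode and size are parsed for syntax only; the name, possibly
 * empty, is copied into out (outlen bytes) so the caller can validate it.
 * Returns 1 on a well-formed record, 0 on a malformed one. */
int scp_parse_record(const char *line, char *out, size_t outlen)
{
    if (line == NULL || (line[0] != 'C' && line[0] != 'D'))
        return 0;
    const char *p = line + 1;
    char *end;
    unsigned long mode = strtoul(p, &end, 8);
    (void)mode;
    if (end == p || *end != ' ')
        return 0;
    p = end + 1;
    unsigned long long size = strtoull(p, &end, 10);
    (void)size;
    if (end == p || *end != ' ')
        return 0;
    p = end + 1;
    size_t n = strcspn(p, "\n");            /* name runs up to the newline */
    if (n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Full sink-side decision: parse, validate the name structurally and, when
 * the user gave a glob pattern (e.g. "*.txt"), also require the name the
 * server chose to match it. pattern may be NULL. Returns 1 to act on the
 * record, 0 to refuse it. */
int scp_accept_record(const char *line, const char *pattern)
{
    char name[256];
    if (!scp_parse_record(line, name, sizeof name))
        return 0;
    if (!scp_incoming_name_ok(name))
        return 0;
    if (pattern != NULL && fnmatch(pattern, name, 0) != 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample records, as a misbehaving server might send them. */
    const char *records[] = {
        "C0644 5 hello.txt\n",      /* legitimate */
        "C0644 5 \n",               /* empty name */
        "C0644 5 .\n",              /* "." */
        "D0755 0 ..\n",             /* ".." */
        "C0644 5 ../.bashrc\n",     /* contains '/' */
        "C0600 5 id_rsa\n",         /* well formed, but fails the *.txt pattern */
    };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++) {
        int len = (int)strcspn(records[i], "\n");
        printf("%-20.*s -> %s\n", len, records[i],
               scp_accept_record(records[i], "*.txt") ? "accept" : "reject");
    }
    return 0;
}
```

Running the program prints one line per constructed record; only `hello.txt` is accepted against the `*.txt` pattern. Keeping the structural check separate from the pattern check matters: the pattern is optional and user-supplied, while the empty, `.`, `..` and slash rejections apply to every incoming name regardless of what the user typed.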

Marked as found in versions openssh/1:7.4p1-10. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 12 Jan 2019 17:33:07 GMT)

Marked as found in versions openssh/1:7.4p1-10+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 12 Jan 2019 17:33:07 GMT)

Message sent on to Salvatore Bonaccorso <carnil@debian.org> :

Bug#919101. (Sat, 12 Jan 2019 18:51:08 GMT)

Message #12 received at 919101-submitter@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 919101-submitter@bugs.debian.org
Subject: Bug #919101 in openssh marked as pending
Date: Sat, 12 Jan 2019 18:50:05 +0000

Control: tag -1 pending

Hello,

Bug #919101 in openssh reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/ssh-team/openssh/commit/7e34cc252e1c42369aaaa8e1c379699ccf8c9e0e

------------------------------------------------------------------------
scp: disallow empty incoming filename or "."

Closes: #919101
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/919101

Added tag(s) pending. Request was from Colin Watson <cjwatson@debian.org> to 919101-submitter@bugs.debian.org. (Sat, 12 Jan 2019 18:51:08 GMT)

Reply sent to Colin Watson <cjwatson@debian.org> :

You have taken responsibility. (Sun, 13 Jan 2019 11:39:11 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org> :

Bug acknowledged by developer. (Sun, 13 Jan 2019 11:39:11 GMT)

Message #19 received at 919101-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 919101-close@bugs.debian.org
Subject: Bug#919101: fixed in openssh 1:7.9p1-5
Date: Sun, 13 Jan 2019 11:34:35 +0000

Source: openssh
Source-Version: 1:7.9p1-5

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 919101@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 13 Jan 2019 11:22:45 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server openssh-tests ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.9p1-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 858050 917342 919101
Changes:
 openssh (1:7.9p1-5) unstable; urgency=high
 .
   * Move /etc/ssh/moduli to openssh-server, since it's reasonably large and
     only used by sshd (closes: #858050).
   * Drop obsolete alternate build-dependency on libssl1.0-dev (closes:
     #917342).
   * CVE-2018-20685: Apply upstream scp patch to disallow empty incoming
     filename or ones that refer to the current directory (closes: #919101).
Checksums-Sha1:
 56030638b63a0eabce49d3bc2ec8c2678353a737 3161 openssh_7.9p1-5.dsc
 80820a167f8e3c44dae97654b0b7d26f5258330d 164044 openssh_7.9p1-5.debian.tar.xz
 1c498fcf40f73d2247b2c30e28d9d657ff74504f 15036 openssh_7.9p1-5_source.buildinfo
Checksums-Sha256:
 44303f4d41790bcc973ef1c5c8b70ed78fbcbfeed9f356e2c1d3b656ffeaf0f6 3161 openssh_7.9p1-5.dsc
 f2fb52ee1d4c31d36ff985d1abb297d0640fc3a8919cac7495d4cf9265e63ce6 164044 openssh_7.9p1-5.debian.tar.xz
 e2637a17039b25090103c00f0ee66f262cfcaa63451ca5892d0c75ccc063b5da 15036 openssh_7.9p1-5_source.buildinfo
Files:
 358f18fc048e1de456a819c2642c3f2b 3161 net standard openssh_7.9p1-5.dsc
 5c59b88d1b520342bb945962c2002793 164044 net standard openssh_7.9p1-5.debian.tar.xz
 a32d80ccd3a0673d480f10c6f33f35b7 15036 net standard openssh_7.9p1-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlw7H5MACgkQOTWH2X2G
UAvIGA/+K94glNrQzGIILQIUzZTWBqmqyizYm8/WHN7OcwkGkWJQKStq69Zzr3S+
QIDSlKyG0kPbJjC+PnhHvXQPNH2GtUaS4wYf+TcGVSVTOFngLo9snr8fZNOlkhFv
P1iMeeUHrq1Efy7JWS3kz73ymbb0cczd/Znuemy4H2JcscKIq0/YIdOo60sGguYu
/ph/38WkZyideQykjTNxDE1moT3j84XSFZ9Li6xcFUzUxuzXzZ8q0fYClSA2ROgP
VTQSjODd/+D2PeldV3O4m/tk8XxPkp5LFThWTiFbSRjhetyvJCqh7nqskoltC9TL
UqB5hnwGhBzk6tu7M96RER1ZwGBpZp/ciU7DnhTpeiJm0eR5KTCXQn4o28X8b+Ab
RhSqdBi81mxiNaIiQu0vmydjBDQbZ4VZhLHp0hKxnp3zvZI/qmHQv8+TRHPTPXk7
xv0hRw8K2WJO6vCEglMg5+9vfUgyfBveh+H0W2Y5HW/1PMoc8hV7YlLgTiL8hzrb
xJjSs84u0qTyzcS7FuN+xVljQ10iUKLr6PumdJWS80nH4uQ/Ykh9V1reS+Vx/euW
uqIJybKjFUlH2oCVhtTTWwRZsY//260u71Z1FN2T/Ham1telawOa3TqF4n03RMi4
E7FkRW6emZU6T5CqCsJkAzBHVZbjLASX3jgS4nh4WWNLWMqnezU=
=2wRG
-----END PGP SIGNATURE-----

Reply sent to Yves-Alexis Perez <corsac@debian.org> :

You have taken responsibility. (Sat, 09 Feb 2019 21:51:46 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org> :

Bug acknowledged by developer. (Sat, 09 Feb 2019 21:51:46 GMT)

Message #24 received at 919101-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 919101-close@bugs.debian.org
Subject: Bug#919101: fixed in openssh 1:7.4p1-10+deb9u5
Date: Sat, 09 Feb 2019 21:47:35 +0000

Source: openssh
Source-Version: 1:7.4p1-10+deb9u5

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 919101@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Feb 2019 15:25:55 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-10+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5 - secure shell client and server (transitional package)
Closes: 793412 919101
Changes:
 openssh (1:7.4p1-10+deb9u5) stretch; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-20685: disallow empty filenames or ones that refer to the
     current directory (Closes: #919101)
   * CVE-2019-6109: sanitize scp filenames via snmprintf (Closes: #793412)
   * CVE-2019-6111: check in scp client that filenames sent during
     remote->local directory copies satisfy the wildcards specified by the
     user
Checksums-Sha1:
 2d038f4859239b51adbee98682205f463261b664 2579 openssh_7.4p1-10+deb9u5.dsc
 72bea04dd41ffc65144ab64ac403736a22f39c2a 168672 openssh_7.4p1-10+deb9u5.debian.tar.xz
Checksums-Sha256:
 ee597af8d79c7d06c861d6b93c0a0815043bb3af38610a1fccc75586025cdf26 2579 openssh_7.4p1-10+deb9u5.dsc
 9f7c9e08e1a3b4dfe974a700be18919c2f03e6e22d1284999c101147d2f636f7 168672 openssh_7.4p1-10+deb9u5.debian.tar.xz
Files:
 17d02f62aa25e2294dfd4c66ac32a57b 2579 net standard openssh_7.4p1-10+deb9u5.dsc
 7cc33cd435d3811e856ba631724620da 168672 net standard openssh_7.4p1-10+deb9u5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlxeupoACgkQ3rYcyPpX
RFtqTQgA5zlaJqHdhZx9zHnYHT+oKswV+A06XwgFieQXMeqNlSaPidSv0m+vzYAD
UP3cBeC6Sse8beVtdkngCr+SzHWtAePxgL1pmS/9fY9B0Jl9iJQ6X8D3wYnAZhFa
Gde7vHkeUMg8ToVPnxQ+hsCkwQ85mqj60r489udBePcbXFQhziiUZzYxUcq3/t8O
hc4134tfl2BhCWwMrI/gvFd/daqrWm6S0drL/CnUS3LJ+5DvQJq68nS+K2Nq3Q3h
REddZ8XZSQIokw0TswFELsCWGI+RflxxQmvzRs+NUugLjGLSosV4fXroh5QjMTZs
C02dEH/xsY+1MWGuBn9v5cIUw8hGJw==
=lF3o
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Mar 2019 07:25:09 GMT)
