CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible

Related Vulnerabilities: CVE-2019-6111   CVE-2019-6110   CVE-2018-20685   CVE-2019-6109  

Debian Bug report logs - #923486

Reported by: Mike Gabriel <sunweaver@debian.org>

Date: Thu, 28 Feb 2019 20:57:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions openssh/1:7.4p1-10+deb9u5, openssh/1:7.9p1-6, openssh/1:7.9p1-7, openssh/1:6.7p1-5+deb8u7

Fixed in versions openssh/1:7.9p1-9, openssh/1:7.4p1-10+deb9u6

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Thu, 28 Feb 2019 20:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <sunweaver@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 28 Feb 2019 20:57:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <sunweaver@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Thu, 28 Feb 2019 20:54:51 +0000
[Message part 1 (text/plain, inline)]
Source: openssh
Version: 1:7.9p1-7
Severity: important
Tags: security
Control: found -1 1:7.9p1-6
Control: found -1 1:7.4p1-10+deb9u5
Control: found -1 1:6.7p1-5+deb8u7

Hi,

while working on a fixed openssh version for Debian jessie LTS regarding

  CVE-2019-6110
  CVE-2019-6111
  CVE-2018-20685

after several checks, code readings, double checking, I am pretty sure  
that CVE-2019-6111 is still not yet fixed. Neither in Debian, nor  
openssh upstream (though I haven't tested that, only from code  
readings I assume that).

What I tested this with is this piece of Python code:
https://www.exploit-db.com/exploits/46193

In fact, the sshtranger_things.py script needs a little bit of  
patching, to not throw unwanted exceptions:

```
--- sshtranger_things.py.orig	2019-02-28 21:48:41.868955825 +0100
+++ sshtranger_things.py	2019-02-28 20:47:01.456096511 +0100
@@ -85,7 +85,10 @@
         return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

     def check_channel_exec_request(self, channel, command):
-        command = command.decode('ascii')
+        try:
+            command = command.decode('ascii')
+        except:
+            pass
         logging.info('Approving exec request: %s', command)
         parts = command.split(' ')
         # Make sure that this is a request to get a file:
```
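
Review bot: the bare `except: pass` added at the top of check_channel_exec_request leaves `command` as the original bytes object whenever the ASCII decode fails, so the unchanged `command.split(' ')` two lines later raises TypeError (bytes.split() wants a bytes separator); the exception is moved, not removed. Catch UnicodeDecodeError specifically and either decode with a fallback, e.g. `command = command.decode('utf-8', errors='replace')`, or return False to reject the exec request. A bare `except:` also swallows KeyboardInterrupt and SystemExit, which makes the test server hard to stop.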

Can someone please double-check this with a second pair of eyes? I  
guess this needs to be communicated back to upstream. Can this be  
handled by the security team and/or the package maintainers?

Thanks+Greets,
Mike
-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

[Message part 2 (application/pgp-signature, inline)]

Marked as found in versions openssh/1:7.9p1-6. Request was from Mike Gabriel <sunweaver@debian.org> to submit@bugs.debian.org. (Thu, 28 Feb 2019 20:57:04 GMT) (full text, mbox, link).


Marked as found in versions openssh/1:7.4p1-10+deb9u5. Request was from Mike Gabriel <sunweaver@debian.org> to submit@bugs.debian.org. (Thu, 28 Feb 2019 20:57:05 GMT) (full text, mbox, link).


Marked as found in versions openssh/1:6.7p1-5+deb8u7. Request was from Mike Gabriel <sunweaver@debian.org> to submit@bugs.debian.org. (Thu, 28 Feb 2019 20:57:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Thu, 28 Feb 2019 21:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 28 Feb 2019 21:45:02 GMT) (full text, mbox, link).


Message #16 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mike Gabriel <sunweaver@debian.org>, 923486@bugs.debian.org
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Thu, 28 Feb 2019 22:43:26 +0100
Hi

Unchecked yet, but there was a related follow up commit upstream as
per https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Thu, 28 Feb 2019 21:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <sunweaver@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 28 Feb 2019 21:54:06 GMT) (full text, mbox, link).


Message #21 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <sunweaver@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 923486@bugs.debian.org
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Thu, 28 Feb 2019 21:49:57 +0000
[Message part 1 (text/plain, inline)]
Hi Salvatore,

On  Do 28 Feb 2019 22:43:26 CET, Salvatore Bonaccorso wrote:

> Hi
>
> Unchecked yet, but there was a related follow up commit upstream as
> per  
> https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
>
> Regards,
> Salvatore

will rebase that against my jessie version and try it out tomorrow.

Thanks!
Mike
-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

[Message part 2 (application/pgp-signature, inline)]

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Feb 2019 22:06:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Thu, 28 Feb 2019 22:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 28 Feb 2019 22:09:02 GMT) (full text, mbox, link).


Message #28 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 923486@bugs.debian.org
Cc: Mike Gabriel <sunweaver@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Thu, 28 Feb 2019 23:05:37 +0100
[Message part 1 (text/plain, inline)]
Hi

Attached the patch and debdiff for unstable which fixes this issue.

Colin, but please double check if this is enough. A server which sends
an additional malicious file is blocked by that (and the patch is not
following git-dpm workflow as I'm unfamiliar with it).

dummy@sid:~$ scp -P 2222 foo@localhost:test.txt .
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:BCYLeKMU5zuQ/Xd2Xc8sur4Mp7pQTMHcpwQkfAAmeXM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
foo@localhost's password: 
test.txt                                              100%   32     0.7KB/s   00:00    
protocol error: filename does not match request
dummy@sid:~$

Regards,
Salvatore
[openssh_7.9p1-8.1.debdiff (text/plain, attachment)]
[upstream-when-checking-that-filenames-sent-by-the-se.patch (text/x-diff, attachment)]
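
The check behind the `protocol error: filename does not match request` line above, as an added example: this is not the upstream patch or the debdiff attached here, but a self-contained C re-implementation of the same idea, which is to keep the basename of the requested path, expand shell-style `{a,b}` alternations into plain glob patterns, and fnmatch(3) every name the server announces against them. The brace expander is a simplified version written for this example, not upstream's brace_expand(); the request and the server's answers in main() are constructed.

```c
/*
 * Added example (not the upstream scp.c change and not code from this bug
 * report): the shape of the client-side check OpenSSH gave scp's receive
 * path for CVE-2019-6111. Keep the basename of what was asked for, expand
 * {a,b} alternations into glob patterns, refuse any name the server sends
 * that fnmatch(3)es none of them. expand_braces() is a simplified version.
 */
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERNS 64

/* Append a heap copy of s to list; -1 when the list is full or strdup fails. */
static int add_pattern(char **list, size_t *n, const char *s)
{
    if (*n >= MAX_PATTERNS || (list[*n] = strdup(s)) == NULL)
        return -1;
    (*n)++;
    return 0;
}

/* Rewrite the first {..} group of pat into one pattern per alternative and
   recurse: "file{a,b}{c,d}" -> fileac filead filebc filebd. Nested groups
   are handled; an unbalanced brace is kept as a literal character. */
static int expand_braces(const char *pat, char **list, size_t *n)
{
    const char *open = strchr(pat, '{'), *close, *alt_start, *p;
    size_t depth = 0, prefix_len, suffix_len, alt_len;
    char *np;

    if (open == NULL)
        return add_pattern(list, n, pat);
    for (close = open; *close != '\0'; close++) {
        if (*close == '{')
            depth++;
        else if (*close == '}' && --depth == 0)
            break;
    }
    if (*close == '\0')
        return add_pattern(list, n, pat);

    prefix_len = (size_t)(open - pat);
    suffix_len = strlen(close + 1);
    alt_start = open + 1;
    for (depth = 0, p = open + 1; p <= close; p++) {
        if (*p == '{') {
            depth++;
        } else if (*p == '}' && p != close) {
            depth--;
        } else if (p == close || (*p == ',' && depth == 0)) {
            alt_len = (size_t)(p - alt_start);
            if ((np = malloc(prefix_len + alt_len + suffix_len + 1)) == NULL)
                return -1;
            memcpy(np, pat, prefix_len);
            memcpy(np + prefix_len, alt_start, alt_len);
            memcpy(np + prefix_len + alt_len, close + 1, suffix_len + 1);
            if (expand_braces(np, list, n) != 0) {
                free(np);
                return -1;
            }
            free(np);
            alt_start = p + 1;
        }
    }
    return 0;
}

/* 1 if `received` (the name in the server's C or D directive) is an acceptable
   answer to the request `src`, else 0. Only the request's basename is compared
   since the server sends bare names; "/" in the name, "." and ".." are refused. */
int filename_matches_request(const char *src, const char *received)
{
    char *patterns[MAX_PATTERNS];
    size_t n = 0, i;
    const char *base = strrchr(src, '/');
    int ok = 0;

    base = (base == NULL) ? src : base + 1;
    if (strchr(received, '/') != NULL ||
        strcmp(received, ".") == 0 || strcmp(received, "..") == 0)
        return 0;
    if (expand_braces(base, patterns, &n) == 0)   /* any error fails closed */
        for (i = 0; i < n && !ok; i++)
            ok = (fnmatch(patterns[i], received, 0) == 0);
    for (i = 0; i < n; i++)
        free(patterns[i]);
    return ok;
}

int main(void)
{
    /* Constructed scenario: the client ran `scp host:test.txt .`; a malicious
       server announces test.txt and then a file that was never requested. */
    const char *sent[] = { "test.txt", ".bash_aliases" };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%-14s -> %s\n", sent[i],
               filename_matches_request("test.txt", sent[i]) ? "accepted"
               : "protocol error: filename does not match request");
    return 0;
}
```

The check narrows the attack surface rather than closing it: a request such as `scp host:'*' .` accepts any bare name the server chooses, and a server whose glob expansion differs from the client's will be refused legitimate files, which is why upstream later added a `-T` option to scp to turn the filtering off. What it does stop is the exploit scenario in this report, where the server appends a file the client never asked for.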

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Feb 2019 22:12:02 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Mar 2019 06:57:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Fri, 01 Mar 2019 12:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 01 Mar 2019 12:27:05 GMT) (full text, mbox, link).


Message #37 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 923486@bugs.debian.org
Cc: Mike Gabriel <sunweaver@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Fri, 1 Mar 2019 12:24:30 +0000
On Thu, Feb 28, 2019 at 11:05:37PM +0100, Salvatore Bonaccorso wrote:
> Colin, but please double check if this is enough. A server which sends
> an additional malicious file is blocked by that (and the patch is not
> following git-dpm workflow as I'm unfamiliar with it).

Cherry-picked as follows, given an up-to-date upstream remote:

  $ git-dpm checkout-patched
  Switched to a new branch 'patched'
  You are now in branch 'patched'
  $ git cherry-pick 3d896c157c722bc47adca51a58dca859225b5874
  error: could not apply 3d896c157... upstream: when checking that filenames sent by the server side
  hint: after resolving the conflicts, mark the corrected paths
  hint: with 'git add <paths>' or 'git rm <paths>'
  hint: and commit the result with 'git commit'
  [... resolve conflicts in scp.c ...]
  $ git add scp.c
  $ git cherry-pick --continue
  [... in the above, edit the commit message to add DEP-3 headers ...]
  $ git-dpm update-patches
  $ dch
  [... add changelog entry ...]
  $ git commit --amend
  [... amends git-dpm's merge commit to include changelog entry ...]

(You can combine the last three steps using "git-dpm dch".  I do it this
way because I normally prefer to edit debian/changelog using my normal
editor.)

And yes, it looks OK - I'll upload it to unstable shortly.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Fri, 01 Mar 2019 12:54:03 GMT) (full text, mbox, link).


Notification sent to Mike Gabriel <sunweaver@debian.org>:
Bug acknowledged by developer. (Fri, 01 Mar 2019 12:54:03 GMT) (full text, mbox, link).


Message #42 received at 923486-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: 923486-close@bugs.debian.org
Subject: Bug#923486: fixed in openssh 1:7.9p1-9
Date: Fri, 01 Mar 2019 12:50:22 +0000
Source: openssh
Source-Version: 1:7.9p1-9

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Mar 2019 12:23:36 +0000
Source: openssh
Architecture: source
Version: 1:7.9p1-9
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 923486
Changes:
 openssh (1:7.9p1-9) unstable; urgency=medium
 .
   * Apply upstream patch to make scp handle shell-style brace expansions
     when checking that filenames sent by the server match what the client
     requested (closes: #923486).
Checksums-Sha1:
 741dc3e94df0acbbc62996ebc738c888d447d0ca 3161 openssh_7.9p1-9.dsc
 7bcb465855526f695b25b6f3d00eb517284f88f6 172068 openssh_7.9p1-9.debian.tar.xz
 a42c00e6d15c98e797a8b38b02b3ee0a1d23258c 15011 openssh_7.9p1-9_source.buildinfo
Checksums-Sha256:
 32cfc26396623401cd92b06cad191c55ee8a41dba91ca012ec30412991f8233c 3161 openssh_7.9p1-9.dsc
 11972b804f024f1d7559d4a3d6be0dba61c90c6072ce3d5977c22e55f834a17b 172068 openssh_7.9p1-9.debian.tar.xz
 8078bcadae0993879047bd50640e837ffe32f4b017c6377bb6967a379d2a5ecb 15011 openssh_7.9p1-9_source.buildinfo
Files:
 ca9c0934aeaa1f52ef984f2e77507643 3161 net standard openssh_7.9p1-9.dsc
 f00ac1ae10dc47a06be2b04f2f95a6ec 172068 net standard openssh_7.9p1-9.debian.tar.xz
 8e378119ca1029e1d69feb242b2a689a 15011 net standard openssh_7.9p1-9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlx5JGUACgkQOTWH2X2G
UAs5SQ//Sat9RmhmY4dgDbb2F1r+bfrEJwS/COYjnrbD4U0gpCltFhe3cVe1hLgS
SsMGlgY8jqZVQZpv1ea89Ei5NxsSg9otkk7gC8cAn73kQY6k9CrUAd9ETt1B1XhS
MFcAnU1z/QQL9QYRwkqJ2bgXiZj/2FB5F3wVuOIJ/szGSpZAdjSWTz7tJnvFUWWY
mdb1bi5/nWVkJaiFd1mC1aLVMIFotWtChLkYMFOZ+vrYp0B3oRwst+ZkV5C0Oqmt
bnAZNzvqlWgQvNyaUrVoHW/P18F8wVme/MWzfdM+WVwW+xGWqWjY0K2EP6TBMHaJ
HUfgEM5mR7fUKaJxY4n7GU/0c/KbM0sm1+JA7VyCzngxX/jmnvRqHE0AiVtEEIP1
jM7ffX6wtZg+9i8V0gsEJP2XbbgPo2c1HXrN2IfJM2ji9sOqj12Il3uND55UYwpu
tvOJRBZvIZQUSHiKMp4FaxgrAs4LXOMxS9AfvYOfCTAVKy32DWKekmBd4EB+OGgg
2XA8ItIXKpGqUEZkQ8s5qfkJHB7yJzbDzrecbzfQ5SCl7XBTCVyEVeZ0zugh53Fm
P1qlIlAgcCqchyAdGVb88r+TBBH7cnAJV0Y+huk9qjuyeohFwxh+ptH8oCapYXGS
4M/+tFBEJ/Mkcfhn7epDpxSlruc0yyaGcdR1vnKptt1Co37bLL0=
=zH1J
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 07 Mar 2019 21:36:02 GMT) (full text, mbox, link).


Notification sent to Mike Gabriel <sunweaver@debian.org>:
Bug acknowledged by developer. (Thu, 07 Mar 2019 21:36:03 GMT) (full text, mbox, link).


Message #47 received at 923486-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 923486-close@bugs.debian.org
Subject: Bug#923486: fixed in openssh 1:7.4p1-10+deb9u6
Date: Thu, 07 Mar 2019 21:32:24 +0000
Source: openssh
Source-Version: 1:7.4p1-10+deb9u6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Mar 2019 17:19:28 +0100
Source: openssh
Architecture: source
Version: 1:7.4p1-10+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 923486
Changes:
 openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream patch to make scp handle shell-style brace expansions
     when checking that filenames sent by the server match what the client
     requested (closes: #923486).
Checksums-Sha1: 
 69bbef5108f86cad3dd4086c3393832633d97b7f 3079 openssh_7.4p1-10+deb9u6.dsc
 771c24434cb69527dc463b4d303ceecd86a9a7e5 170724 openssh_7.4p1-10+deb9u6.debian.tar.xz
Checksums-Sha256: 
 fa095ccdb143684092f0ca9671d46cd9587872324846e20ad6b022704557c403 3079 openssh_7.4p1-10+deb9u6.dsc
 e5b5fb4bbcb11134d9c666e6763d8a2b0a097efe389013447bddcb39a261bc94 170724 openssh_7.4p1-10+deb9u6.debian.tar.xz
Files: 
 3cdeb02effad9e1cd5298376fb796d19 3079 net standard openssh_7.4p1-10+deb9u6.dsc
 a32ca694f98c8104a7e853ae096ac3a3 170724 net standard openssh_7.4p1-10+deb9u6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlx5Xy9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E00IP/RiHkO7EypiOyebN+R4hUh9nv40QjFLX
N1UmTQiQ0XmRTZEpsaaHEGA+47BTTo11UpAZQkmdtrTJ7kBLHwGcWkIYWnEe62AO
7E55DCx/V9JjbxGbdgoDb0gB2IYPYix8UH1J8/6yuz/xJ1r5apnui0YLuWzOCUGh
IZnPCyfdHgmwCY4N8HWMFdhwYR4WSFjn0vQeOxjfZA5UY0b4B9KdUgJySPqain+y
yNEWhTtRiH4tbQFDKiCwNOYXQTk1fFFG5jxPjPcFZ76bbo7VyV3N8TuDzDPZOFIQ
k7fijvTK9JkpuN9oLfG9wlzumJ/xd795mLRnemkje5WLNAmZbAHlnVFuXhFSMnvD
Ir+Hpn1k8yR5qt+tq31RvBzMJas8zalwdLNoWKCE/ax6chHF6w6ZJFmXMHfg751G
p2lXbMUb5uDej14yjLN2rj/CQbdt004hit3EhrIr0d/hMRPzO+VBn6rtOcR6XP5U
qf71qKvVyvHuGmzO4XXUye31p36Zg6HHerLyLafeipQkJZtMC9H/hvtAxcgyzTjT
2HoAUnfMWdUts/Opt1UoMLqyWSvif2GbaRrl4m8pO21PY26GqB3tnT5PjFpLvPJk
74NuC7/z9dQUxt5nj7BUksSe4xCgdUucMSJsYRTY33t8GnuY3CTcDHYTggvuahLI
WHmGV7sO/yeo
=8TYQ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Fri, 08 Mar 2019 22:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <sunweaver@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 08 Mar 2019 22:45:03 GMT) (full text, mbox, link).


Message #52 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <sunweaver@debian.org>
To: Colin Watson <cjwatson@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 923486@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Fri, 08 Mar 2019 22:40:52 +0000
[Message part 1 (text/plain, inline)]
Hi Colin, hi Debian LTS team,

On  Fr 01 Mär 2019 13:24:30 CET, Colin Watson wrote:

> And yes, it looks OK - I'll upload it to unstable shortly.

I have prepared a backport of this newly added patch [1] (see #923486  
for details) to openssh in Debian jessie LTS, but with that patch  
backported to openssh in Debian jessie, I get a segmentation fault  
whenever I copy something using the scp cmdline tool (I have of course  
backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).

I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7  
(in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.

The critical patch is CVE-2019-6111-2.patch. With that patch added I  
get segfaults with scp. Without that patch scp works, but is  
susceptible to the earlier mentioned exploit for CVE-2019-6111.

I am a bit lost here and would appreciate some ideas about what is  
going wrong here.

I will only be able to continue on this on Monday, but maybe someone  
else can offer some genuine input over the weekend. Will be much  
appreciated.

Thanks+Greets,
Mike

[1]  
https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

[openssh_6.7p1-5+deb8u7_deb8u8.debdiff (text/plain, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Sun, 10 Mar 2019 23:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 10 Mar 2019 23:12:03 GMT) (full text, mbox, link).


Message #57 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: Mike Gabriel <sunweaver@debian.org>
Cc: Colin Watson <cjwatson@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 923486@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Mon, 11 Mar 2019 00:09:05 +0100
[Message part 1 (text/plain, inline)]
Hi Mike

I have had a look at this. First of all I do not think the CVE is
completely fixed even with the additional patch. I also do not fully
understand how 6111-2.patch is supposed to work. More about this below.
Let us give some example commands.

[1] scp host:/foobar/a* b
[2] scp host:a* b
[3] scp -r host /foobar/a* b
[4] scp -r host a* b

My understanding is that only case 1 is protected by 6111-1.patch
6111-2.patch seems to protect against case 2.

But to my understanding we do not protect against 3 and 4. Am I missing
something?

Anyway I have tried to see if I could reproduce the segfault. I do not know
fully how you have tested it so I decided to copy the new code to a new
test.c file and test different patterns.
The functionality as such seems to be working fine.

I did one change though to make it work. I changed xstrdup to strdup
because I could not link against it for some reason. Could that be
your problem too?

Essentially my test.c file looks like this:
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <bsd/stdlib.h>
#include <string.h>
#include <publib.h>
#define fatal sprintf

... the new functions code here ...

/* Expand one pattern with the new brace_expand() and print every result. */
static void testpattern(const char *pattern) {
  char **patterns = NULL;
  size_t npatterns = 0;
  size_t i;
  printf("==== Test pattern %s ====\n", pattern);
  brace_expand(pattern, &patterns, &npatterns);
  for (i = 0; i < npatterns; i++) {
    printf("Pattern %zu: %s\n", i, patterns[i]);
    free(patterns[i]);
  }
  free(patterns);
}

int main(void) {
  testpattern("filea");
  testpattern("dira/filea");
  testpattern("dira/file{a,b}");
  testpattern("file{a,b}");
  testpattern("file*");
  testpattern("file{a,b}{c,d}");
  testpattern("file{a,b}*");
  testpattern("dir{a,b}*/d");
  testpattern("dir{a,b}/file*{a,b}*");
  return 0;
}

I could not reproduce the crash. How did you reproduce it?

Best regards

// Ola


On Fri, 8 Mar 2019 at 23:41, Mike Gabriel <sunweaver@debian.org> wrote:

> Hi Colin, hi Debian LTS team,
>
> On  Fr 01 Mär 2019 13:24:30 CET, Colin Watson wrote:
>
> > And yes, it looks OK - I'll upload it to unstable shortly.
>
> I have prepared a backport of this newly added patch [1] (see #923486
> for details) to openssh in Debian jessie LTS, but with that patch
> backported to openssh in Debian jessie, I get a segmentation fault
> whenever I copy something using the scp cmdline tool (I have of course
> backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).
>
> I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7
> (in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.
>
> The critical patch is CVE-2019-6111-2.patch. With that patch added I
> get segfaults with scp. Without that patch scp works, but is
> susceptible to the earlier mentioned exploit for CVE-2019-6111.
>
> I am a bit lost here and would appreciate some ideas about what is
> going wrong here.
>
> I will only be able to continue on this on Monday, but maybe someone
> else can offer some genuine input over the weekend. Will be much
> appreciated.
>
> Thanks+Greets,
> Mike
>
> [1]
>
> https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
> --
>
> mike gabriel aka sunweaver (Debian Developer)
> mobile: +49 (1520) 1976 148
> landline: +49 (4354) 8390 139
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
> mail: sunweaver@debian.org, http://sunweavers.net
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Sun, 10 Mar 2019 23:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 10 Mar 2019 23:30:03 GMT) (full text, mbox, link).


Message #62 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: Ola Lundqvist <ola@inguza.com>
Cc: Mike Gabriel <sunweaver@debian.org>, Colin Watson <cjwatson@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 923486@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Mon, 11 Mar 2019 00:27:09 +0100
[Message part 1 (text/plain, inline)]
Hi again

I finally found out why I could not use xstrdup so with that fixed I run
the tests again. No crash. My guess is that the crash is some other part of
the code and not the newly introduced functions.

// Ola

On Mon, 11 Mar 2019 at 00:09, Ola Lundqvist <ola@inguza.com> wrote:

> Hi Mike
>
> I have had a look at this. First of all I do not think the CVE is
> completely fixed even with the additional patch. I also do not fully
> understand how 6111-2.patch is supposed to work. More about this below.
> Let us give some example commands.
>
> [1] scp host:/foobar/a* b
> [2] scp host:a* b
> [3] scp -r host /foobar/a* b
> [4] scp -r host a* b
>
> My understanding is that only case 1 is protected by 6111-1.patch
> 6111-2.patch seems to protect against case 2.
>
> But to my understanding we do not protect against 3 and 4. Am I missing
> something?
>
> Anyway I have tried to see if I could reproduce the segfault. I do not
> know fully how you have tested it so I decided to copy the new code to a
> new test.c file and test different patterns.
> The functionality as such seems to be working fine.
>
> I did one change though to make it work. I changed xstrdup to strdup
> because I could not find link against it for some reason. Could that be
> your problem too?
>
> Essentially my test.c file looks like this:
> #include <sys/types.h>
> #include <stdlib.h>
> #include <bsd/stdlib.h>
> #include <string.h>
> #include <publib.h>
> #define fatal sprintf
>
> ... the new functions code here ...
>
> int testpattern(char* pattern) {
>   char **patterns = NULL;
>   size_t npatterns = 0;
>   int i = 0;
>   printf("==== Test pattern %s ====\n", pattern);
>   brace_expand(pattern, &patterns, &npatterns);
>   for (i = 0; i < npatterns; i++) {
>     printf("Pattern %d: %s\n", i, patterns[i]);
>   }
> }
>
> int main(int argc, char** argv) {
>   testpattern("filea");
>   testpattern("dira/filea");
>   testpattern("dira/file{a,b}");
>   testpattern("file{a,b}");
>   testpattern("file*");
>   testpattern("file{a,b}{c,d}");
>   testpattern("file{a,b}*");
>   testpattern("dir{a,b}*/d");
>   testpattern("dir{a,b}/file*{a,b}*");
> }
>
> I could not reproduce the crash. How did you reproduce it?
>
> Best regards
>
> // Ola
>
>
> On Fri, 8 Mar 2019 at 23:41, Mike Gabriel <sunweaver@debian.org> wrote:
>
>> Hi Colin, hi Debian LTS team,
>>
>> On  Fr 01 Mär 2019 13:24:30 CET, Colin Watson wrote:
>>
>> > And yes, it looks OK - I'll upload it to unstable shortly.
>>
>> I have prepared a backport of this newly added patch [1] (see #923486
>> for details) to openssh in Debian jessie LTS, but with that patch
>> backported to openssh in Debian jessie, I get a segmentation fault
>> whenever I copy something using the scp cmdline tool (I have of course
>> backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).
>>
>> I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7
>> (in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.
>>
>> The critical patch is CVE-2019-6111-2.patch. With that patch added I
>> get segfaults with scp. Without that patch scp works, but is
>> susceptible to the earlier mentioned exploit for CVE-2019-6111.
>>
>> I am a bit lost here and would appreciate some ideas about what is
>> going wrong here.
>>
>> I will only be able to continue on this on Monday, but maybe someone
>> else can offer some genuine input over the weekend. Will be much
>> appreciated.
>>
>> Thanks+Greets,
>> Mike
>>
>> [1]
>>
>> https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
>> --
>>
>> mike gabriel aka sunweaver (Debian Developer)
>> mobile: +49 (1520) 1976 148
>> landline: +49 (4354) 8390 139
>>
>> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
>> mail: sunweaver@debian.org, http://sunweavers.net
>>
>>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  ola@inguza.com                    opal@debian.org            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Wed, 20 Mar 2019 12:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Wed, 20 Mar 2019 12:39:03 GMT) (full text, mbox, link).


Message #67 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Mike Gabriel <sunweaver@debian.org>
Cc: 923486@bugs.debian.org
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Wed, 20 Mar 2019 13:36:01 +0100
[Message part 1 (text/plain, inline)]
Hi Mike,

On Fri, 08 Mar 2019 22:40:52 +0000 Mike Gabriel <sunweaver@debian.org>
wrote:
[...]
> The critical patch is CVE-2019-6111-2.patch. With that patch added I  
> get segfaults with scp. Without that patch scp works, but is  
> susceptible to the earlier mentioned exploit for CVE-2019-6111.
> 
> I am a bit lost here and would appreciate some ideas about what is  
> going wrong here.

[...]

I think I have found the root cause of the segfault. In order to fix
CVE-2019-6111 we have to backport two functions, reallocarray and
recallocarray. There are some conditionals which must be defined first,
otherwise those functions won't be compiled and are not available at
runtime.

For instance

ifndef HAVE_REALLOCARRAY

So the solution is to define them in openbsd-compat/openbsd-compat.h

#ifndef HAVE_REALLOCARRAY
void *reallocarray(void *, size_t, size_t);
#endif

#ifndef HAVE_RECALLOCARRAY
void *recallocarray(void *, size_t, size_t, size_t);
#endif

and in config.h.in add

/* Define to 1 if you have the `reallocarray' function. */
#undef HAVE_REALLOCARRAY

/* Define to 1 if you have the `recallocarray' function. */
#undef HAVE_RECALLOCARRAY

After that all patches work as intended and I consider this issue to be
resolved for Wheezy. I'm going to upload a new revision now.

Regards,

Markus





[signature.asc (application/pgp-signature, attachment)]
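The fix described above only adds the prototypes and the config.h.in templates; what the two compat functions actually do is the security-relevant part, since the CVE-2019-6111 backport depends on them to resize arrays without an integer overflow in the nmemb * size product. The following is an added illustration for this bug log, not code from the report or from OpenSSH's openbsd-compat directory: a self-contained C version of reallocarray and recallocarray under the same HAVE_REALLOCARRAY / HAVE_RECALLOCARRAY guards, plus small check functions (check_overflow_rejected, check_grow_zeroes_tail and check_recalloc_overflow are names chosen here) that exercise the overflow rejection and the zero-filled, wiped resize. It keeps the OpenBSD error semantics (ENOMEM for reallocarray, EINVAL for recallocarray) but drops the in-place shrink shortcut and wipes the old block with a volatile loop instead of explicit_bzero, so it builds with a plain C compiler.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * OpenBSD's fast path: if both operands are below 2^(bits/2) the product
 * cannot wrap, so the division test only runs for large inputs.
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

static int
mul_overflows(size_t a, size_t b)
{
	return (a >= MUL_NO_OVERFLOW || b >= MUL_NO_OVERFLOW) &&
	    a > 0 && SIZE_MAX / a < b;
}

#ifndef HAVE_REALLOCARRAY
/* realloc() that refuses an nmemb*size product which would wrap around. */
void *
reallocarray(void *optr, size_t nmemb, size_t size)
{
	if (mul_overflows(nmemb, size)) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(optr, nmemb * size);
}
#endif

#ifndef HAVE_RECALLOCARRAY
/*
 * Resize an array of oldnmemb to newnmemb elements: new tail is zeroed and
 * the old block is wiped before free(), so stale contents never leak.
 */
void *
recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
{
	size_t oldsize, newsize;
	void *newptr;
	volatile unsigned char *wipe;

	if (ptr == NULL)
		return calloc(newnmemb, size);
	if (mul_overflows(newnmemb, size) || mul_overflows(oldnmemb, size)) {
		errno = EINVAL;
		return NULL;
	}
	newsize = newnmemb * size;
	oldsize = oldnmemb * size;

	if ((newptr = malloc(newsize)) == NULL)
		return NULL;
	if (newsize > oldsize) {
		memcpy(newptr, ptr, oldsize);
		memset((char *)newptr + oldsize, 0, newsize - oldsize);
	} else {
		memcpy(newptr, ptr, newsize);
	}
	/* volatile access stops the compiler from eliding the wipe */
	for (wipe = ptr; oldsize > 0; oldsize--)
		*wipe++ = 0;
	free(ptr);
	return newptr;
}
#endif

/* 1 if a product that would wrap around is refused with ENOMEM. */
int
check_overflow_rejected(void)
{
	void *p;

	errno = 0;
	p = reallocarray(NULL, SIZE_MAX / 2, 4);
	if (p != NULL) {
		free(p);
		return 0;
	}
	return errno == ENOMEM;
}

/* 1 if growing 2 -> 4 ints keeps old values and zeroes the new tail. */
int
check_grow_zeroes_tail(void)
{
	int *a, *tmp, ok;

	if ((a = reallocarray(NULL, 2, sizeof(*a))) == NULL)
		return 0;
	a[0] = 7;
	a[1] = 9;
	if ((tmp = recallocarray(a, 2, 4, sizeof(*a))) == NULL) {
		free(a);
		return 0;
	}
	a = tmp;
	ok = a[0] == 7 && a[1] == 9 && a[2] == 0 && a[3] == 0;
	free(a);
	return ok;
}

/* 1 if recallocarray refuses an overflowing new element count with EINVAL. */
int
check_recalloc_overflow(void)
{
	void *buf, *p;
	int ok;

	if ((buf = malloc(4)) == NULL)
		return 0;
	errno = 0;
	p = recallocarray(buf, 1, SIZE_MAX / 2, 4);
	ok = (p == NULL && errno == EINVAL);
	free(p == NULL ? buf : p);
	return ok;
}

int
main(void)
{
	printf("overflow rejected: %d\n", check_overflow_rejected());
	printf("grow zeroes tail:  %d\n", check_grow_zeroes_tail());
	printf("recalloc overflow: %d\n", check_recalloc_overflow());
	return 0;
}
```

Compiling with -DHAVE_REALLOCARRAY on a libc that already ships reallocarray (glibc 2.26 and later does) skips the compat definition, which is exactly the decision the config.h.in templates in the message above let configure make; leaving the macro undefined, as the Wheezy backport needed, compiles the fallback.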

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#923486; Package src:openssh. (Wed, 20 Mar 2019 13:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <sunweaver@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Wed, 20 Mar 2019 13:48:03 GMT) (full text, mbox, link).


Message #72 received at 923486@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <sunweaver@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 923486@bugs.debian.org
Subject: Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Date: Wed, 20 Mar 2019 13:44:47 +0000
[Message part 1 (text/plain, inline)]
Hi Markus,

On  Mi 20 Mär 2019 13:36:01 CET, Markus Koschany wrote:

> Hi Mike,
>
> On Fri, 08 Mar 2019 22:40:52 +0000 Mike Gabriel <sunweaver@debian.org>
> wrote:
> [...]
>> The critical patch is CVE-2019-6111-2.patch. With that patch added I
>> get segfaults with scp. Without that patch scp works, but is
>> susceptible to the earlier mentioned exploit for CVE-2019-6111.
>>
>> I am a bit lost here and would appreciate some ideas about what is
>> going wrong here.
>
> [...]
>
> I think I have found the root cause of the segfault. In order to fix
> CVE-2019-6111 we have to backport two functions, reallocarray and
> recallocarray. There are some conditionals which must be defined first,
> otherwise those functions won't be compiled and are not available at
> runtime.
>
> For instance
>
> ifndef HAVE_REALLOCARRAY
>
> So the solution is to define them in openbsd-compat/openbsd-compat.h
>
> #ifndef HAVE_REALLOCARRAY
> void *reallocarray(void *, size_t, size_t);
> #endif
>
> #ifndef HAVE_RECALLOCARRAY
> void *recallocarray(void *, size_t, size_t, size_t);
> #endif
>
> and in config.h.in add
>
> /* Define to 1 if you have the `reallocarray' function. */
> #undef HAVE_REALLOCARRAY
>
> /* Define to 1 if you have the `recallocarray' function. */
> #undef HAVE_RECALLOCARRAY
>
> After that all patches work as intended and I consider this issue to be
> resolved for Wheezy. I'm going to upload a new revision now.
>
> Regards,
>
> Markus

Ok. I will look at your modifications and upload the same to jessie.

Mike
-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Apr 2019 07:31:59 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:58 2019; Machine Name: buxtehude
