Package: openssh-client
Version: 1:7.5p1-7
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Debian maintainer,
I was intending to report this upstream, but, contrary to the documentation
* [9]openssh-unix-...@mindrot.org This is a public list and is open to
posting from non-subscribed
users.
on https://www.openssh.com/report.html the upstream mailing list is not
open for postings, as I got a rejection message…
> Posting by non-members to openssh-unix-...@mindrot.org is currently
> disabled, sorry.
… so please forward this upstream, as is a package maintainer’s duty.
Original message follows:
-----cutting here may damage your screen surface-----
From: Thorsten Glaser <t.gla...@tarent.de>
Message-ID: <alpine.deb.2.20.1708251545580.2...@tglase.lan.tarent.de>
To: openssh-unix-...@mindrot.org
Date: Fri, 25 Aug 2017 15:57:47 +0200 (CEST)
Subject: command line parsing with -- between option and non-option arguments
completely broken
Hi,
in the process of me fixing CVE-2017-12836 a user noticed a
problem with OpenSSH’s command line parsing.
I’ve verified these on OpenSSH 5.3 (MirBSD) and 7.5p1 (Debian).
So, to begin with, this command _should_ spawn xeyes:
$ ssh -oProxyCommand=xeyes vuxu.org
This command _could_ spawn xeyes on glibc systems, but
probably shouldn’t on POSIX or BSD systems:
$ ssh vuxu.org -oProxyCommand=xeyes
This command properly does not spawn xeyes but tries to
resolve “-oProxyCommand=xeyes” as hostname, correctly failing:
$ ssh -- -oProxyCommand=xeyes
This command *must not* spawn xeyes, but does:
$ ssh -- vuxu.org -oProxyCommand=xeyes
This instead must execute “-oProxyCommand=xeyes” as command
on the remote side.
Interestingly enough, this command works the same and also
mustn’t but also doesn’t:
$ ssh vuxu.org -- -oProxyCommand=xeyes
Now it gets completely weird, this doesn’t spawn xeyes either:
$ ssh -- vuxu.org -- -oProxyCommand=xeyes
This “should” execute “--” as command with “-oProxyCommand=xeyes”
as its first option on the remote site, but judging from the error
| mksh: ProxyCommand=xeyes: unknown option
it instead passes “-oProxyCommand=xeyes” as option to a shell on
the remote side.
I don’t do the security theatre, but this could perhaps be considered
missing command escaping on the remote side (passing what would be a
command as an option to the remote shell) in addition to completely
fucked up option parsing on the local side.
This was first reported by nickserv-auth’d user jn__ on #musl on
Freenode IRC, and leah2 forwarded it to me as current de-facto
maintainer of GNU CVS because I considered adding “--” between
option and nōn-option arguments sufficient for fixing the afore‐
mentioned CVE, judging this effective enough with normal command
line parsing rules (as in getopt(3) on OpenBSD) and given the
.Sx SYNOPSIS
in the ssh manpage.
bye,
//mirabilos
PS: Please keep me in Cc, I’m not subscribed to the list.
-----cutting here may damage your screen surface-----
Thanks!
PS: This affects cvs in wheezy, jessie and stretch but not sid.
-- System Information:
Debian Release: buster/sid
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64
Kernel: Linux 4.11.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages openssh-client depends on:
ii adduser 3.116
ii dpkg 1.18.24
ii libc6 2.24-14
ii libedit2 3.1-20170329-1
ii libgssapi-krb5-2 1.15.1-2
ii libselinux1 2.6-3+b2
ii libssl1.0.2 1.0.2l-2
ii passwd 1:4.4-4.1
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages openssh-client recommends:
ii xauth 1:1.0.9-1
Versions of packages openssh-client suggests:
pn keychain <none>
ii kwalletcli [ssh-askpass] 3.00-1
pn libpam-ssh <none>
pn monkeysphere <none>
-- Configuration Files:
/etc/ssh/moduli changed [not included]
/etc/ssh/ssh_config changed [not included]
-- no debconf information
