Your message dated Mon, 30 Dec 2024 15:17:23 +0000
with message-id <e1tshwf-0020aw...@fasolo.debian.org>
and subject line Bug#1087883: fixed in gh 2.46.0-2
has caused the Debian Bug report #1087883,
regarding gh: CVE-2024-52308
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1087883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gh
Version: 2.46.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for gh.
CVE-2024-52308[0]:
| The GitHub CLI version 2.6.1 and earlier are vulnerable to remote
| code execution through a malicious codespace SSH server when using
| `gh codespace ssh` or `gh codespace logs` commands. This has been
| patched in the cli v2.62.0. Developers connect to remote codespaces
| through an SSH server running within the devcontainer, which is
| generally provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration).
| GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244),
| such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263)
| for `gh codespace ssh` or `gh codespace logs` commands. This
| exploit occurs when a malicious third-party devcontainer contains a
| modified SSH server that injects `ssh` arguments within the SSH
| connection details. `gh codespace ssh` and `gh codespace logs`
| commands could execute arbitrary code on the user's workstation if
| the remote username contains something like `-oProxyCommand="echo
| hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the
| provided command while `#` shell comment causes any other `ssh`
| arguments to be ignored. In `2.62.0`, the remote username
| information is being validated before being used.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52308
https://www.cve.org/CVERecord?id=CVE-2024-52308
[1] https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
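The advisory above says the fix is to validate the remote username before it is handed to `ssh`. The following Go example is added here to illustrate that mitigation; it is not the gh project's code nor the upstream patch, and the allow-list pattern, the `ValidateRemoteUser`/`BuildSSHArgs` names and the argv layout are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// validUser is an allow-list for the remote username returned by the
// codespace RPC. Assumption for this example: a POSIX-style login name
// (letters, digits, underscore, dot, hyphen) that never starts with '-',
// so ssh cannot parse it as an option such as -oProxyCommand.
var validUser = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$`)

// ErrBadUser is returned when the username fails validation.
var ErrBadUser = errors.New("remote username failed validation")

// ValidateRemoteUser rejects anything that is not a plain login name.
func ValidateRemoteUser(user string) error {
	if !validUser.MatchString(user) {
		return fmt.Errorf("%w: %q", ErrBadUser, user)
	}
	return nil
}

// BuildSSHArgs assembles the argv that follows the ssh binary. The remote
// user is placed in front of the host, which is exactly where an
// unvalidated value could turn into an ssh option; the check above runs
// before anything is assembled, so a bad value never reaches ssh.
func BuildSSHArgs(user, host string, port int, extra []string) ([]string, error) {
	if err := ValidateRemoteUser(user); err != nil {
		return nil, err
	}
	args := []string{"-p", fmt.Sprint(port)}
	args = append(args, extra...)
	args = append(args, user+"@"+host)
	return args, nil
}

func main() {
	// Constructed inputs: a normal username and the value from the advisory.
	for _, u := range []string{"vscode", `-oProxyCommand="echo hacked" #`} {
		args, err := BuildSSHArgs(u, "localhost", 2222, nil)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("ssh", strings.Join(args, " "))
	}
}
```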
--- Begin Message ---
Source: gh
Source-Version: 2.46.0-2
Done: Santiago Vila <sanv...@debian.org>
We believe that the bug you reported is fixed in the latest version of
gh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1087...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated gh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 30 Dec 2024 14:10:00 +0100
Source: gh
Architecture: source
Version: 2.46.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Closes: 1087883 1091585
Changes:
gh (2.46.0-2) unstable; urgency=medium
.
* Team upload.
[ Otto Kekäläinen ]
* Update test to be compatible with Glamour v0.8.0. Closes: #1091585.
[ Santiago Vila ]
* Update build-dependency on golang-github-charmbracelet-glamour-dev.
[ Loren M. Lang ]
* Apply patch to fix CVE-2024-52308. Closes: #1087883.
--- End Message ---