
Bug#919101: marked as done (openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions)



Your message dated Sun, 13 Jan 2019 11:34:35 +0000
with message-id <E1gie2F-0006yD-If@fasolo.debian.org>
and subject line Bug#919101: fixed in openssh 1:7.9p1-5
has caused the Debian Bug report #919101,
regarding openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
919101: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919101
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Version: 1:7.9p1-4
Severity: important
Tags: patch security upstream
Control: found -1 1:7.4p1-10
Control: found -1 1:7.4p1-10+deb9u4

Hi,

The following vulnerability was published for openssh.

CVE-2018-20685[0]:
| In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to
| bypass intended access restrictions via the filename of . or an empty
| filename.

More information is found in [1], where upstream fixed it in [2].
There are related issues described in [1] which I explicitly do not
track in this bug as they are not yet addressed upstream (and I did not
want to mix reports). They are described in [1] as issues #2, #3 and #4
and got their own CVEs (CVE-2019-6109, CVE-2019-6110, CVE-2019-6111). Not
sure if upstream intends to address those as well.

The described vulnerabilities would require that a victim accepts the
wrong host fingerprint of a man-in-the-middle attacker server, though.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20685
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
[1] https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
[2] https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
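The report above describes the client-side name check that the upstream fix adds to scp.c: the scp client must not accept an incoming file name that is empty or that refers to the current directory, because a server on the other end of the connection chooses those names. The following is an added example, written for this page and not code from the Debian report, from OpenSSH or from the upstream commit; it shows a validator of that kind applied to constructed sample headers of the form scp exchanges. The page states the fix rejects empty names and ".", while rejecting ".." and any name containing '/' is the same reasoning carried one step further and is an assumption of this example.

```c
/* Added example (not the Debian report's or OpenSSH's own code): a validator
 * for file names received from the remote side of an scp session, in the
 * spirit of the CVE-2018-20685 fix.  scp's sink side takes the name of each
 * incoming file from the server; a malicious or compromised server sending
 * "." or "" would make the client operate on the target directory itself
 * instead of on a file inside it, bypassing the client's intended access
 * restrictions.  Rejecting ".." and '/' is an assumed extension of the
 * page's rule, not something the page states. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true if 'name' can only ever denote an entry *inside* the target
 * directory, never the directory itself or anything outside it. */
bool scp_incoming_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')   /* empty: names the target dir */
        return false;
    if (strcmp(name, ".") == 0)            /* ".": the target dir itself */
        return false;
    if (strcmp(name, "..") == 0)           /* "..": parent of the target (assumed) */
        return false;
    if (strchr(name, '/') != NULL)         /* path separator could escape (assumed) */
        return false;
    return true;
}

/* Simulated sink step over constructed "C<mode> <size> <name>" / "D<mode> ..."
 * header lines.  Extracts the name field (everything after the second space)
 * and applies the check; returns how many entries would have been refused. */
int count_rejected(const char *const *headers, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        const char *sp = strchr(headers[i], ' ');
        if (sp != NULL)
            sp = strchr(sp + 1, ' ');
        if (sp == NULL) {                  /* malformed header: refuse it too */
            rejected++;
            continue;
        }
        const char *name = sp + 1;
        if (!scp_incoming_name_is_safe(name)) {
            fprintf(stderr, "rejected unexpected filename: \"%s\"\n", name);
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample headers; the last four are the shapes the check exists for. */
    const char *const samples[] = {
        "C0644 12 notes.txt",   /* legitimate plain file name */
        "D0777 0 .",            /* CVE-2018-20685: current directory */
        "C0777 0 ",             /* CVE-2018-20685: empty name */
        "C0644 5 ..",           /* parent directory (assumed extension) */
        "C0644 5 ../.bashrc",   /* contains '/' (assumed extension) */
    };
    size_t n = sizeof samples / sizeof samples[0];
    int rej = count_rejected(samples, n);
    printf("%d of %zu incoming names rejected\n", rej, n);
    return 0;
}
```

The check runs on the receiving side only, so it costs nothing on the wire and does not depend on trusting the server; that is the property the upstream patch referenced as [2] relies on as well.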
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-5

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919101@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 13 Jan 2019 11:22:45 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server openssh-tests ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.9p1-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 858050 917342 919101
Changes:
 openssh (1:7.9p1-5) unstable; urgency=high
 .
   * Move /etc/ssh/moduli to openssh-server, since it's reasonably large and
     only used by sshd (closes: #858050).
   * Drop obsolete alternate build-dependency on libssl1.0-dev (closes:
     #917342).
   * CVE-2018-20685: Apply upstream scp patch to disallow empty incoming
     filename or ones that refer to the current directory (closes: #919101).
Checksums-Sha1:
 56030638b63a0eabce49d3bc2ec8c2678353a737 3161 openssh_7.9p1-5.dsc
 80820a167f8e3c44dae97654b0b7d26f5258330d 164044 openssh_7.9p1-5.debian.tar.xz
 1c498fcf40f73d2247b2c30e28d9d657ff74504f 15036 openssh_7.9p1-5_source.buildinfo
Checksums-Sha256:
 44303f4d41790bcc973ef1c5c8b70ed78fbcbfeed9f356e2c1d3b656ffeaf0f6 3161 openssh_7.9p1-5.dsc
 f2fb52ee1d4c31d36ff985d1abb297d0640fc3a8919cac7495d4cf9265e63ce6 164044 openssh_7.9p1-5.debian.tar.xz
 e2637a17039b25090103c00f0ee66f262cfcaa63451ca5892d0c75ccc063b5da 15036 openssh_7.9p1-5_source.buildinfo
Files:
 358f18fc048e1de456a819c2642c3f2b 3161 net standard openssh_7.9p1-5.dsc
 5c59b88d1b520342bb945962c2002793 164044 net standard openssh_7.9p1-5.debian.tar.xz
 a32d80ccd3a0673d480f10c6f33f35b7 15036 net standard openssh_7.9p1-5_source.buildinfo


--- End Message ---
