Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 815010 - <net-misc/openssh-8.8_p1: Multiple vulnerabilities
Summary: <net-misc/openssh-8.8_p1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 829386
Blocks:
  Show dependency tree
 
Reported: 2021-09-26 17:04 UTC by Sam James
Modified: 2022-12-28 20:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-26 17:04:25 UTC 
From 8.8 release notes:
```
Security
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
```
Comment 1 Larry the Git Cow gentoo-dev 2021-10-01 01:08:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9431f858b4b325c47d87a82490ad35a978cfc8fb

commit 9431f858b4b325c47d87a82490ad35a978cfc8fb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-10-01 01:06:30 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-10-01 01:08:08 +0000

    net-misc/openssh-8.8_p1: Version bump, no X509
    
    Bug: https://bugs.gentoo.org/815010
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest                          |   2 +
 .../files/openssh-8.8_p1-hpn-15.2-glue.patch       |   1 +
 net-misc/openssh/openssh-8.8_p1.ebuild             | 513 +++++++++++++++++++++
 3 files changed, 516 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 20:28:53 UTC 
GLSA request filed. We should get a CVE for this.
Comment 3 Larry the Git Cow gentoo-dev 2022-12-28 18:59:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4bba232aa0519e18c1541480c7f0b8dcb717ecb2

commit 4bba232aa0519e18c1541480c7f0b8dcb717ecb2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:57:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-06 ] OpenSSH: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/815010
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-06.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-28 19:12:38 UTC 
GLSA released, all done!