Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 784896

Summary: <net-misc/openssh-8.6_p1: theoretical sandbox escape in rare logging configuration
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: base-system
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/23403
Whiteboard: B? [noglsa]
Package list:
net-misc/openssh-8.6_p1-r2
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-22 03:19:25 UTC
From release notes (https://www.openssh.com/txt/release-8.6): Security
========

 * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
   option was enabled with a set of patterns that activated logging
   in code that runs in the low-privilege sandboxed sshd process, the
   log messages were constructed in such a way that printf(3) format
   strings could effectively be specified the low-privilege code.

   An attacker who had sucessfully exploited the low-privilege
   process could use this to escape OpenSSH's sandboxing and attack
   the high-privilege process. Exploitation of this weakness is
   highly unlikely in practice as the LogVerbose option is not
   enabled by default and is typically only used for debugging. No
   vulnerabilities in the low-privilege process are currently known
   to exist.

   Thanks to Ilja Van Sprundel for reporting this bug.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-23 23:14:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd069ebac8b0f15edc1dee19bb77f9611b5a812a

commit dd069ebac8b0f15edc1dee19bb77f9611b5a812a
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-04-23 23:14:10 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-04-23 23:14:16 +0000

    net-misc/openssh-8.6_p1: revbump, add X509 patch
    
    Bug: https://bugs.gentoo.org/785034
    Bug: https://bugs.gentoo.org/784896
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-8.6_p1-X509-glue-13.1.patch      |  72 +++++
 .../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch  | 357 +++++++++++++++++++++
 ...nssh-8.6_p1.ebuild => openssh-8.6_p1-r1.ebuild} |   4 +-
 4 files changed, 432 insertions(+), 2 deletions(-)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 00:46:41 UTC
No CVE. Gentoo became "affected" when 8.5 was stabilized via bug 774090. Upstream fix is https://github.com/openssh/openssh-portable/commit/faf2b86a46c9281d237bcdec18c99e94a4eb820a. However, there is no known way to trigger this. Even when all pre requirements are met (running with LogVerbose) you still need to find a way to exploit the low-privilege process which would be an own vulnerability.

We will stabilize 8.6 due to this but no GLSA until CVE/situation will change.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-24 01:37:05 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-24 01:44:49 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-24 02:03:55 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-24 02:04:17 UTC
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 11:05:43 UTC
sparc done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 16:54:38 UTC
ppc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:20:17 UTC
ppc64 done
Comment 10 Rolf Eike Beer archtester 2021-05-27 19:37:28 UTC
hppa done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:39:14 UTC
Please cleanup.
Comment 12 NATTkA bot gentoo-dev 2021-06-17 22:20:29 UTC
Unable to check for sanity:

> no match for package: net-misc/openssh-8.6_p1-r1
Comment 13 Larry the Git Cow gentoo-dev 2021-12-19 01:10:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=307230a6d1ac9ebf6a354de7f4ed60a4879e2fdc

commit 307230a6d1ac9ebf6a354de7f4ed60a4879e2fdc
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-12-18 05:11:36 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-12-19 01:10:04 +0000

    net-misc/openssh: drop 8.5_p1-r2
    
    Bug: https://bugs.gentoo.org/784896
    Acked-By: Sam James <sam@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/openssh/Manifest                 |   3 -
 net-misc/openssh/openssh-8.5_p1-r2.ebuild | 510 ------------------------------
 2 files changed, 513 deletions(-)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-19 01:11:10 UTC
Cleaned up. No GLSA, so all done!