Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 815010

Summary: <net-misc/openssh-8.8_p1: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: base-system, hydrapolic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 829386    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-26 17:04:25 UTC 
From 8.8 release notes:
```
Security
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
```
Comment 1 Larry the Git Cow gentoo-dev 2021-10-01 01:08:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9431f858b4b325c47d87a82490ad35a978cfc8fb

commit 9431f858b4b325c47d87a82490ad35a978cfc8fb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-10-01 01:06:30 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-10-01 01:08:08 +0000

    net-misc/openssh-8.8_p1: Version bump, no X509
    
    Bug: https://bugs.gentoo.org/815010
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest                          |   2 +
 .../files/openssh-8.8_p1-hpn-15.2-glue.patch       |   1 +
 net-misc/openssh/openssh-8.8_p1.ebuild             | 513 +++++++++++++++++++++
 3 files changed, 516 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 20:28:53 UTC 
GLSA request filed. We should get a CVE for this.
Comment 3 Larry the Git Cow gentoo-dev 2022-12-28 18:59:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4bba232aa0519e18c1541480c7f0b8dcb717ecb2

commit 4bba232aa0519e18c1541480c7f0b8dcb717ecb2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:57:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-06 ] OpenSSH: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/815010
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-06.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-28 19:12:38 UTC 
GLSA released, all done!