Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 920724 (CVE-2023-6004)

Summary: <net-libs/libssh-0.10.6: ProxyCommand/ProxyJump features enable to inject malicious code through hostname
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal Keywords: PullRequest
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 920726    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-26 17:07:57 UTC

Per the second link, this affects libssh too.

Using the ProxyCommand or the ProxyJump feature enables users to exploit
unchecked hostname syntax on the client, which enables to inject malicious code
into the command of the above-mentioned features through the hostname parameter.

User interaction is required to exploit this issue.
Comment 1 Larry the Git Cow gentoo-dev 2023-12-28 02:22:12 UTC
The bug has been referenced in the following commit(s):

commit b5fd84fed4c7e7ddb236f13fb5044cc546ce7c6c
Author:     GLSAMaker <>
AuthorDate: 2023-12-28 02:21:11 +0000
Commit:     Sam James <>
CommitDate: 2023-12-28 02:22:08 +0000

    [ GLSA 202312-16 ] libssh: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Sam James <>

 glsa-202312-16.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-01-03 23:01:23 UTC
The bug has been referenced in the following commit(s):

commit e1565810cb6fde75c0271f52eaf08f28d1548b66
Author:     Andreas Sturmlechner <>
AuthorDate: 2024-01-03 22:28:41 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2024-01-03 23:00:47 +0000

    net-libs/libssh: Cleanup vulnerable 0.10.5
    Signed-off-by: Andreas Sturmlechner <>

 net-libs/libssh/Manifest             |   1 -
 net-libs/libssh/libssh-0.10.5.ebuild | 135 -----------------------------------
 2 files changed, 136 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-01-03 23:02:33 UTC
Cleanup done, kde proj out.