Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 920724 (CVE-2023-6004)

Summary: <net-libs/libssh-0.10.6: ProxyCommand/ProxyJump features enable to inject malicious code through hostname
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Keywords: PullRequest
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.libssh.org/security/advisories/CVE-2023-6004.txt
See Also: https://bugs.gentoo.org/show_bug.cgi?id=920722
https://github.com/gentoo/gentoo/pull/34627
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 920726    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-26 17:07:57 UTC 
* https://threatprotect.qualys.com/2023/12/26/ssh-proxycommand-unexpected-code-execution-vulnerability-cve-2023-51385/
* https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html

Per the second link, this affects libssh too.

"""
Using the ProxyCommand or the ProxyJump feature enables users to exploit
unchecked hostname syntax on the client, which enables to inject malicious code
into the command of the above-mentioned features through the hostname parameter.

User interaction is required to exploit this issue.
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-12-28 02:22:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b5fd84fed4c7e7ddb236f13fb5044cc546ce7c6c

commit b5fd84fed4c7e7ddb236f13fb5044cc546ce7c6c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-28 02:21:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-28 02:22:08 +0000

    [ GLSA 202312-16 ] libssh: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/920291
    Bug: https://bugs.gentoo.org/920724
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202312-16.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-01-03 23:01:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1565810cb6fde75c0271f52eaf08f28d1548b66

commit e1565810cb6fde75c0271f52eaf08f28d1548b66
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-01-03 22:28:41 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-01-03 23:00:47 +0000

    net-libs/libssh: Cleanup vulnerable 0.10.5
    
    Bug: https://bugs.gentoo.org/920291
    Bug: https://bugs.gentoo.org/920724
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/libssh/Manifest             |   1 -
 net-libs/libssh/libssh-0.10.5.ebuild | 135 -----------------------------------
 2 files changed, 136 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-01-03 23:02:33 UTC 
Cleanup done, kde proj out.