Bug 784896 - <net-misc/openssh-8.6_p1: theoretical sandbox escape in rare logging configuration
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: B? [noglsa cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-22 03:19 UTC by Sam James
Modified: 2021-06-17 22:23 UTC

See Also:
Package list:
net-misc/openssh-8.6_p1-r2
Runtime testing required: ---


Attachments

Description Sam James archtester gentoo-dev Security 2021-04-22 03:19:25 UTC
From release notes (https://www.openssh.com/txt/release-8.6):

Security
========

 * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
   option was enabled with a set of patterns that activated logging
   in code that runs in the low-privilege sandboxed sshd process, the
   log messages were constructed in such a way that printf(3) format
   strings could effectively be specified by the low-privilege code.

   An attacker who had successfully exploited the low-privilege
   process could use this to escape OpenSSH's sandboxing and attack
   the high-privilege process. Exploitation of this weakness is
   highly unlikely in practice as the LogVerbose option is not
   enabled by default and is typically only used for debugging. No
   vulnerabilities in the low-privilege process are currently known
   to exist.

   Thanks to Ilja Van Sprundel for reporting this bug.
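The bug shape the release notes describe, as an added illustration in C that is not OpenSSH's code or the upstream fix: a privileged-side log handler that re-formats a message it received from the sandboxed process, beside the hardened "%s" form and a check for stray conversion directives. do_log, the monitor_log_* functions and the sample message are hypothetical and constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Privileged-side log sink modelled on a printf-style logger: whatever
 * arrives as `fmt` is interpreted as a format string. (Hypothetical.) */
static void do_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the already-formatted message received from the
 * sandboxed process is passed straight through as the format argument,
 * so any '%' directive in it is evaluated by the privileged process. */
const char *monitor_log_vulnerable(const char *msg_from_sandbox)
{
    static char out[256];
    do_log(out, sizeof out, msg_from_sandbox);
    return out;
}

/* Hardened shape: the received message is only ever a "%s" argument,
 * so its contents are copied verbatim and never interpreted. */
const char *monitor_log_fixed(const char *msg_from_sandbox)
{
    static char out[256];
    do_log(out, sizeof out, "%s", msg_from_sandbox);
    return out;
}

/* Defensive check at a privilege boundary: does a string carry a
 * conversion directive, i.e. a '%' that is not the literal "%%"? */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%')
            s++;            /* "%%" is a literal percent sign */
        else if (*s == '%')
            return 1;
    }
    return 0;
}

/* Constructed sample log line. It uses the "%%" escape so that even the
 * vulnerable path stays defined behaviour for this demonstration. */
const char *SANDBOX_MSG = "invalid user %%x from 192.0.2.10";
```

The vulnerable path turns the "%%" into a single "%", proving the message was treated as a format, while the hardened path leaves it untouched.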
Comment 1 Larry the Git Cow gentoo-dev 2021-04-23 23:14:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd069ebac8b0f15edc1dee19bb77f9611b5a812a

commit dd069ebac8b0f15edc1dee19bb77f9611b5a812a
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-04-23 23:14:10 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-04-23 23:14:16 +0000

    net-misc/openssh-8.6_p1: revbump, add X509 patch
    
    Bug: https://bugs.gentoo.org/785034
    Bug: https://bugs.gentoo.org/784896
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-8.6_p1-X509-glue-13.1.patch      |  72 +++++
 .../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch  | 357 +++++++++++++++++++++
 ...nssh-8.6_p1.ebuild => openssh-8.6_p1-r1.ebuild} |   4 +-
 4 files changed, 432 insertions(+), 2 deletions(-)
Comment 2 Thomas Deutschmann gentoo-dev Security 2021-05-24 00:46:41 UTC
No CVE. Gentoo became "affected" when 8.5 was stabilized via bug 774090. Upstream fix is https://github.com/openssh/openssh-portable/commit/faf2b86a46c9281d237bcdec18c99e94a4eb820a. However, there is no known way to trigger this. Even when all prerequisites are met (running with LogVerbose), you still need to find a way to exploit the low-privilege process, which would be a vulnerability of its own.

We will stabilize 8.6 due to this, but no GLSA until the CVE/situation changes.
Comment 3 Sam James archtester gentoo-dev Security 2021-05-24 01:37:05 UTC
x86 done
Comment 4 Sam James archtester gentoo-dev Security 2021-05-24 01:44:49 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-05-24 02:03:55 UTC
amd64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-05-24 02:04:17 UTC
arm done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-25 11:05:43 UTC
sparc done
Comment 8 Sam James archtester gentoo-dev Security 2021-05-25 16:54:38 UTC
ppc done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-27 19:20:17 UTC
ppc64 done
Comment 10 Rolf Eike Beer archtester 2021-05-27 19:37:28 UTC
hppa done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-27 19:39:14 UTC
Please cleanup.
Comment 12 NATTkA bot gentoo-dev 2021-06-17 22:20:29 UTC
Unable to check for sanity:

> no match for package: net-misc/openssh-8.6_p1-r1