815010 – <net-misc/openssh-8.8_p1: Multiple vulnerabilities

Bug 815010 - <net-misc/openssh-8.8_p1: Multiple vulnerabilities

Summary: <net-misc/openssh-8.8_p1: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	829386
Blocks:
	Show dependency tree

Reported:	2021-09-26 17:04 UTC by Sam James
Modified:	2022-12-28 20:41 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-09-26 17:04:25 UTC

From 8.8 release notes:
```
Security
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
```

Comment 1 Larry the Git Cow gentoo-dev

2021-10-01 01:08:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9431f858b4b325c47d87a82490ad35a978cfc8fb

commit 9431f858b4b325c47d87a82490ad35a978cfc8fb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-10-01 01:06:30 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-10-01 01:08:08 +0000

    net-misc/openssh-8.8_p1: Version bump, no X509
    
    Bug: https://bugs.gentoo.org/815010
    Package-Manager: Portage-3.0.26, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/Manifest                          |   2 +
 .../files/openssh-8.8_p1-hpn-15.2-glue.patch       |   1 +
 net-misc/openssh/openssh-8.8_p1.ebuild             | 513 +++++++++++++++++++++
 3 files changed, 516 insertions(+)

Comment 2 John Helmert III archtester

2022-12-19 20:28:53 UTC

GLSA request filed. We should get a CVE for this.

Comment 3 Larry the Git Cow gentoo-dev

2022-12-28 18:59:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4bba232aa0519e18c1541480c7f0b8dcb717ecb2

commit 4bba232aa0519e18c1541480c7f0b8dcb717ecb2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:57:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-06 ] OpenSSH: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733802
    Bug: https://bugs.gentoo.org/815010
    Bug: https://bugs.gentoo.org/874876
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-06.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

Comment 4 John Helmert III archtester

2022-12-28 19:12:38 UTC

GLSA released, all done!