920724 – (CVE-2023-6004) <net-libs/libssh-0.10.6: ProxyCommand/ProxyJump features enable to inject malicious code through hostname

Bug 920724 (CVE-2023-6004) - <net-libs/libssh-0.10.6: ProxyCommand/ProxyJump features enable to inject malicious code through hostname

Summary: <net-libs/libssh-0.10.6: ProxyCommand/ProxyJump features enable to inject mal...

Status:	RESOLVED FIXED

Alias:	CVE-2023-6004

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://www.libssh.org/security/advis...
Whiteboard:	A2 [glsa+]
Keywords:	PullRequest

Depends on:	920726
Blocks:
	Show dependency tree

Reported:	2023-12-26 17:07 UTC by Sam James
Modified:	2024-01-21 11:16 UTC (History)
CC List:	0 users

See Also:	CVE-2023-51385 https://github.com/gentoo/gentoo/pull/34627
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-12-26 17:07:57 UTC

* https://threatprotect.qualys.com/2023/12/26/ssh-proxycommand-unexpected-code-execution-vulnerability-cve-2023-51385/
* https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html

Per the second link, this affects libssh too.

"""
Using the ProxyCommand or the ProxyJump feature enables users to exploit
unchecked hostname syntax on the client, which enables to inject malicious code
into the command of the above-mentioned features through the hostname parameter.

User interaction is required to exploit this issue.
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-12-28 02:22:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b5fd84fed4c7e7ddb236f13fb5044cc546ce7c6c

commit b5fd84fed4c7e7ddb236f13fb5044cc546ce7c6c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-28 02:21:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-28 02:22:08 +0000

    [ GLSA 202312-16 ] libssh: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/920291
    Bug: https://bugs.gentoo.org/920724
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202312-16.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-01-03 23:01:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1565810cb6fde75c0271f52eaf08f28d1548b66

commit e1565810cb6fde75c0271f52eaf08f28d1548b66
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-01-03 22:28:41 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-01-03 23:00:47 +0000

    net-libs/libssh: Cleanup vulnerable 0.10.5
    
    Bug: https://bugs.gentoo.org/920291
    Bug: https://bugs.gentoo.org/920724
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/libssh/Manifest             |   1 -
 net-libs/libssh/libssh-0.10.5.ebuild | 135 -----------------------------------
 2 files changed, 136 deletions(-)

Comment 3 Andreas Sturmlechner gentoo-dev

2024-01-03 23:02:33 UTC

Cleanup done, kde proj out.