Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <[email protected]>
and subject line Close 1103979
has caused the Debian Bug report #1103979,
regarding bookworm-pu: package openssh/1:9.2p1-2+deb12u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1103979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103979
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:openssh
User: [email protected]
Usertags: pu

[ Reason ]
The security team marked CVE-2025-32728 (#1102603) as no-dsa, but I'd 
like to at least get the fix into the next stable point release.

The bug is not a regression from any version I know of; it's present 
back to at least stretch.

[ Impact ]
The DisableForwarding option in sshd_config doesn't do what it says in 
the documentation in terms of disabling X11 and agent forwarding (both 
of which are enabled by default in Debian; in the former case this is 
Debian-specific).

[ Tests ]
There are no particular automated tests, but I've manually tested that 
"DisableForwarding yes" didn't disable X11 or agent forwarding with the 
old version and that it now does.

[ Risks ]
The change just adds a single extra option check to two conditions, so I 
consider it low-risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
fix-disable-forwarding.patch adds options.disable_forwarding checks to 
the agent and X11 forwarding paths.

There's a bit of noise due to git deciding to serialize the existing 
CVE-2023-48795.patch and gssapi.patch, but the actual code there is 
unchanged.

Thanks,

-- 
Colin Watson (he/him)                              [[email protected]]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm       2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm       2025-04-15 12:07:49.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-b430b77904fa045d5753bad32f6c8a582396db57
-b430b77904fa045d5753bad32f6c8a582396db57
+cf9b65754f0e54de11d075fc7317ae90a1ae4389
+cf9b65754f0e54de11d075fc7317ae90a1ae4389
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 openssh_9.2p1.orig.tar.gz
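Review bot: the two updated git-dpm commit ids (cf9b65754f0e54de11d075fc7317ae90a1ae4389) match the `From` line of the new fix-disable-forwarding.patch further down in this debdiff, so the git-dpm metadata and the patch series are in step; nothing to change in this hunk.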
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog      2025-02-14 13:06:51.000000000 +0000
+++ openssh-9.2p1/debian/changelog      2025-04-15 12:07:53.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium
+
+  * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
+    failing to disable X11 forwarding and agent forwarding as documented
+    (closes: #1102603).
+
+ -- Colin Watson <[email protected]>  Tue, 15 Apr 2025 12:07:53 +0100
+
 openssh (1:9.2p1-2+deb12u5) bookworm-security; urgency=medium
 
   * CVE-2025-26465: Fix MitM in verify_host_key_callback.
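Review bot: the new changelog stanza still targets `UNRELEASED`; for a bookworm-pu upload the distribution field needs to read `bookworm` before the package is built and uploaded (the deb12u5 stanza above uses `bookworm-security` only because it went through the security archive). The version 1:9.2p1-2+deb12u6 and the `closes: #1102603` reference are consistent with the bug's subject and the `Bug-Debian` header in the patch.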
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch 
openssh-9.2p1/debian/patches/CVE-2023-48795.patch
--- openssh-9.2p1/debian/patches/CVE-2023-48795.patch   2025-02-14 
13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch   2025-04-15 
12:07:49.000000000 +0100
@@ -307,7 +307,7 @@
 +              if (*typep == 0) {
 +                      /* no message ready */
 +                      return 0;
-+              }
+               }
 +              state->keep_alive_timeouts = 0;
 +              DBG(debug("received packet type %d", *typep));
 +
@@ -325,7 +325,7 @@
 +                          ssh_remote_port(ssh), reason, msg);
 +                      free(msg);
 +                      return SSH_ERR_DISCONNECTED;
-               }
++              }
 +
 +              /*
 +               * Do not implicitly handle any messages here during initial
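Review bot: both hunks in CVE-2023-48795.patch only move a closing-brace line between the `-+` and `+ ` forms (and the reverse), so the code in the applied tree is unchanged; this is the git-dpm re-serialisation noise the cover message mentions and needs no action, though regenerating the debdiff without it would let reviewers diff the intended change on its own.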
diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 
openssh-9.2p1/debian/patches/fix-disable-forwarding.patch
--- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch   1970-01-01 
01:00:00.000000000 +0100
+++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch   2025-04-15 
12:07:49.000000000 +0100
@@ -0,0 +1,42 @@
+From cf9b65754f0e54de11d075fc7317ae90a1ae4389 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: upstream: Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Origin: upstream, 
https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
+Bug-Debian: https://bugs.debian.org/1102603
+Last-Update: 2025-04-15
+
+Patch-Name: fix-disable-forwarding.patch
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index 492463529..3414ddd49 100644
+--- a/session.c
++++ b/session.c
+@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+       if ((r = sshpkt_get_end(ssh)) != 0)
+               sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+       if (!auth_opts->permit_agent_forwarding_flag ||
+-          !options.allow_agent_forwarding) {
++          !options.allow_agent_forwarding ||
++          options.disable_forwarding) {
+               debug_f("agent forwarding disabled");
+               return 0;
+       }
+@@ -2579,7 +2580,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+               ssh_packet_send_debug(ssh, "X11 forwarding disabled by key 
options.");
+               return 0;
+       }
+-      if (!options.x11_forwarding) {
++      if (!options.x11_forwarding || options.disable_forwarding) {
+               debug("X11 forwarding disabled in server configuration file.");
+               return 0;
+       }
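Review bot: the two added `options.disable_forwarding` checks are correct as ORed terms in the negated conditions, but both reuse the pre-existing log text (`debug_f("agent forwarding disabled");` and `debug("X11 forwarding disabled in server configuration file.");`), so `sshd -d` output cannot tell `DisableForwarding yes` apart from `AllowAgentForwarding no` / `X11Forwarding no`; a distinct message naming DisableForwarding would make the manual verification described under [ Tests ] easier to confirm from the server log. The header's three ids (git-dpm `From` commit, portable `Origin` commit, `OpenBSD-Commit-ID`) refer to three different trees, which is expected.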
diff -Nru openssh-9.2p1/debian/patches/gssapi.patch 
openssh-9.2p1/debian/patches/gssapi.patch
--- openssh-9.2p1/debian/patches/gssapi.patch   2025-02-14 13:06:46.000000000 
+0000
+++ openssh-9.2p1/debian/patches/gssapi.patch   2025-04-15 12:07:49.000000000 
+0100
@@ -36,7 +36,7 @@
  configure.ac    |  24 ++
  gss-genr.c      | 297 +++++++++++++++++++++++-
  gss-serv-krb5.c |  87 ++++++-
- gss-serv.c      | 205 +++++++++++++++--
+ gss-serv.c      | 207 +++++++++++++++--
  kex.c           |  66 +++++-
  kex.h           |  29 +++
  kexdh.c         |  10 +
@@ -64,7 +64,7 @@
  sshd_config.5   |  30 +++
  sshkey.c        |   8 +-
  sshkey.h        |   1 +
- 39 files changed, 2769 insertions(+), 165 deletions(-)
+ 39 files changed, 2770 insertions(+), 166 deletions(-)
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
  create mode 100644 ssh-null.c
@@ -1144,7 +1144,8 @@
 +      int equal = 0;
 +      gss_name_t new_name = GSS_C_NO_NAME;
 +      gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
-+
+ 
+-      gss_buffer_desc ename;
 +      if (options.gss_store_rekey && client->used && ctx->client_creds) {
 +              if (client->mech->oid.length != ctx->oid->length ||
 +                  (memcmp(client->mech->oid.elements,
@@ -1159,8 +1160,7 @@
 +                      ssh_gssapi_error(ctx);
 +                      return (ctx->major);
 +              }
- 
--      gss_buffer_desc ename;
++
 +              ctx->major = gss_compare_name(&ctx->minor, client->name,
 +                  new_name, &equal);
 +
@@ -1270,6 +1270,9 @@
 -/* Privileged */
 -OM_uint32
 -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+-{
+-      ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+-          gssbuf, gssmic, NULL);
 +/* These bits are only used for rekeying. The unpriviledged child is running
 + * as the user, the monitor is root.
 + *
@@ -1277,20 +1280,18 @@
 + *    *) Ask the monitor to store our credentials into the store we specify
 + *    *) If it succeeds, maybe do a PAM update
 + */
-+
+ 
+-      return (ctx->major);
 +/* Stuff for PAM */
 +
 +#ifdef USE_PAM
 +static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
 +    struct pam_response **resp, void *data)
- {
--      ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
--          gssbuf, gssmic, NULL);
++{
 +      return (PAM_CONV_ERR);
 +}
 +#endif
- 
--      return (ctx->major);
++
 +void
 +ssh_gssapi_rekey_creds(void) {
 +      int ok;
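Review bot: the gssapi.patch hunks change only the diffstat counters (gss-serv.c 205 to 207, totals +1 insertion / +1 deletion) and swap blank-line and brace lines between the `-+`, `+ ` and `++` forms; the net effect on the applied tree is nil, matching the "noise" note in the cover message. Worth a `quilt push -a` or a full build before upload to confirm the re-serialised patch still applies cleanly.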
diff -Nru openssh-9.2p1/debian/patches/series 
openssh-9.2p1/debian/patches/series
--- openssh-9.2p1/debian/patches/series 2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/series 2025-04-15 12:07:49.000000000 +0100
@@ -37,3 +37,4 @@
 sntrup761x25519-sha512.patch
 CVE-2025-26465.patch
 incorrect-return-values.patch
+fix-disable-forwarding.patch
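Review bot: fix-disable-forwarding.patch is appended at the end of the series after incorrect-return-values.patch, consistent with the `Patch-Name:` header in the patch file; fine as is.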

--- End Message ---
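The [ Impact ] section above says that on an unfixed sshd the `DisableForwarding yes` directive leaves X11 and agent forwarding enabled when those stay at their defaults (X11Forwarding yes in Debian, AllowAgentForwarding yes upstream). The following audit script is an added example, not part of the bug report or the openssh package: it checks whether an sshd_config depends on DisableForwarding alone for that effect, and contrasts a constructed weak config with one that sets the two directives explicitly, which works on fixed and unfixed versions alike. It inspects only the global section (Match blocks and the `key=value` spelling are not handled; a simplification for this example).

```shell
#!/bin/sh
# Added example (not from the Debian bug report or the openssh package):
# audit sshd_config for the pattern behind CVE-2025-32728, where
# DisableForwarding alone is relied on to switch off X11/agent forwarding.
# Only the global section is inspected; Match blocks are ignored.

# Return 0 when X11/agent forwarding is off regardless of DisableForwarding,
# 1 when the file depends on DisableForwarding (the fix is then required).
audit_forwarding_config() {
    awk '
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }                    # blank or malformed line
        { key = tolower($1); val = tolower($2) }
        key == "match" { exit }            # stop at the first Match block
        !(key in cfg) { cfg[key] = val }   # sshd_config: first occurrence wins
        END {
            # Defaults: Debian ships X11Forwarding yes; upstream defaults
            # AllowAgentForwarding to yes and DisableForwarding to no.
            x11     = ("x11forwarding" in cfg)        ? cfg["x11forwarding"]        : "yes"
            agent   = ("allowagentforwarding" in cfg) ? cfg["allowagentforwarding"] : "yes"
            disable = ("disableforwarding" in cfg)    ? cfg["disableforwarding"]    : "no"
            if (disable == "yes" && (x11 == "yes" || agent == "yes")) {
                printf "%s: relies on DisableForwarding (X11Forwarding=%s, AllowAgentForwarding=%s)\n", FILENAME, x11, agent
                exit 1
            }
            printf "%s: ok, forwarding state does not depend on DisableForwarding\n", FILENAME
        }
    ' "$1"
}

# Constructed sample configs (hypothetical, written to a temp directory).
TMPD=$(mktemp -d)
WEAK_CFG="$TMPD/sshd_config.weak"
SAFE_CFG="$TMPD/sshd_config.safe"
cat > "$WEAK_CFG" <<'EOF'
# relies on the documented DisableForwarding semantics only
DisableForwarding yes
PermitRootLogin no
EOF
cat > "$SAFE_CFG" <<'EOF'
# explicit settings take effect even on an sshd without the fix
DisableForwarding yes
X11Forwarding no
AllowAgentForwarding no
EOF

audit_forwarding_config "$WEAK_CFG" || true   # reports the dependency
audit_forwarding_config "$SAFE_CFG"
```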
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---