Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
aports
aports
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 641
    • Issues 641
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 194
    • Merge Requests 194
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • alpine
  • aportsaports
  • Issues
  • #9995

Closed
Open
Opened Feb 20, 2019 by Alicha CH@alichaReporter

openssh: Multiple vulnerabilities (CVE-2018-20685, CVE-2019-6109, CVE-2019-6111)

CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the
filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-20685
https://marc.info/?l=oss-security&m=154745764812881&w=2

Patch:

https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

CVE-2019-6109: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-6109
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Patch:

https://github.com/openssh/openssh-portable/commit/8976f1c4b2721c26e878151f52bdf346dfe2d54c
possibly additionally needed: https://github.com/openssh/openssh-portable/commit/bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb

CVE-2019-6111: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-6111

Patch:

https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

(from redmine: issue id 9995, created on 2019-02-20, closed on 2019-03-05)

  • Relations:
    • child #9996 (closed)
    • child #9997 (closed)
    • child #9998 (closed)
    • child #9999 (closed)
    • child #10000 (closed)
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: alpine/aports#9995