According to this article: https://www.theregister.co.uk/2019/01/15/scp_vulnerability/ OpenSSH 7.9 and earlier contain a set of vulnerabilities that date back to 1983. These are:

CVE-2018-20685 - server can alter directory permissions on the client
CVE-2019-6111 - server can send arbitrary files not requested by the client, even overwriting files in the client's file system.
CVE-2019-6109, CVE-2019-6110 - server can alter the object name or output display on the ssh client to hide files being copied

There is apparently a patch available, linked to from the article mentioned above, which appears to apply to -CURRENT from a few days ago. I have not attempted to build the source. However, the patch is available here: https://sintonen.fi/advisories/scp-name-validator.patch

Since I have only verified that the code in the FreeBSD crypto/openssh tree does not appear to have been patched for these vulnerabilities, I cannot say for certain that they exist; however, it is extremely likely and needs to be brought to the attention of the appropriate people.
CC'ing secteam, perhaps
base r343043 by emaste@ addressed one of the issues (CVE-2018-20685)

CC bdrewery (security/openssh-portable maintainer)

According to the article/announcement details, openssh is vulnerable to all four CVEs. I'd use this as a parent coordinator issue, with separate sub-issues created for each of base openssh and ports openssh, tracked separately for clarity of merges (base issues have multiple MFC flags, ports issues have a single merge-quarterly flag), and given that the base and ports components have different maintainers.
Hi! When in releng?
Patch in review https://reviews.freebsd.org/D19076
Does ports-secteam have to be active here?
A commit references this bug:

Author: emaste
Date: Thu Feb 21 22:45:55 UTC 2019
New revision: 344449
URL: https://svnweb.freebsd.org/changeset/base/344449

Log:
  scp: validate filenames provided by server against wildcard in client

  OpenSSH-portable commits:

  check in scp client that filenames sent during remote->local directory
  copies satisfy the wildcard specified by the user.

  This checking provides some protection against a malicious server sending
  unexpected filenames, but it comes at a risk of rejecting wanted files due
  to differences between client and server wildcard expansion rules.

  For this reason, this also adds a new -T flag to disable the check.

  reported by Harry Sintonen
  fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@

  OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

  Minor patch conflict (getopt) resolved.

  Obtained from:	OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

  scp: add -T to usage();

  OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

  Obtained from:	OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

  PR:		234965
  Approved by:	des
  MFC after:	3 days
  Obtained from:	OpenSSH-portable 391ffc4b9d, 2c21b75a7b
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D19076

Changes:
  _U  head/crypto/openssh/
  head/crypto/openssh/scp.1
  head/crypto/openssh/scp.c
A commit references this bug:

Author: emaste
Date: Thu Mar 7 20:12:51 UTC 2019
New revision: 344897
URL: https://svnweb.freebsd.org/changeset/base/344897

Log:
  MFC r344449: scp: validate filenames provided by server against wildcard
  ... in client

  OpenSSH-portable commits:

  check in scp client that filenames sent during remote->local directory
  copies satisfy the wildcard specified by the user.

  This checking provides some protection against a malicious server sending
  unexpected filenames, but it comes at a risk of rejecting wanted files due
  to differences between client and server wildcard expansion rules.

  For this reason, this also adds a new -T flag to disable the check.

  reported by Harry Sintonen
  fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@

  OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

  Minor patch conflict (getopt) resolved.

  Obtained from:	OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

  scp: add -T to usage();

  OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

  Obtained from:	OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

  PR:		234965
  Sponsored by:	The FreeBSD Foundation

Changes:
  _U  stable/12/
  stable/12/crypto/openssh/scp.1
  stable/12/crypto/openssh/scp.c
When in releng?
A commit references this bug:

Author: emaste
Date: Tue May 7 19:48:40 UTC 2019
New revision: 347232
URL: https://svnweb.freebsd.org/changeset/base/347232

Log:
  MFC r345576: Merge r345574 from vendor-crypto:

  upstream: when checking that filenames sent by the server side match what
  the client requested, be prepared to handle shell-style brace alternations,
  e.g. "{foo,bar}".

  "looks good to me" millert@ + in snaps for the last week courtesy deraadt@

  OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e

  PR:		234965
  Discussed with:	des
  Obtained from:	OpenSSH-portable 3d896c157c722bc47adca51a58dca859225b5874

Changes:
  _U  stable/12/
  stable/12/crypto/openssh/scp.c
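The two commits above describe the same client-side defence: the scp client remembers the wildcard the user typed, and when the server names each file it is sending during a remote->local copy, the client only accepts names that satisfy that wildcard, later extended to understand brace alternations like "{foo,bar}". The program below is an added example of that check, not FreeBSD's or OpenSSH's code. The function names brace_match() and accept_server_filename(), the tflag parameter standing in for the -T option, and the request/filename pairs in main() are all constructed for illustration; the real scp.c logic and its diagnostics differ.

```c
/*
 * Added example; not FreeBSD's or OpenSSH's code.  It models the client-side
 * check described in the commits above: the user asked scp for files matching
 * `pattern`, the server then names each file it sends, and the client accepts
 * a name only if it matches the pattern under the client's own wildcard rules,
 * including shell-style brace alternation such as "*.{c,h}".  The names
 * brace_match(), accept_server_filename() and the `tflag` parameter are
 * assumptions standing in for the real scp.c logic and its -T option.
 */
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return 1 if `name` matches `pattern`.  The first "{a,b,...}" group in
 * `pattern` is expanded into one candidate per alternative; each candidate is
 * passed back through this function so later groups expand too, and leaf
 * candidates (no braces left) are matched with fnmatch(3).  Nested braces are
 * not supported (the first '}' closes the group).  An unbalanced '{' is
 * matched literally, as fnmatch itself would.
 */
static int
brace_match(const char *pattern, const char *name)
{
	const char *lbrace = strchr(pattern, '{');
	const char *rbrace;

	if (lbrace == NULL || (rbrace = strchr(lbrace, '}')) == NULL)
		return fnmatch(pattern, name, 0) == 0;

	size_t prefix_len = (size_t)(lbrace - pattern);
	const char *suffix = rbrace + 1;
	const char *alt = lbrace + 1;

	/* Walk the comma-separated alternatives between the braces. */
	while (alt <= rbrace) {
		const char *comma = memchr(alt, ',', (size_t)(rbrace - alt));
		const char *end = comma != NULL ? comma : rbrace;
		size_t alt_len = (size_t)(end - alt);
		size_t len = prefix_len + alt_len + strlen(suffix);
		char *candidate = malloc(len + 1);
		int matched;

		if (candidate == NULL)
			return 0;	/* fail closed: no memory, no acceptance */
		memcpy(candidate, pattern, prefix_len);
		memcpy(candidate + prefix_len, alt, alt_len);
		memcpy(candidate + prefix_len + alt_len, suffix, strlen(suffix) + 1);

		matched = brace_match(candidate, name);
		free(candidate);
		if (matched)
			return 1;
		alt = end + 1;
	}
	return 0;
}

/*
 * The client-side decision: with `tflag` set (modelling the -T option) the
 * check is skipped and every server-supplied name is accepted, i.e. the
 * pre-fix behaviour.  Otherwise only names matching the user's request pass.
 */
static int
accept_server_filename(const char *pattern, const char *name, int tflag)
{
	if (tflag)
		return 1;
	return brace_match(pattern, name);
}

int
main(void)
{
	/* Constructed sample: what the user requested vs. what a server sent. */
	static const struct { const char *pattern, *name; } cases[] = {
		{ "*.txt",       "notes.txt" },	/* wanted file: accepted */
		{ "*.txt",       "id_rsa" },	/* not requested: rejected */
		{ "*.{c,h}",     "scp.c" },	/* brace alternative: accepted */
		{ "*.{c,h}",     "scp.o" },	/* no alternative fits: rejected */
		{ "{a,b}.{c,h}", "b.h" },	/* two brace groups: accepted */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("request %-12s server sent %-10s -> %s\n",
		    cases[i].pattern, cases[i].name,
		    accept_server_filename(cases[i].pattern, cases[i].name, 0)
		    ? "accept" : "reject");
	return 0;
}
```

Build with `cc -o scpcheck scpcheck.c` and run it; the second and fourth sample lines are rejected because the server offered a name the user never asked for. The trade-off the commit message spells out is visible in the design: fnmatch(3) on the client decides what "matches", so a server whose shell expands a pattern differently can have legitimate files refused, which is exactly why the real fix ships an escape hatch (-T) rather than making the check unconditional.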
The change is in FreeBSD 12.0; it does not apply to the older version of scp in 11.3 and will probably not be backported.