Bug#1058624: CVE-2023-5616: if sshd is enabled but socket-activated, control-center will say it's disabled

Salvatore Bonaccorso carnil at debian.org
Wed Dec 13 19:24:16 GMT 2023 

Hi Simon,

On Wed, Dec 13, 2023 at 06:13:41PM +0000, Simon McVittie wrote:
> Package: gnome-control-center
> Version: 1:45.1-1
> Severity: important
> Tags: upstream security
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2794
> X-Debbugs-Cc: team at security.debian.org
> Control: found -1 1:3.30.3-2~deb10u1
> Control: found -1 1:3.38.4-1
> Control: found -1 1:43.6-2~deb12u1
> 
> If ssh.service is disabled but ssh.socket is enabled, as documented
> in file:///usr/share/doc/openssh-client/README.Debian.gz section
> "Socket-based activation with systemd", then gnome-control-center's
> Sharing panel will indicate that remote login via ssh is
> disabled. This was originally reported to Ubuntu by Zygmunt Krynicki in
> https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/2039577.
> 
> Ubuntu have treated this as a security issue, on the basis that users
> who have been misinformed about the status of remote login might make
> security-sensitive assumptions that are, in fact, untrue. I'm not really
> convinced that this is a serious security issue, and Ubuntu seem to
> have been treating this as an Ubuntu-specific thing rather than talking
> to upstream about it, so I've reported it here as important rather
> than grave.
> 
> A mitigation is that in Debian (unlike Ubuntu), socket activation for
> sshd is not the default - I suspect that might be why Ubuntu treated
> this as Ubuntu-specific.
> 
> I think older Debian suites are *probably* affected, hence marking this
> bug as Found in all older releases, but I have not verified this: it's
> possible that there is some reason why they are unaffected.
> 
> Unless the security team have reasons to want this to be treated as
> urgent, I would suggest that instead of rushing to apply Ubuntu's
> solution, we should see what happens upstream, and then follow that in
> Debian when the dust has settled.

Thanks for filling the bugreport. Indeed I added this morning the CVE
to the tracker: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49490cb8e169308cd6130d0e0a9c02af53d5408f

I do agree with you, let that first fix upstream and then we can go
top down in Debian as well with the regular supported suites. 

Thanks for your diligent work!

Regards,
Salvatore

More information about the pkg-gnome-maintainers mailing list