Hello Salvatore, Salvatore Bonaccorso [2026-04-08 22:20 +0200]: > The following vulnerability was published for cockpit. > > CVE-2026-4631 [...]:
I uploaded the new upstream version 360 to unstable, which includes the fix. For trixie, I prepared a backport. Debdiff attached, happy to upload on your mark. Please double-check the version number, I'm not that experienced in security updates. > Please adjust the affected versions in the BTS as needed. I am not yet sure if this affects bookworm/bullseye at all, as this does not yet have cockpit-beiboot, but the older cockpit-ssh program. I asked Allison in https://github.com/cockpit-project/cockpit/pull/23105#issuecomment-4211122656 I'll find out about the test case situation and will mark oldstable/oldoldstable as affected or not appropriately. Thanks, Martin
diff -Nru cockpit-337/debian/changelog cockpit-337/debian/changelog --- cockpit-337/debian/changelog 2025-04-23 16:11:05.000000000 +0200 +++ cockpit-337/debian/changelog 2026-04-09 05:29:56.000000000 +0200 @@ -1,3 +1,10 @@ +cockpit (337-1+deb13u1) unstable; urgency=medium + + * ws: Be more explicit when handling hostnames on cli. + [CVE-2026-4631] (Closes: #1133022) + + -- Martin Pitt <[email protected]> Thu, 09 Apr 2026 05:29:56 +0200 + cockpit (337-1) unstable; urgency=medium * New upstream release: diff -Nru cockpit-337/debian/gbp.conf cockpit-337/debian/gbp.conf --- cockpit-337/debian/gbp.conf 2023-06-14 13:51:32.000000000 +0200 +++ cockpit-337/debian/gbp.conf 2026-04-09 05:12:12.000000000 +0200 @@ -1,4 +1,4 @@ [DEFAULT] pristine-tar = True patch-numbers = False -debian-branch = master +debian-branch = trixie diff -Nru cockpit-337/debian/patches/series cockpit-337/debian/patches/series --- cockpit-337/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ cockpit-337/debian/patches/series 2026-04-09 05:23:29.000000000 +0200 @@ -0,0 +1 @@ +ws-be-more-explicit-when-handling-hostnames-on-cli.patch diff -Nru cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch --- cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch 1970-01-01 01:00:00.000000000 +0100 +++ cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch 2026-04-09 05:23:29.000000000 +0200 @@ -0,0 +1,80 @@ +From: Allison Karlitskaya <[email protected]> +Date: Tue, 24 Mar 2026 15:44:15 +0100 +Subject: ws: be more explicit when handling hostnames on cli + +`cockpit-ws` has never protected hostnames from being interpreted as cli +options when passing them to the auth commands (`cockpit-session`, +`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant +changes over the years: + + - our move to using cockpit-session via unix socket has removed + exposure to this problem for `cockpit-session` + + - our move from `cockpit-ssh` (glib argument parser) to + `cockpit.beiboot` (Python argparse) has unfortunately exposed us to + https://github.com/python/cpython/issues/66623 which means (due to a + strange heuristic) that arguments starting with '-' can be + interpreted as positionals if they also have spaces in them + +This gives a way to get a hostname starting with a `-` to ssh (where it +*will* be interpreted as an option) and the following argument (the +python invocation on the remote) will be interpreted as the hostname. +Fortunately, new versions of ssh will reject this hostname. In any +case, we should firm up the code here and add `--` to ensure that it's +definitely interpreted as a hostname by ssh. + +For a similar reason add a `--` to the ssh command in `cockpit-ws`. + +CVE-2026-4631 + +Origin: https://github.com/cockpit-project/cockpit/commit/9d0695647 +Origin-ferny: https://github.com/allisonkarlitskaya/ferny/commit/44ec511c99 +Bug-Debian: https://bugs.debian.org/1133022 +--- + src/cockpit/_vendor/ferny/session.py | 2 +- + src/cockpit/beiboot.py | 4 ++-- + src/ws/cockpitauth.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/cockpit/_vendor/ferny/session.py b/src/cockpit/_vendor/ferny/session.py +index d142bdb..ac4616d 100644 +--- a/src/cockpit/_vendor/ferny/session.py ++++ b/src/cockpit/_vendor/ferny/session.py +@@ -145,7 +145,7 @@ class Session(SubprocessContext, InteractionHandler): + + # SSH_ASKPASS_REQUIRE is not generally available, so use setsid + process = await asyncio.create_subprocess_exec( +- *('/usr/bin/ssh', *args, destination), env=env, ++ *('/usr/bin/ssh', *args, '--', destination), env=env, + start_new_session=True, stdin=asyncio.subprocess.DEVNULL, + stdout=asyncio.subprocess.DEVNULL, stderr=agent, # type: ignore + preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL)) +diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py +index 12e369a..0d2a5fe 100644 +--- a/src/cockpit/beiboot.py ++++ b/src/cockpit/beiboot.py +@@ -274,9 +274,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass: Path, *ssh_opts: str) -> + # strip off [] IPv6 brackets + if host.startswith('[') and host.endswith(']'): + host = host[1:-1] +- destination = ['-p', port, host] ++ destination = ['-p', port, '--', host] + else: +- destination = [dest] ++ destination = ['--', dest] + + return ( + 'ssh', *ssh_opts, *destination, shlex.join(cmd) +diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c +index 3574189..6fd75be 100644 +--- a/src/ws/cockpitauth.c ++++ b/src/ws/cockpitauth.c +@@ -51,7 +51,7 @@ + + /* we only support beibooting machines with a known/vetted OS, as it's impossible to guarantee + * forward compatibility for all pages */ +-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported"; ++const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported --"; + + /* Some tunables that can be set from tests */ + const gchar *cockpit_ws_session_program = NULL;
