Bug#1058624: CVE-2023-5616: if sshd is enabled but socket-activated, control-center will say it's disabled
Simon McVittie
smcv at debian.org
Wed Dec 13 18:13:41 GMT 2023
Package: gnome-control-center
Version: 1:45.1-1
Severity: important
Tags: upstream security
Forwarded: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2794
X-Debbugs-Cc: team at security.debian.org
Control: found -1 1:3.30.3-2~deb10u1
Control: found -1 1:3.38.4-1
Control: found -1 1:43.6-2~deb12u1
If ssh.service is disabled but ssh.socket is enabled, as documented
in file:///usr/share/doc/openssh-client/README.Debian.gz section
"Socket-based activation with systemd", then gnome-control-center's
Sharing panel will indicate that remote login via ssh is
disabled. This was originally reported to Ubuntu by Zygmunt Krynicki in
https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/2039577.
Ubuntu have treated this as a security issue, on the basis that users
who have been misinformed about the status of remote login might make
security-sensitive assumptions that are, in fact, untrue. I'm not really
convinced that this is a serious security issue, and Ubuntu seem to
have been treating this as an Ubuntu-specific thing rather than talking
to upstream about it, so I've reported it here as important rather
than grave.
A mitigation is that in Debian (unlike Ubuntu), socket activation for
sshd is not the default - I suspect that might be why Ubuntu treated
this as Ubuntu-specific.
I think older Debian suites are *probably* affected, hence marking this
bug as Found in all older releases, but I have not verified this: it's
possible that there is some reason why they are unaffected.
Unless the security team have reasons to want this to be treated as
urgent, I would suggest that instead of rushing to apply Ubuntu's
solution, we should see what happens upstream, and then follow that in
Debian when the dust has settled.
smcv
More information about the pkg-gnome-maintainers
mailing list