[Pkg-utopia-maintainers] Bug#1133122: trixie-pu: package cockpit/337-1+deb13u1

Martin Pitt mpitt at debian.org
Fri Apr 10 06:20:52 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: cockpit at packages.debian.org
Control: affects -1 + src:cockpit
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
Cockpit recently did a security fix for CVE-2026-4631 for defending against
injecting ssh options for remote host logins, potentially leading to remote
code execution [1]. This was also reported against Debian [2] but Salvatore
from the security team pointed out that our openssh already mitigates this [3]
so this cannot actually be reproduced/exploited on Debian.

I'd still like to apply the fix, for "defense in depth", and frankly also just
to quiesce security scanners and afraid users.

[1] https://github.com/cockpit-project/cockpit/security/advisories/GHSA-m4gv-x78h-3427
[2] https://bugs.debian.org/1133022
[3] https://github.com/openssh/openssh-portable/commit/7ef3787

[ Impact ]
Calling ssh with an explicit `--` before the host name stops command line
injection attempts at the source. Since host names don't start with `-`, there
is no impact for real systems.

[ Tests ]
I built the package locally and ran its autopkgtests in a trixie container.
Moreover, I ran the cockpit binaries on my trixie server and tried to connect
to a remote ssh host.

[ Risks ]

Very low. The change was thoroughly tested upstream with its very extensive
test suite, as well as manually against good (localhost and piware.de:659,
works) and "exploit-y" (piware.de.659 -foo, fails with "authentication not
available") hostnames.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Targeted backport of the upstream fix which calls `ssh` with `--` before the
host name.
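The `--` behaviour described under [ Impact ] and [ Changes ], as an added example that is not part of this report or of cockpit's own code: a constructed stand-in for beiboot's argparse front end (the `--remote-bridge` option, the `destination` positional and the way cockpit-ws appends the host are assumptions) and a simplified re-creation of `via_ssh()` after the fix, with a check that the host always lands directly after `--`.

```python
import argparse
import shlex
from typing import List, Sequence


def parse_beiboot_cli(argv: Sequence[str]) -> str:
    """Constructed stand-in for cockpit.beiboot's argparse front end (option and
    positional names are assumptions, not beiboot's real ones).  cockpit-ws now
    runs 'python3 -m cockpit.beiboot --remote-bridge=supported --' and appends
    the user-supplied destination, so argparse always sees it after '--'."""
    parser = argparse.ArgumentParser(prog='cockpit.beiboot')
    parser.add_argument('--remote-bridge')
    parser.add_argument('destination')
    return parser.parse_args(list(argv)).destination


def via_ssh(cmd: Sequence[str], dest: str, *ssh_opts: str) -> List[str]:
    """Simplified re-creation (not cockpit's code) of via_ssh() after the fix:
    the host is always the first argument after '--', so ssh cannot read it as
    an option.  Only 'host', 'host:port' and '[v6]:port' are modelled."""
    host, sep, port = dest.rpartition(':')
    if sep and port.isdigit() and host and (':' not in host or host.startswith('[')):
        # strip off [] IPv6 brackets
        if host.startswith('[') and host.endswith(']'):
            host = host[1:-1]
        destination = ['-p', port, '--', host]
    else:
        destination = ['--', dest]
    # everything after the host is the remote command; '--' does not affect it
    return ['ssh', *ssh_opts, *destination, shlex.join(cmd)]


def host_is_positional(argv: Sequence[str], host: str) -> bool:
    """The invariant the fix establishes: the host sits directly after '--',
    which is where ssh stops option parsing."""
    return '--' in argv and argv[argv.index('--') + 1] == host


if __name__ == '__main__':
    # Constructed sample destinations; '-foo bar' has the shape the advisory
    # describes: a '-'-prefixed host with a space, which argparse's heuristic
    # (cpython issue 66623) accepts as a positional even without '--'.
    for dest in ['localhost', 'example.org:659', '[::1]:2222', '-foo bar']:
        argv = via_ssh(['python3', '-m', 'cockpit.bridge'], dest)
        print(f'{dest!r:16} -> {shlex.join(argv)}')
    print('heuristic:', parse_beiboot_cli(['--remote-bridge=supported', '-foo bar']))
    print('with --  :', parse_beiboot_cli(['--remote-bridge=supported', '--', '-foo bar']))
```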

[ Other info ]
Nothing I can think of.

Best regards,

Pitti
-------------- next part --------------
diff -Nru cockpit-337/debian/changelog cockpit-337/debian/changelog
--- cockpit-337/debian/changelog	2025-04-23 16:11:05.000000000 +0200
+++ cockpit-337/debian/changelog	2026-04-09 05:29:56.000000000 +0200
@@ -1,3 +1,10 @@
+cockpit (337-1+deb13u1) trixie; urgency=medium
+
+  * ws: Be more explicit when handling hostnames on cli.
+    [CVE-2026-4631] (Closes: #1133022)
+
+ -- Martin Pitt <mpitt at debian.org>  Thu, 09 Apr 2026 05:29:56 +0200
+
 cockpit (337-1) unstable; urgency=medium
 
   * New upstream release:
diff -Nru cockpit-337/debian/gbp.conf cockpit-337/debian/gbp.conf
--- cockpit-337/debian/gbp.conf	2023-06-14 13:51:32.000000000 +0200
+++ cockpit-337/debian/gbp.conf	2026-04-09 05:12:12.000000000 +0200
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = master
+debian-branch = trixie
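Review bot: the debian-branch switch from master to trixie is git-buildpackage metadata unrelated to the CVE fix; it does not change the built packages, but the changelog entry above lists only the ws change, so either mention it there or leave it for the regular packaging branch to keep the stable debdiff minimal.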
diff -Nru cockpit-337/debian/patches/series cockpit-337/debian/patches/series
--- cockpit-337/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ cockpit-337/debian/patches/series	2026-04-09 05:23:29.000000000 +0200
@@ -0,0 +1 @@
+ws-be-more-explicit-when-handling-hostnames-on-cli.patch
diff -Nru cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch
--- cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch	1970-01-01 01:00:00.000000000 +0100
+++ cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch	2026-04-09 05:23:29.000000000 +0200
@@ -0,0 +1,80 @@
+From: Allison Karlitskaya <allison.karlitskaya at redhat.com>
+Date: Tue, 24 Mar 2026 15:44:15 +0100
+Subject: ws: be more explicit when handling hostnames on cli
+
+`cockpit-ws` has never protected hostnames from being interpreted as cli
+options when passing them to the auth commands (`cockpit-session`,
+`cockpit-ssh`, `cockpit.beiboot`).  There have been a couple of relevant
+changes over the years:
+
+  - our move to using cockpit-session via unix socket has removed
+    exposure to this problem for `cockpit-session`
+
+  - our move from `cockpit-ssh` (glib argument parser) to
+    `cockpit.beiboot` (Python argparse) has unfortunately exposed us to
+    https://github.com/python/cpython/issues/66623 which means (due to a
+    strange heuristic) that arguments starting with '-' can be
+    interpreted as positionals if they also have spaces in them
+
+This gives a way to get a hostname starting with a `-` to ssh (where it
+*will* be interpreted as an option) and the following argument (the
+python invocation on the remote) will be interpreted as the hostname.
+Fortunately, new versions of ssh will reject this hostname.  In any
+case, we should firm up the code here and add `--` to ensure that it's
+definitely interpreted as a hostname by ssh.
+
+For a similar reason add a `--` to the ssh command in `cockpit-ws`.
+
+CVE-2026-4631
+
+Origin: https://github.com/cockpit-project/cockpit/commit/9d0695647
+Origin-ferny: https://github.com/allisonkarlitskaya/ferny/commit/44ec511c99
+Bug-Debian: https://bugs.debian.org/1133022
+---
+ src/cockpit/_vendor/ferny/session.py | 2 +-
+ src/cockpit/beiboot.py               | 4 ++--
+ src/ws/cockpitauth.c                 | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cockpit/_vendor/ferny/session.py b/src/cockpit/_vendor/ferny/session.py
+index d142bdb..ac4616d 100644
+--- a/src/cockpit/_vendor/ferny/session.py
++++ b/src/cockpit/_vendor/ferny/session.py
+@@ -145,7 +145,7 @@ class Session(SubprocessContext, InteractionHandler):
+ 
+         # SSH_ASKPASS_REQUIRE is not generally available, so use setsid
+         process = await asyncio.create_subprocess_exec(
+-            *('/usr/bin/ssh', *args, destination), env=env,
++            *('/usr/bin/ssh', *args, '--', destination), env=env,
+             start_new_session=True, stdin=asyncio.subprocess.DEVNULL,
+             stdout=asyncio.subprocess.DEVNULL, stderr=agent,  # type: ignore
+             preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL))
+diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py
+index 12e369a..0d2a5fe 100644
+--- a/src/cockpit/beiboot.py
++++ b/src/cockpit/beiboot.py
+@@ -274,9 +274,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass: Path, *ssh_opts: str) ->
+         # strip off [] IPv6 brackets
+         if host.startswith('[') and host.endswith(']'):
+             host = host[1:-1]
+-        destination = ['-p', port, host]
++        destination = ['-p', port, '--', host]
+     else:
+-        destination = [dest]
++        destination = ['--', dest]
+ 
+     return (
+         'ssh', *ssh_opts, *destination, shlex.join(cmd)
+diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
+index 3574189..6fd75be 100644
+--- a/src/ws/cockpitauth.c
++++ b/src/ws/cockpitauth.c
+@@ -51,7 +51,7 @@
+ 
+ /* we only support beibooting machines with a known/vetted OS, as it's impossible to guarantee
+  * forward compatibility for all pages */
+-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported";
++const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported --";
+ 
+ /* Some tunables that can be set from tests */
+ const gchar *cockpit_ws_session_program = NULL;
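Review bot: in the cockpitauth.c hunk the `--` is appended to the single `cockpit_ws_ssh_program` string, so the fix depends on the caller (not visible in this hunk) word-splitting that string into argv; if it were handed to a shell or split differently, `--` would not arrive as its own argument and the argparse heuristic described in the commit message would still apply. The patch description would also benefit from stating that this `--` only makes the destination positional for `cockpit.beiboot`'s argparse, while the ssh-level protection comes from the `--` inserted in `session.py` and `beiboot.py`; nothing placed before that `--` (`*args`, `*ssh_opts`, the `-p port` pair) is covered by it, so those must remain caller-controlled. Finally, the diffstat lists only the three source files and no test change; a test feeding a `-`-prefixed destination containing a space through `via_ssh()` would pin the `['--', dest]` ordering, since the commit message notes newer ssh rejects such hostnames anyway and a regression would otherwise go unnoticed.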
