
Bug#1064898: /usr/bin/sshd: mktemp - literal X-s in /tmp directory names



On Tue, Feb 27, 2024 at 12:56:47PM +0100, Csillag Tamas wrote:
>    * What led up to the situation?
>      After upgrading to debian 12 I am seeing directories in /tmp like:
>      ssh-XXXXXXnOKqkt, ssh-XXXXXXtGmfLV
>    * What was the outcome of this action?
>    * What outcome did you expect instead?
>      These directories are created by sshd.
>      In oldstable and OpenBSD the directories are as expected:
>      ssh-LwxtSMoGSV, ssh-JPcQMaBN6s
> 
>      The regression might be only in openssh-portable?
> 
> As there are still 6 variable characters, this might not be easily exploitable
> security-wise, and it used to be 10, just as in OpenBSD current.

This is the same as https://bugs.debian.org/1001186; it's fixed for the
next development release, but not yet for bookworm.

Since this doesn't appear to be immediately serious, my inclination is
to queue this up to fix along with the next bookworm openssh security
update (whenever that might be), but not to trouble the security team
with it right away.  Does that sound reasonable?

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
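Added example, not code from the bug report, Debian or OpenSSH: a small C program that reproduces the behaviour described above and shows a replacement that randomises every trailing X. It assumes a twelve-X template, `ssh-XXXXXXXXXXXX`, which is inferred from the reported names (six literal X's followed by six random characters); the real OpenSSH template and the fix referenced in #1001186 are not shown on this page. glibc's and musl's mkdtemp() replace only the last six characters of the template and leave any earlier X's literal, whereas OpenBSD's replaces every trailing X, so the same template gives a name like `ssh-XXXXXXnOKqkt` on one and a fully random suffix on the other. `mkdtemp_all_x()` and `literal_x_count()` are hypothetical helper names introduced here.

```c
/* Added example: reproduce mkdtemp() leaving leading X's literal, and a
 * replacement that randomises every trailing X (assumed 12-X template). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>
#include <sys/stat.h>

typedef char *(*mkdtemp_fn)(char *);

static const char alphabet[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Uniform index into alphabet from getentropy(); bytes >= 248 (4 * 62) are
 * rejected so that the modulo does not bias the first eight letters. */
static int rand_index(void)
{
    unsigned char b;
    do {
        if (getentropy(&b, 1) != 0)
            return -1;
    } while (b >= 248);
    return b % 62;
}

/* Behaves like OpenBSD's mkdtemp(): every trailing 'X' in template is
 * replaced, not just the last six.  mkdir() failing with EEXIST provides
 * the atomic create-or-retry.  Returns template, or NULL with errno set. */
char *mkdtemp_all_x(char *template)
{
    size_t len = strlen(template), nx = 0;
    while (nx < len && template[len - 1 - nx] == 'X')
        nx++;
    if (nx < 6) {
        errno = EINVAL;
        return NULL;
    }
    char *suffix = template + len - nx;
    for (int attempt = 0; attempt < 100; attempt++) {
        for (size_t i = 0; i < nx; i++) {
            int r = rand_index();
            if (r < 0)
                return NULL;
            suffix[i] = alphabet[r];
        }
        if (mkdir(template, 0700) == 0)
            return template;
        if (errno != EEXIST)
            return NULL;
    }
    errno = EEXIST;
    return NULL;
}

/* Create "<TMPDIR or /tmp>/<template>" with fn, count the run of 'X'
 * characters that follow the fixed prefix (prefix_len bytes, "ssh-" = 4),
 * remove the directory, and repeat.  The minimum over `trials` runs is
 * returned, because a genuinely random character can also be 'X'.
 * Returns -1 if any call fails. */
int literal_x_count(mkdtemp_fn fn, const char *template, size_t prefix_len,
                    int trials)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int best = -1;
    for (int t = 0; t < trials; t++) {
        char path[4096];
        if ((size_t)snprintf(path, sizeof path, "%s/%s", dir, template)
            >= sizeof path)
            return -1;
        if (fn(path) == NULL)
            return -1;
        const char *base = strrchr(path, '/') + 1;
        int n = 0;
        for (const char *p = base + prefix_len; *p == 'X'; p++)
            n++;
        rmdir(path);
        if (best < 0 || n < best)
            best = n;
    }
    return best;
}

int main(void)
{
    /* Assumed template: 12 X's, matching "ssh-XXXXXXnOKqkt" from the report. */
    const char *tmpl = "ssh-XXXXXXXXXXXX";
    printf("libc mkdtemp():  %d literal X's left\n",
           literal_x_count(mkdtemp, tmpl, 4, 8));
    printf("mkdtemp_all_x(): %d literal X's left\n",
           literal_x_count(mkdtemp_all_x, tmpl, 4, 8));
    return 0;
}
```

On glibc the first line prints 6 and the second 0; on a libc that replaces all trailing X's both print 0. The measurement takes the minimum over several runs because the random part of a name can legitimately contain an X. The replacement does what any portable wrapper has to do if it wants the full entropy of a longer template: draw the whole suffix itself (with rejection sampling, so no letter is favoured) and rely on mkdir() refusing an existing name rather than on the libc's choice of how many characters to fill in.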

