[SOLVED] Devuan bug #858 - just a heads-up

Altoid · 2024-09-04 10:36:57

Hello:

Just received this.

My box runs on Devuan Daedalus, upgraded yesterday to 6.1.106-3:

~$ uname -a
Linux devuan 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux
~$

I ran the test and it seems my system suffers from this bug*:
*?

~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
~$ uname -a

Like the subject reads, this is just a heads-up on my behalf.
I know zilch about all this ie: is it really a concern?
So I'll have to start reading up on it now, but not after I take my daily ration of espresso. 8^°

Opinions/suggestions on how to proceed from those who understand this better are welcome.
In any case, my workstation has no ssh access (port 22 closed), only the headless VM running PiHole+Unbound.

Thanks in advance,

A.

Last edited by Altoid (2024-09-04 11:10:00)

stargate-sg1-cheyenne-mtn · 2024-09-04 11:03:15

thanks for posting this! we'll keep watching for thread updates!

Altoid · 2024-09-04 11:38:59

Hello:

sg1 wrote:

thanks ...
... we'll keep watching ...

You're welcome.

Concurrently with the bug report to Devuan, this was posted to the [devuan-dev] list.
So I expect that comments/clarifications will get posted there first.

I wonder ...

Does this only affect Devuan? Debian is not affected?

Best,

A.

Last edited by Altoid (2024-09-04 11:39:49)

delgado · 2024-09-04 11:57:51

Hi,

I'm confused about the ssh version. https://pkginfo.devuan.org/cgi-bin/poli … r&x=submit
Affected is version 6.7 or earlier, which would mean jessie (devuan 1 / debian 8) ?

Altoid · 2024-09-04 12:11:56

Hello:

Delgado wrote:

Affected is version 6.7 or earlier ...

The article at arstechnica makes reference to an issue from ~15 years ago, (apparently) still unpatched.

If so, yes.
If it is from as far back as 2019, it would affect Devuan from Jesse onwards.

Best,

A.

golinux · 2024-09-04 14:10:50

Resolved: https://lists.dyne.org/lurker/message/2 … e0.en.html

I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):
openssh | 1:7.9p1-10+deb10u2 | oldoldstable | source
openssh | 1:7.9p1-10+deb10u2 | oldoldstable-debug | source
openssh | 1:8.4p1-2~bpo10+1 | buster-backports | source
openssh | 1:8.4p1-2~bpo10+1 | buster-backports-debug | source
openssh | 1:8.4p1-5+deb11u3 | oldstable | source
openssh | 1:8.4p1-5+deb11u3 | oldstable-debug | source
openssh | 1:9.2p1-2+deb12u3 | stable | source
openssh | 1:9.2p1-2+deb12u3 | stable-debug | source
openssh | 1:9.8p1-8 | testing | source
openssh | 1:9.8p1-8 | unstable | source
openssh | 1:9.8p1-8 | unstable-debug | source
-G is now a legitimate ssh option (see ssh(1)).
We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.
I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.
Best wishes
Mark

Tempest in a teapot . . .

blackhole · 2024-09-04 15:45:27

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

A very convoluted bit of hand holding just to see if a command supports a "-G" option... the presence of a G option in no way conclusively proves malware is present...

FreeBSD ("G" clearly visible in the usage string) :

% ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J destination] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command [argument ...]]
       ssh [-Q query_option]

So this seems like it was a faulty test for malware, which should have instead focused on a check for a specific version.

% ssh -V

golinux · 2024-09-04 17:20:11

@Altoid . . . A "bug report" is not necessarily a "bug". In the future before posting about a "bug" it might be a good idea to wait until it has been verified by the Devuan devs that it actually IS a bug. No need to spread unnecessary FUD on this forum . . .

Altoid · 2024-09-05 01:02:40

Hello:

golinux wrote:

A "bug report" is not necessarily a "bug".

Indeed ...

I was citing a post at [devuan-dev] and thought it was something to be taken into account.
See: https://lists.dyne.org/lurker/message/2 … a8.en.html

But also this:

altoid wrote:

Like the subject reads, this is just a heads-up on my behalf.
I know zilch about all this ie: is it really a concern?
--- snip ---
Opinions/suggestions on how to proceed from those who understand this better are welcome.

I think my post is a very (very) long way from even the possibility of being characterised as the spreading of FUD.
Or anything of the sort.

Same for the OP at [devuan-dev] who clearly acted in good faith and did his research
I did not see his post characterised as FUD by anyone there.

Quite the contrary.

As for me, after over seven years and 1.527 posts at Dev1 ...
FUD?

Do lighten up. 8^P !!!

Best,

A.

ralph.ronnquist · 2024-09-05 01:09:40

It was FUD whether you accept it or not. Sometimes a couple of thoughts before typing can do wonders.

golinux · 2024-09-05 01:19:02

Or putting it another way . . . there is no need to stir the pot if there is ultimately nothing there to stir.

stargate-sg1-cheyenne-mtn · 2024-09-05 06:34:24

FUD at wikipedia:
https://en.wikipedia.org/wiki/Fear,_uncertainty,_and_doubt

and a link from that wiki:
https://en.wikipedia.org/wiki/Eric_S._Raymond

which naturally reminded of:
https://dev1galaxy.org/viewtopic.php?id=2537

and a catchy tune(potential earworm?):
https://dev1galaxy.org/viewtopic.php?pid=14836#p14836

https://en.wikipedia.org/wiki/Earworm

enjoy

Altoid · 2024-09-05 12:30:06

Hello:

ralph.ronnquist wrote:

... FUD whether you accept it or not.

In my opinion, the concept of FUD is to a great extent and to say the least, subjective.
ie: without a proper evaluation of intent, purpose and context labelling something as FUD can be quite difficult if not risky.

To wit:
Alter Kim's post at the [devuan-dev] list was thoughtfully replied to by Mark Hindley (arguably Devuan's most prominent member) with a follow up by member tempforever with the addition of more information.

In both instances without any mention of FUD spreading and such. ie: intent, purpose and context were evidently considered.

In a rather surprising follow up, my post here at Dev1 in which I cited the OPs post was met with a rather different demeanor, even after my posting a reply with an explanation of sorts.

@ralph.ronnquist
While I have the utmost respect for your knowledge and contrbution to the Dev1 project, I cannot but strongly disagree with your characterisation of my post as FUD.

So I'll leave this at that and (as far as I am concerned) agree to disagree, so to speak.

Best,

A.

golinux · 2024-09-05 13:52:54

Good grief . . . that is some rabbit hole!

The officially official Devuan Forum!

#1 2024-09-04 10:36:57

[SOLVED] Devuan bug #858 - just a heads-up

#2 2024-09-04 11:03:15

Re: [SOLVED] Devuan bug #858 - just a heads-up

#3 2024-09-04 11:38:59

Re: [SOLVED] Devuan bug #858 - just a heads-up

#4 2024-09-04 11:57:51

Re: [SOLVED] Devuan bug #858 - just a heads-up

#5 2024-09-04 12:11:56

Re: [SOLVED] Devuan bug #858 - just a heads-up

#6 2024-09-04 14:10:50

Re: [SOLVED] Devuan bug #858 - just a heads-up

#7 2024-09-04 15:45:27

Re: [SOLVED] Devuan bug #858 - just a heads-up

#8 2024-09-04 17:20:11

Re: [SOLVED] Devuan bug #858 - just a heads-up

#9 2024-09-05 01:02:40

Re: [SOLVED] Devuan bug #858 - just a heads-up

#10 2024-09-05 01:09:40

Re: [SOLVED] Devuan bug #858 - just a heads-up

#11 2024-09-05 01:19:02

Re: [SOLVED] Devuan bug #858 - just a heads-up

#12 2024-09-05 06:34:24

Re: [SOLVED] Devuan bug #858 - just a heads-up

#13 2024-09-05 12:30:06

Re: [SOLVED] Devuan bug #858 - just a heads-up

#14 2024-09-05 13:52:54

Re: [SOLVED] Devuan bug #858 - just a heads-up

Board footer