Version in base suite: 337-1 Base version: cockpit_337-1 Target version: cockpit_337-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cockpit/cockpit_337-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cockpit/cockpit_337-1+deb13u1.dsc changelog | 7 gbp.conf | 2 patches/series | 1 patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch | 80 ++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptznmdyja/cockpit_337-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptznmdyja/cockpit_337-1+deb13u1.dsc: no acceptable signature found diff -Nru cockpit-337/debian/changelog cockpit-337/debian/changelog --- cockpit-337/debian/changelog 2025-04-23 14:11:05.000000000 +0000 +++ cockpit-337/debian/changelog 2026-04-09 03:29:56.000000000 +0000 @@ -1,3 +1,10 @@ +cockpit (337-1+deb13u1) trixie; urgency=medium + + * ws: Be more explicit when handling hostnames on cli. + [CVE-2026-4631] (Closes: #1133022, #1133122) + + -- Martin Pitt Thu, 09 Apr 2026 05:29:56 +0200 + cockpit (337-1) unstable; urgency=medium * New upstream release: diff -Nru cockpit-337/debian/gbp.conf cockpit-337/debian/gbp.conf --- cockpit-337/debian/gbp.conf 2023-06-14 11:51:32.000000000 +0000 +++ cockpit-337/debian/gbp.conf 2026-04-09 03:12:12.000000000 +0000 @@ -1,4 +1,4 @@ [DEFAULT] pristine-tar = True patch-numbers = False -debian-branch = master +debian-branch = trixie diff -Nru cockpit-337/debian/patches/series cockpit-337/debian/patches/series --- cockpit-337/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ cockpit-337/debian/patches/series 2026-04-09 03:23:29.000000000 +0000 @@ -0,0 +1 @@ +ws-be-more-explicit-when-handling-hostnames-on-cli.patch diff -Nru cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch --- cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch 1970-01-01 00:00:00.000000000 +0000 +++ cockpit-337/debian/patches/ws-be-more-explicit-when-handling-hostnames-on-cli.patch 2026-04-09 03:23:29.000000000 +0000 @@ -0,0 +1,80 @@ +From: Allison Karlitskaya +Date: Tue, 24 Mar 2026 15:44:15 +0100 +Subject: ws: be more explicit when handling hostnames on cli + +`cockpit-ws` has never protected hostnames from being interpreted as cli +options when passing them to the auth commands (`cockpit-session`, +`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant +changes over the years: + + - our move to using cockpit-session via unix socket has removed + exposure to this problem for `cockpit-session` + + - our move from `cockpit-ssh` (glib argument parser) to + `cockpit.beiboot` (Python argparse) has unfortunately exposed us to + https://github.com/python/cpython/issues/66623 which means (due to a + strange heuristic) that arguments starting with '-' can be + interpreted as positionals if they also have spaces in them + +This gives a way to get a hostname starting with a `-` to ssh (where it +*will* be interpreted as an option) and the following argument (the +python invocation on the remote) will be interpreted as the hostname. +Fortunately, new versions of ssh will reject this hostname. In any +case, we should firm up the code here and add `--` to ensure that it's +definitely interpreted as a hostname by ssh. + +For a similar reason add a `--` to the ssh command in `cockpit-ws`. + +CVE-2026-4631 + +Origin: https://github.com/cockpit-project/cockpit/commit/9d0695647 +Origin-ferny: https://github.com/allisonkarlitskaya/ferny/commit/44ec511c99 +Bug-Debian: https://bugs.debian.org/1133022 +--- + src/cockpit/_vendor/ferny/session.py | 2 +- + src/cockpit/beiboot.py | 4 ++-- + src/ws/cockpitauth.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/cockpit/_vendor/ferny/session.py b/src/cockpit/_vendor/ferny/session.py +index d142bdb..ac4616d 100644 +--- a/src/cockpit/_vendor/ferny/session.py ++++ b/src/cockpit/_vendor/ferny/session.py +@@ -145,7 +145,7 @@ class Session(SubprocessContext, InteractionHandler): + + # SSH_ASKPASS_REQUIRE is not generally available, so use setsid + process = await asyncio.create_subprocess_exec( +- *('/usr/bin/ssh', *args, destination), env=env, ++ *('/usr/bin/ssh', *args, '--', destination), env=env, + start_new_session=True, stdin=asyncio.subprocess.DEVNULL, + stdout=asyncio.subprocess.DEVNULL, stderr=agent, # type: ignore + preexec_fn=lambda: prctl(PR_SET_PDEATHSIG, signal.SIGKILL)) +diff --git a/src/cockpit/beiboot.py b/src/cockpit/beiboot.py +index 12e369a..0d2a5fe 100644 +--- a/src/cockpit/beiboot.py ++++ b/src/cockpit/beiboot.py +@@ -274,9 +274,9 @@ def via_ssh(cmd: Sequence[str], dest: str, ssh_askpass: Path, *ssh_opts: str) -> + # strip off [] IPv6 brackets + if host.startswith('[') and host.endswith(']'): + host = host[1:-1] +- destination = ['-p', port, host] ++ destination = ['-p', port, '--', host] + else: +- destination = [dest] ++ destination = ['--', dest] + + return ( + 'ssh', *ssh_opts, *destination, shlex.join(cmd) +diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c +index 3574189..6fd75be 100644 +--- a/src/ws/cockpitauth.c ++++ b/src/ws/cockpitauth.c +@@ -51,7 +51,7 @@ + + /* we only support beibooting machines with a known/vetted OS, as it's impossible to guarantee + * forward compatibility for all pages */ +-const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported"; ++const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported --"; + + /* Some tunables that can be set from tests */ + const gchar *cockpit_ws_session_program = NULL;