-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSH certificate encoding/parsing incompatibility with OpenSSH #9207
Comments
lkubb
added a commit
to lkubb/pyca-cryptography
that referenced
this issue
Jul 10, 2023
reaperhulk
pushed a commit
that referenced
this issue
Jul 10, 2023
* Add tests for issue #9207 * Fix encoding of SSH certs with critical options * Test unexpected additional values for crit opts/exts
A few more steps before we close this:
|
reaperhulk
pushed a commit
to reaperhulk/cryptography
that referenced
this issue
Jul 10, 2023
* Add tests for issue pyca#9207 * Fix encoding of SSH certs with critical options * Test unexpected additional values for crit opts/exts
alex
pushed a commit
that referenced
this issue
Jul 11, 2023
* Fix encoding of SSH certs with critical options (#9208) * Add tests for issue #9207 * Fix encoding of SSH certs with critical options * Test unexpected additional values for crit opts/exts * temporarily allow invalid ssh cert encoding --------- Co-authored-by: jeanluc <2163936+lkubb@users.noreply.github.com>
Okay this is now released in 41.0.2 😄 |
s0undt3ch
added a commit
to s0undt3ch/salt
that referenced
this issue
Jul 16, 2023
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38325 pyca/cryptography#9207 pyca/cryptography#9208 pyca/cryptography@41.0.1...41.0.2 https://pypi.org/project/cryptography/#history pyca/cryptography@1ca7adc Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
s0undt3ch
referenced
this issue
in s0undt3ch/salt
Jul 16, 2023
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38325 [https://github.com/pyca/cryptography/issues/9207](pyca/cryptography#9207) [https://github.com/pyca/cryptography/issues/9208](pyca/cryptography#9208) [https://github.com/pyca/cryptography/compare/41.0.1...41.0.2](pyca/cryptography@41.0.1...41.0.2) https://pypi.org/project/cryptography/#history [https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3](pyca/cryptography@1ca7adc) Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
s0undt3ch
referenced
this issue
in s0undt3ch/salt
Jul 16, 2023
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38325 [https://github.com/pyca/cryptography/issues/9207](pyca/cryptography#9207) [https://github.com/pyca/cryptography/issues/9208](pyca/cryptography#9208) [https://github.com/pyca/cryptography/compare/41.0.1...41.0.2](pyca/cryptography@41.0.1...41.0.2) https://pypi.org/project/cryptography/#history [https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3](pyca/cryptography@1ca7adc) Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
s0undt3ch
referenced
this issue
in s0undt3ch/salt
Jul 16, 2023
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38325 [https://github.com/pyca/cryptography/issues/9207](pyca/cryptography#9207) [https://github.com/pyca/cryptography/issues/9208](pyca/cryptography#9208) [https://github.com/pyca/cryptography/compare/41.0.1...41.0.2](pyca/cryptography@41.0.1...41.0.2) https://pypi.org/project/cryptography/#history [https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3](pyca/cryptography@1ca7adc) Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
garethgreenaway
referenced
this issue
in saltstack/salt
Jul 17, 2023
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38325 [https://github.com/pyca/cryptography/issues/9207](pyca/cryptography#9207) [https://github.com/pyca/cryptography/issues/9208](pyca/cryptography#9208) [https://github.com/pyca/cryptography/compare/41.0.1...41.0.2](pyca/cryptography@41.0.1...41.0.2) https://pypi.org/project/cryptography/#history [https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3](pyca/cryptography@1ca7adc) Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
Is it correct that this issue affects cryptography>=40.0? The patched code appears to be introduced only in 40.0. Thanks! |
Yes. It should be noted that contrary to what's in the CVE, this isn't a
security issue, its just a bug.
…On Fri, Jul 28, 2023 at 8:56 PM Michael Chan ***@***.***> wrote:
Is it correct that this issue affects cryptography>=40.0? The patched code
appears to be introduced only in 40.0. Thanks!
—
Reply to this email directly, view it on GitHub
<#9207 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBH4TRVHYZZ7GNNUXJLXSRNVRANCNFSM6AAAAAA2EJ2NBU>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
This was referenced Aug 16, 2023
Shortfinga
added a commit
to Shortfinga/advisory-database
that referenced
this issue
Aug 21, 2023
According to the CVE (https://nvd.nist.gov/vuln/detail/CVE-2023-38325) the vulnerability only affects >=40.0. The GHSA (GHSA-cf7p-gm2m-833m) also says this. In the issues this was asked and answered explicitly (pyca/cryptography#9207 (comment)).
sethmlarson
pushed a commit
to pypa/advisory-database
that referenced
this issue
Aug 21, 2023
According to the CVE (https://nvd.nist.gov/vuln/detail/CVE-2023-38325) the vulnerability only affects >=40.0. The GHSA (GHSA-cf7p-gm2m-833m) also says this. In the issues this was asked and answered explicitly (pyca/cryptography#9207 (comment)).
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
There is an encoding mismatch regarding critical options with values between
ssh-keygen
andcryptography
:ssh-keygen
withcryptography
does not yield expected values.SSHCertificateBuilder
withssh-keygen
fails.Steps
Re 1:
ssh-keygen -t ed25519
ssh-keygen -t ecdsa
ssh-keygen -s id_ed25519 -n cryptouser,testuser -I test@cryptography.io -O "critical:force-command=echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -O "critical:verify-required" -V 0x63b2b264:0x767eb5c0 id_ecdsa.pub
cryptography
:Re 2:
cryptography
ssh-keygen
Background
The specification is a bit confusing in regards to how critical options/extensions with values should be encoded:
Source
golang/crypto
had the same issue: golang/go#10569The text was updated successfully, but these errors were encountered: