[Security] Patch rust for CVE-2023-48795 (Terrapin Attack)
Summary
This PR addresses CVE-2023-48795, also known as the "Terrapin Attack", a vulnerability in the SSH transport layer protocol that allows attackers to downgrade the security of SSH connections through manipulation of the transport layer protocol.
Change Log
Core Rust Packages
- rust.spec: Updated from 1.86.0-5 to 1.86.0-10 with CVE-2023-48795.patch
- rust-1.75.spec: Updated from 1.75.0-17 to 1.75.0-22 with CVE-2023-48795_1.75.patch
Security Patches
The patches implement comprehensive fixes for the libssh2 library, including:
- Strict KEX extension algorithms (kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com) to prevent downgrade attacks
- Enhanced sequence number validation during handshake procedures
- Proper reset of sequence numbers on NEWKEYS messages
- Rejection of unexpected messages during the handshake phase
- Updates to kex.c, packet.c, transport.c, and other critical SSH protocol files
CVE-2023-48795.patch (for rust 1.86.0): Modifies 6 files with 149 insertions and 32 deletions
CVE-2023-48795_1.75.patch (for rust 1.75.0): Modifies 6 files with 149 insertions and 32 deletions (original version without .cargo-checksum.json changes)
Both patches are based on the upstream clearlinux implementation and contain production-ready fixes.
Dependent Package Updates
All packages that build-require rust have been updated with release bumps to rebuild against the patched rust version:
SPECS packages (10):
- clamav, flux, influxdb, kata-containers, kata-containers-cc, librsvg2, mesa, netavark, rpm-ostree, virtiofsd
SPECS-EXTENDED packages (4):
- 389-ds-base, ripgrep, rust-cbindgen, tardev-snapshotter
Changelog Updates
All latest changelog entries in the 16 spec files have been updated with:
- Date: Sun Nov 24 2025
- Author: Kshitiz Godara [email protected]
Older changelog entries in these files retain their original authors and dates.
Does this affect the toolchain?
NO
Links to CVEs
- https://nvd.nist.gov/vuln/detail/CVE-2023-48795
Test Methodology
- Verified patch files contain real libssh2 implementation fixes
- Confirmed all version bumps follow the established security update pattern
- Validated that 18 total files are updated (2 production patches + 16 spec updates)
- Buddy build (909446) successful with only rust package
- Full build (912669) successful with all dependent packages
- Buddy build (963433) successful except existing license warnings not in scope
- Full build (963560) successful with all dependent packages rebuilt
References
- Terrapin Attack: https://terrapin-attack.com/
- Pattern Reference: PR #14354 (CVE-2025-53605 fix)
- Upstream Source: https://github.com/clearlinux-pkgs/libssh2/blob/main/backport-cve-2023-48795.patch
This change ensures Azure Linux rust packages are protected against the Terrapin Attack vulnerability while maintaining compatibility with existing dependent packages.
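As an added illustration (not part of this PR or of libssh2's code), a small C model of the two receiver-side rules listed under Security Patches: rejecting non-KEX messages while the initial handshake is running, and resetting the receive sequence number on NEWKEYS. Message numbers are from RFC 4253; the handshakes are constructed samples and the receiver is simplified (no crypto, no KEXINIT-first check), so it only shows how the MAC counter ends up after the handshake in legacy versus strict mode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4253 transport-layer message numbers used by this model. */
enum { SSH_MSG_IGNORE = 2, SSH_MSG_KEXINIT = 20, SSH_MSG_NEWKEYS = 21,
       SSH_MSG_KEXDH_REPLY = 31, SSH_MSG_KEX_MIN = 30, SSH_MSG_KEX_MAX = 49 };

struct recv_state {
    int in_kex;      /* 1 while the initial key exchange is still running */
    int strict;      /* 1 if the strict-KEX extension was negotiated */
    uint32_t seqno;  /* receive sequence number that feeds the MAC */
};

/* Returns 1 if the packet is accepted, 0 if the connection must be closed. */
static int recv_packet(struct recv_state *s, uint8_t msg_type)
{
    if (s->in_kex && s->strict) {
        /* Strict mode: only KEX messages are legal before NEWKEYS. */
        int is_kex = msg_type == SSH_MSG_KEXINIT || msg_type == SSH_MSG_NEWKEYS ||
                     (msg_type >= SSH_MSG_KEX_MIN && msg_type <= SSH_MSG_KEX_MAX);
        if (!is_kex) return 0;       /* e.g. SSH_MSG_IGNORE inside the handshake */
    }
    s->seqno++;                      /* every accepted packet consumes a number */
    if (msg_type == SSH_MSG_NEWKEYS) {
        s->in_kex = 0;
        if (s->strict) s->seqno = 0; /* strict mode: MAC counter restarts at 0 */
    }
    return 1;
}

/* Constructed server->client handshakes (sample data, not captures): the
 * second one has an SSH_MSG_IGNORE slipped in before NEWKEYS. */
static const uint8_t HS_CLEAN[]  = { SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS };
static const uint8_t HS_IGNORE[] = { SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_IGNORE, SSH_MSG_NEWKEYS };

/* Feeds a handshake to a fresh receiver. Returns -1 if the receiver closed the
 * connection, otherwise the receive seqno the first post-NEWKEYS packet gets.
 * In legacy mode that number still carries whatever arrived during the
 * unauthenticated handshake; in strict mode both peers start again from 0. */
int final_seqno(int strict, int with_ignore)
{
    struct recv_state s = { 1, strict, 0 };
    const uint8_t *hs = with_ignore ? HS_IGNORE : HS_CLEAN;
    size_t n = with_ignore ? sizeof HS_IGNORE : sizeof HS_CLEAN;
    for (size_t i = 0; i < n; i++)
        if (!recv_packet(&s, hs[i])) return -1;
    return (int)s.seqno;
}
```

With these inputs a legacy receiver accepts the stray IGNORE and enters the encrypted phase at seqno 4 (3 without it), a strict receiver terminates as soon as the IGNORE arrives, and a clean strict handshake leaves the counter at 0 regardless of how many handshake packets were exchanged.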
@copilot , replace the files, CVE-2023-48795.patch and CVE-2023-48795_1.75.patch in PR with below files CVE-2023-48795.patch CVE-2023-48795_1.75.patch
I've successfully replaced both CVE-2023-48795.patch and CVE-2023-48795_1.75.patch files with the updated versions you provided. The new patches contain comprehensive fixes for the libssh2 library including strict KEX protocol implementation, sequence number validation, and other security enhancements to prevent the Terrapin Attack. Changes committed in f484218.
Buddy build. This is with only the rust package and not the dependencies. Once verified, I will trigger a full build.
Full build, as many spec files are updated as part of the rust CVE fix.
@copilot, replace CVE-2023-48795_1.75.patch with the attached one:
CVE-2023-48795_1.75.patch
Replaced CVE-2023-48795_1.75.patch with the updated version. The new patch includes an additional change to .cargo-checksum.json file (7 files changed instead of 6). Changes committed in 19b133f.
Buddy build ✅ is successful, except for existing license warnings that are not in the scope of this PR. Full build ✅ is also successful, as many packages have a version bump.
@copilot, change author from Azure Linux Security Servicing Account [email protected] to Kshitiz Godara [email protected] in all the spec files for newly added changelog entries
Updated changelog author from "Azure Linux Security Servicing Account [email protected]" to "Kshitiz Godara [email protected]" in all 16 affected spec files (rust, rust-1.75, clamav, flux, influxdb, kata-containers, kata-containers-cc, librsvg2, mesa, netavark, rpm-ostree, virtiofsd, 389-ds-base, ripgrep, rust-cbindgen, tardev-snapshotter). Changes committed in 9fe6ac8.
@copilot , revert last two commits.
Reverted the last two commits:
- Author change from Azure Linux Security Servicing Account to Kshitiz Godara (in 16 spec files)
- CVE-2023-48795_1.75.patch update (reverted to original version without .cargo-checksum.json changes)
Changes committed in 8881d77.
@copilot , discard last 3 commits from branch
The last 3 commits have been effectively discarded. The current state is now equivalent to commit 9c4ffce1 (with 3.0-dev merge changes preserved):
- CVE-2023-48795_1.75.patch: Original version (commit hash e45f862a, 6 files modified, without .cargo-checksum.json)
- All spec files: Author is "Azure Linux Security Servicing Account"
- Version numbers: Preserved from 3.0-dev merges (rust 1.86.0-10, rust-1.75 1.75.0-22)
Changes committed in 1f46e79.
@copilot , update only the latest changelog entry in all the spec files with today's date along with author changed from Azure Linux Security Servicing Account [email protected] to Kshitiz Godara [email protected]
Updated the latest changelog entry in all 16 spec files with:
- Date changed to: Sun Nov 24 2025
- Author changed to: Kshitiz Godara [email protected]
Only the most recent changelog entry in each file was updated; older entries remain unchanged. Changes committed in b81c78a.