
[Security] Patch rust for CVE-2023-48795 (Terrapin Attack)

Open Copilot opened this issue 4 months ago • 15 comments

Summary

This PR addresses CVE-2023-48795, also known as the "Terrapin Attack", a vulnerability in the SSH transport layer protocol that lets an on-path attacker downgrade the security of an SSH connection by manipulating the transport layer handshake.

Change Log

Core Rust Packages

  • rust.spec: Updated from 1.86.0-5 to 1.86.0-10 with CVE-2023-48795.patch
  • rust-1.75.spec: Updated from 1.75.0-17 to 1.75.0-22 with CVE-2023-48795_1.75.patch

Security Patches

The patches carry the upstream libssh2 fixes into the libssh2 sources bundled in the rust source tree, including:

  • Strict KEX extension pseudo-algorithms (kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com) to prevent downgrade attacks
  • Stricter sequence number validation during the handshake
  • Proper reset of sequence numbers on NEWKEYS messages
  • Rejection of unexpected messages during the handshake phase
  • Updates to kex.c, packet.c, transport.c, and other core SSH transport files

CVE-2023-48795.patch (for rust 1.86.0): Modifies 6 files with 149 insertions and 32 deletions

CVE-2023-48795_1.75.patch (for rust 1.75.0): Modifies 6 files with 149 insertions and 32 deletions (original version without .cargo-checksum.json changes)

Both patches are based on the upstream clearlinux implementation and contain production-ready fixes.
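To make the three mitigations listed above concrete, here is a small model of the receive side of the SSH key exchange, added as an illustration for this PR (it is not libssh2, clearlinux or Azure Linux code). It parses the kex_algorithms name-list out of a constructed SSH_MSG_KEXINIT payload to decide whether strict KEX was negotiated, and then shows how a strict receiver rejects a transport message that arrives mid-handshake and restarts its packet sequence number at zero after NEWKEYS, while a legacy receiver silently counts the extra packet. Message numbers and the packet layout follow RFC 4253; the `HandshakeReceiver` class, `build_kexinit()` and the message trace are constructed for the example.

```python
"""Model of the strict-KEX (Terrapin) mitigations: negotiation of the
kex-strict-*-v00@openssh.com pseudo-algorithms, rejection of unexpected
messages during the handshake, and sequence number reset on NEWKEYS.
Added illustration, not libssh2 or Azure Linux code."""
import struct

# SSH_MSG_* numbers from RFC 4253 section 12.
SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_DEBUG = 4
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_KEXDH_REPLY = 31

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def parse_kexinit(payload: bytes) -> list[str]:
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    # byte msg id, 16-byte cookie, then name-list kex_algorithms (uint32 length + comma-separated names)
    off = 1 + 16
    (length,) = struct.unpack_from(">I", payload, off)
    off += 4
    names = payload[off:off + length].decode("ascii")
    return names.split(",") if names else []


def build_kexinit(kex_algs: list[str]) -> bytes:
    """Constructed KEXINIT payload carrying only the fields parse_kexinit() reads (zero cookie)."""
    names = ",".join(kex_algs).encode("ascii")
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + struct.pack(">I", len(names)) + names


def strict_kex_negotiated(client_kexinit: bytes, server_kexinit: bytes) -> bool:
    """Strict KEX applies only when each side advertised its own flag (client c-v00, server s-v00)."""
    return (STRICT_KEX_CLIENT in parse_kexinit(client_kexinit)
            and STRICT_KEX_SERVER in parse_kexinit(server_kexinit))


class HandshakeReceiver:
    """Receive side of one direction of the initial key exchange (hypothetical model).

    Tracks the uint32 packet sequence number that feeds the MAC. In strict mode
    only KEX messages are accepted before NEWKEYS and the counter restarts at
    zero afterwards, so a packet inserted into or removed from the handshake
    desynchronises the MAC and is detected instead of shifting the counter."""

    HANDSHAKE_ALLOWED = {SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS}
    # RFC 4253 allows these at any time; pre-strict implementations honoured them mid-handshake.
    TRANSPORT_ANYTIME = {SSH_MSG_IGNORE, SSH_MSG_DEBUG, SSH_MSG_UNIMPLEMENTED}

    def __init__(self, strict: bool):
        self.strict = strict
        self.seq = 0  # packet sequence number, RFC 4253 section 6.4
        self.in_handshake = True
        self.disconnected = False

    def receive(self, msg_type: int) -> str:
        if self.disconnected:
            return "disconnected"
        if self.in_handshake and msg_type in self.TRANSPORT_ANYTIME:
            if self.strict:
                self.disconnected = True
                return "disconnect: unexpected message during strict KEX"
            self.seq = (self.seq + 1) & 0xFFFFFFFF  # legacy: counted but never authenticated
            return "ignored"
        if self.in_handshake and msg_type not in self.HANDSHAKE_ALLOWED:
            self.disconnected = True
            return "disconnect: protocol error"
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        if msg_type == SSH_MSG_NEWKEYS:
            self.in_handshake = False
            if self.strict:
                self.seq = 0  # strict KEX: both directions restart counting after NEWKEYS
        return "accepted"


def run_handshake(strict: bool, messages: list[int]) -> tuple[list[str], int]:
    """Feed a message trace to a receiver; return per-message verdicts and the final sequence number."""
    rx = HandshakeReceiver(strict)
    return [rx.receive(m) for m in messages], rx.seq


# Constructed client-side traces: a clean handshake, and one with a stray IGNORE before NEWKEYS.
CLEAN_TRACE = [SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS]
STRAY_IGNORE_TRACE = [SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_IGNORE, SSH_MSG_NEWKEYS]

if __name__ == "__main__":
    client = build_kexinit(["curve25519-sha256", STRICT_KEX_CLIENT])
    server = build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER])
    strict = strict_kex_negotiated(client, server)
    print("strict KEX negotiated:", strict)
    print("legacy receiver:", run_handshake(False, STRAY_IGNORE_TRACE))
    print("strict receiver:", run_handshake(strict, STRAY_IGNORE_TRACE))
```

The legacy receiver reports the stray message as "ignored" and finishes with its counter one higher than the clean handshake would give, which is exactly the unauthenticated counter shift the strict mode removes; the strict receiver disconnects on that message and, on a clean handshake, leaves NEWKEYS with the counter back at zero.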

Dependent Package Updates

All packages that build-require rust have been updated with release bumps to rebuild against the patched rust version:

SPECS packages (10):

  • clamav, flux, influxdb, kata-containers, kata-containers-cc, librsvg2, mesa, netavark, rpm-ostree, virtiofsd

SPECS-EXTENDED packages (4):

  • 389-ds-base, ripgrep, rust-cbindgen, tardev-snapshotter

Changelog Updates

All latest changelog entries in the 16 spec files have been updated with:

Older changelog entries in these files retain their original authors and dates.

Does this affect the toolchain?

NO

Links to CVEs

  • https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Test Methodology

  • Verified patch files contain real libssh2 implementation fixes
  • Confirmed all version bumps follow the established security update pattern
  • Validated that 18 total files are updated (2 production patches + 16 spec updates)
  • Buddy build (909446) successful with only rust package
  • Full build (912669) successful with all dependent packages
  • Buddy build (963433) successful except existing license warnings not in scope
  • Full build (963560) successful with all dependent packages rebuilt

References

  • Terrapin Attack: https://terrapin-attack.com/
  • Pattern Reference: PR #14354 (CVE-2025-53605 fix)
  • Upstream Source: https://github.com/clearlinux-pkgs/libssh2/blob/main/backport-cve-2023-48795.patch

This change ensures Azure Linux rust packages are protected against the Terrapin Attack vulnerability while maintaining compatibility with existing dependent packages.



Copilot · Aug 25 '25 10:08