Bug 2166916

Summary: openssh: Invalid characters can be included in DNS hostnames via CanonicalizeHostname and CanonicalizePermittedCNAMEs options
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: bdettelb, caswilli, dbelyavs, dffrench, dfreiber, dkuc, fjansen, gzaronik, hkataria, jburrell, jjelen, jkoehler, jmitchel, jtanner, jwon, kaycoth, kshier, micjohns, ngough, psegedy, rgodfrey, rogbas, sthirugn, tsasak, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssh 9.2
Bug Blocks: 2166917    

Description Pedro Sampaio 2023-02-03 13:51:39 UTC
In OpenSSH before 9.2, if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options were enabled, and the system/libc resolver did not check that names in DNS responses were valid, then use of these options could allow an attacker with control of DNS to include invalid characters (possibly including wildcards) in names added to known_hosts files when they were updated. These names would still have to match the CanonicalizePermittedCNAMEs allow-list, so practical exploitation appears unlikely.

References:

https://www.openssh.com/releasenotes.html
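
An audit for the condition described above, added here as an example (it is not part of the bug report or of OpenSSH): it lists plain-text known_hosts names that contain characters outside a conservative hostname alphabet. The alphabet, the function names and the sample file content are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: conservative hostname alphabet (letters, digits, '.', '-', '_').
VALID_NAME = re.compile(r"^[A-Za-z0-9._-]+$")
BRACKETED = re.compile(r"^\[(.+)\]:\d+$")  # [host]:port form for non-default ports

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_hosts(known_hosts_text):
    """Return (line_number, name) for plain-text names outside VALID_NAME."""
    findings = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 2:
            continue
        for name in fields[0].split(","):
            if name.startswith("|1|"):     # hashed name: cannot be inspected
                continue
            m = BRACKETED.match(name)
            host = m.group(1) if m else name
            if not is_ip_literal(host) and not VALID_NAME.match(host):
                findings.append((lineno, name))
    return findings

# Constructed sample; key material is a placeholder, not a real key.
SAMPLE = """\
# constructed known_hosts content
build.example.com,192.0.2.10 ssh-ed25519 AAAAPLACEHOLDER
[git.example.com]:2222 ssh-ed25519 AAAAPLACEHOLDER
*.example.com ssh-ed25519 AAAAPLACEHOLDER
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAPLACEHOLDER
@cert-authority ca?.example.com ssh-ed25519 AAAAPLACEHOLDER
2001:db8::1 ssh-ed25519 AAAAPLACEHOLDER
"""

if __name__ == "__main__":
    for lineno, name in suspicious_hosts(SAMPLE):
        print(f"line {lineno}: review host entry {name!r}")
```

Wildcard patterns that an administrator added deliberately are reported as well, so each finding needs manual review; entries written with HashKnownHosts are skipped because the name cannot be recovered from the hash.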