debian

15 May 2026

Planet Debian

Bits from Debian: New Debian Developers and Maintainers (March and April 2026)

The following contributors got their Debian Developer accounts in the last two months:

Filip Strömbäck (fstromback)
Arthur Diniz (arthurbd)
Manuel Traut (manut)
Xiyue Deng (manphiz)
kpcyrd (kpcyrd)

The following contributors were added as Debian Maintainers in the last two months:

Chris Talbot
Gabriel Filion
Mate Kukri

Congratulations!

15 May 2026 2:00pm GMT

Russell Coker: Debian SE Linux and ssh-keysign-pwn

I just tested out the ssh-keysign-pwn exploit [1] on Debian kernel 6.12.74+deb13+1-amd64 which was released before these exploits.

When sshkeysign_pwn is run as user_t the following is logged in the audit log and it fails to exploit anything:

type=SYSCALL msg=audit(1778831599.951:22353257): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=c a2=0 a3=1b8020 items=0 ppid=5632 pid=6654 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="sshkeysign_pwn" exe="/home/test/a/ssh-keysign-pwn/sshkeysign_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1778831599.951:22353257): proctitle="./sshkeysign_pwn"
type=AVC msg=audit(1778831599.951:22353258): avc:  denied  { ptrace } for  pid=6654 comm="sshkeysign_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0

When it is run as unconfined_t the contents of the /etc/ssh/ssh_host_ecdsa_key file are correctly displayed on standard out in about 10ms, the file in question is only readable by root and a non-root user can use this exploit to read it.

It wouldn't be uncommon to have a system configured to allow users to trace their own processes. The following policy addition grants access for the user to trace their own processes:

allow user_t self:process ptrace;

With that in place the sshkeysign_pwn exploit still doesn't work and there are logs like the following:

type=AVC msg=audit(1778833455.726:57355191): avc:  denied  { read } for  pid=6941 comm="ssh-keysign" name="ssh_host_rsa_key" dev="vda" ino=15492 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1778833455.726:57355191): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=55eadec43061 a2=0 a3=0 items=0 ppid=6933 pid=6941 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="ssh-keysign" exe="/usr/lib/openssh/ssh-keysign" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="test" UID="test" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"

So if you could find some secret data in a file that's only restricted by Unix permissions and user_t is granted ptrace access then a variant of that exploit could work.

When user_t is allowed ptrace access the chage_pwn exploit fails with the following log entries, so any binary that runs in a different domain can't be used in that situation.

type=AVC msg=audit(1778833908.020:57434896): avc:  denied  { ptrace } for  pid=7037 comm="chage_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1778833908.020:57434896): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=5 a2=0 a3=1b7e00000000 items=0 ppid=5632 pid=7037 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="chage_pwn" exe="/home/test/a/ssh-keysign-pwn/chage_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"

Conclusion

In a "strict" configuration with users having the user_t domain a Debian system is not vulnerable to these exploits unless there is some configuration error or some unusual configuration choices. Users with the unconfined_t domain can successfully run the exploits.

[1] https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

15 May 2026 8:48am GMT

Daniel Baumann: Debian: Linux Vulnerability Mitigation (ssh-keysign-pwn)

After the Linux local root privilege escalations of the last two weeks, the bug of today is ssh-keysign-pwn [CVE-2026-46333] which allows to read root-owned files as an unprivileged user.

Exploiting the vulnerability doesn't require to load any specific modules like the bugs from the last weeks, this one needs to be fixed by rebooting the system into an updated kernel.

I've cherry-picked the upstream commit to fix it in trixie-fastforward-backports (linux 7 backports for trixie), confirmed that the exploits don't work anymore, and submitted a merge request for sid.

Updates:

linux-vulnerability-mitigation 20260515-1 contains a partial mitigation for ssh-keysign-pwn (this makes all exploits known so far to stop working, however, there's definitely more needed), thanks to Salvatore Bonaccorso (carnil): echo 2 > /proc/sys/kernel/yama/ptrace_scope

linux-vulnerability-mitigation is uploaded to sid - until it is available on deb.debian.org, use people.debian.org/~daniel

linux 7.0.7-1 is uploaded to trixie-fastforward-backports as 7.0.7-1~ffwd13+u1, replacing the previously cherry-picked 7.0.4-1~ffwd13+u2 upload

Added references to [CVE-2026-46333]

15 May 2026 12:14am GMT