Your message dated Sun, 10 Feb 2019 19:51:50 +0000
with message-id <[email protected]>
and subject line Bug#921655: fixed in rssh 2.3.4-11
has caused the Debian Bug report #921655,
regarding rssh 2.3.4-4+deb8u2 breaks download of multiple files.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
921655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921655
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rssh
Version: 2.3.4-4+deb8u2
Severity: important
Since our fileserver auto patched to rssh 2.3.4-4+deb8u2 this morning, our
automated scp requests have been failing if we try get multiple files from the
server in one wildcarded request.
So to recreate
---------
$ scp [email protected]://directory//file.x86_64_*.*.zip .
The authenticity of host 'example.com (192.168.60.224)' can't be established.
ECDSA key fingerprint is ########################
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com (192.168.60.224)' (ECDSA) to the list
of known hosts.
insecure scp option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp rsync
If you believe this is in error, please contact your system administrator.
----------
where example.com://directory//file.x86_64_*.*.zip matched 2 or more files
Moving files from the fileserver until there's only one match results in a
successful download.
Not using wildcards is also ok.
I believe this was caused by the new method "static int scp_okay( char **vec )",
which seems to deliberately fail if there are multiple files seen. The end of
the loop seems designed to fail if saw_file is already true?
---------------------
+/*
+ * scp_okay() - take the command line and check that it is a hopefully-safe scp
+ * server command line, accepting only very specific options.
+ * Returns FALSE if the command line should not be allowed, TRUE
+ * if it is okay.
+ */
+static int scp_okay( char **vec )
+{
+ int saw_file = FALSE;
+ int saw_end = FALSE;
+
+ for ( vec++; vec && *vec; vec++ ){
+ /* Allowed options. */
+ if ( !saw_end ) {
+ if ( strcmp(*vec, "-v") == 0 ) continue;
+ if ( strcmp(*vec, "-r") == 0 ) continue;
+ if ( strcmp(*vec, "-p") == 0 ) continue;
+ if ( strcmp(*vec, "-d") == 0 ) continue;
+ if ( strcmp(*vec, "-f") == 0 ) continue;
+ if ( strcmp(*vec, "-t") == 0 ) continue;
+ }
+
+ /* End of arguments. One more argument allowed after this. */
+ if ( !saw_end && strcmp(*vec, "--") == 0 ){
+ saw_end = TRUE;
+ continue;
+ }
+
+ /* No other options allowed, but allow file starting with -. */
+ if ( *vec[0] == '-' && !saw_end ) return FALSE;
+ if ( saw_file ) return FALSE;
+ saw_file = TRUE;
+ }
+
+ /* We must have seen a single file. */
+ return saw_file;
+}
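Review bot: the single-file rule (`if ( saw_file ) return FALSE;` inside the loop together with the closing `return saw_file;`) is what breaks the reporter's wildcard fetch: once the wildcard has been expanded, scp_okay() sees two path arguments and refuses on the second, so any transfer of more than one file fails even though the extra arguments are plain paths. The tightness is also in the wrong place: -f and -t are on the allowlist but neither is required, so `scp -r -- somefile` passes (one file, no -f/-t) although scp is then not running in server mode, while `scp -f a.zip b.zip` is refused. Suggest requiring that -f or -t be present (that is what puts scp into server mode and switches off its remote-file syntax), counting path arguments instead of capping them at one, and keeping the rejection of any option that is not on the allowlist. Minor: `*vec[0] == '-'` parses as `(*vec)[0]` and works, but `(*vec)[0]` reads more clearly, and the `vec &&` test in the loop condition is dead since `vec++` has already been evaluated on that pointer.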
--------------
This is on an Ubuntu 14.04 machine. I've marked it "severity important" as it's
a regression that caused a set of 3 fileservers that had been happy for ~ 5 years
to stop serving the required files and took a fair while to debug as this was
an automated process and we didn't suspect a fileserver change for a fair while.
I hope this is explanatory enough but please ask for more details if needed.
thanks
Martin
--- End Message ---
--- Begin Message ---
Source: rssh
Source-Version: 2.3.4-11
We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[email protected]> (supplier of updated rssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Feb 2019 11:17:28 -0800
Source: rssh
Architecture: source
Version: 2.3.4-11
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <[email protected]>
Changed-By: Russ Allbery <[email protected]>
Closes: 921655
Changes:
rssh (2.3.4-11) unstable; urgency=high
.
* The fix for the scp security vulnerability in 2.3.4-9 introduced a
regression that blocked scp of multiple files from a server using
rssh. Based on further analysis of scp's command-line parsing, relax
the check to require the server command contain -f or -t, which should
deactivate scp's support for remote files. (Closes: #921655)
Checksums-Sha1:
dceb7da45abf1c64e300c426f879bd38d23f46a2 1553 rssh_2.3.4-11.dsc
73edbba658c448753fcf9343d1d273f470bdd992 30332 rssh_2.3.4-11.debian.tar.xz
Checksums-Sha256:
a601be045c621b4cadca033ac836e6da753b2ce25df09442ce22d2bd2d2e17a8 1553 rssh_2.3.4-11.dsc
464eac3ff45d55591ab23a22de2d205bc09e8bf8258655cc0291c41b25438404 30332 rssh_2.3.4-11.debian.tar.xz
Files:
db5723bf5557ea2f342e8fe20f3795b7 1553 net optional rssh_2.3.4-11.dsc
b6c0efbbde4855832db40aa5b1ce5a12 30332 net optional rssh_2.3.4-11.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE1zk0tJZ0z1zNmsJ4fYAxXFc23nUFAlxgeXoACgkQfYAxXFc2
3nVNfgf+PrYrypfGfbRhu53GIzxqm6rUjHhLFAMfHWp3YQvMgifPCrXVmLoCmAQk
EijqTWbsePG4NEv19FyvWKWNu1IYe9MZFIOhy46C/evzF/wNytVOLuT9QcXNza8j
Hq+XHLQN4LnR8L8Ggx684vG7MGWq/N9RdEBSSKSOYbBx1DWVj2WHE4Dc1HiCtsDo
WOISpSv8oDLhw6/QWPDbvmZWZZwKeMQu8qwL23dbsK36143E82Q5gMlfQCtEZ3Le
4GWE2O2R/1D8usZrFm0xvL/Rq5Xn8A25505blDOdNqi+48St/6nVkfEI/olQN0qi
87JUKiRwdvZyurwdIW6obM8G5tVsyg==
=NJI8
-----END PGP SIGNATURE-----
--- End Message ---
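As an added illustration of the check the 2.3.4-11 changelog describes, the C below is example code written for this page; it is neither rssh's own scp_okay() from the report above nor the code shipped in 2.3.4-11. It keeps an allowlist of scp options, requires -f or -t so that scp runs in server mode (where the remaining arguments are local paths and the host:path syntax is not interpreted), and accepts any number of path arguments, which is the case the reporter's wildcard request hit. The names scp_server_cmd_okay() and scp_cmd_string_okay() and the whitespace splitting in the wrapper are assumptions for the demo; the command lines in main() are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Allowlist check for the scp command line a client asks the server to run.
 * Example code for illustration, not rssh's scp_okay() and not the 2.3.4-11
 * patch.  Two rules:
 *   1. Every option must be on the allowlist; anything else (for instance
 *      -S, which names a program for scp to execute) is refused.
 *   2. -f (send files to the client) or -t (receive files from the client)
 *      must be present.  Either puts scp into server mode, where the remaining
 *      arguments are local paths and the host:path syntax is not interpreted.
 * Any number of path arguments is accepted; "--" ends option parsing, so a
 * path that starts with '-' can follow it.
 */
static bool scp_server_cmd_okay(char **argv)
{
    bool saw_mode = false;  /* -f or -t seen */
    bool saw_end = false;   /* "--" seen */
    int nfiles = 0;

    if (argv == NULL || argv[0] == NULL)
        return false;

    for (argv++; *argv != NULL; argv++) {
        const char *arg = *argv;

        if (!saw_end && strcmp(arg, "--") == 0) {
            saw_end = true;
            continue;
        }
        if (!saw_end && arg[0] == '-') {
            if (strcmp(arg, "-f") == 0 || strcmp(arg, "-t") == 0) {
                saw_mode = true;
                continue;
            }
            if (strcmp(arg, "-v") == 0 || strcmp(arg, "-r") == 0 ||
                strcmp(arg, "-p") == 0 || strcmp(arg, "-d") == 0)
                continue;
            return false;  /* option not on the allowlist */
        }
        nfiles++;          /* a path; several are fine */
    }
    return saw_mode && nfiles > 0;
}

/*
 * Convenience wrapper (an assumption for this demo, rssh builds argv its own
 * way): split a command line on whitespace into argv and run the check.  By
 * the time such a check runs, a wildcard like dir/file.x86_64_*.*.zip that
 * matched two files has already become two path arguments, which is the
 * situation the bug report describes.
 */
#define MAX_WORDS 64
static bool scp_cmd_string_okay(const char *cmdline)
{
    char buf[1024];
    char *argv[MAX_WORDS];
    int argc = 0;

    if (strlen(cmdline) >= sizeof buf)
        return false;
    strcpy(buf, cmdline);
    for (char *p = strtok(buf, " \t"); p != NULL; p = strtok(NULL, " \t")) {
        if (argc >= MAX_WORDS - 1)
            return false;
        argv[argc++] = p;
    }
    argv[argc] = NULL;
    return scp_server_cmd_okay(argv);
}

int main(void)
{
    /* Constructed command lines, as a server would see them. */
    static const char *cases[] = {
        "scp -f dir/file.x86_64_1.0.zip dir/file.x86_64_1.1.zip",
        "scp -v -r -p -d -t incoming",
        "scp -f -- -leading-dash",
        "scp -r file",              /* no -f/-t: scp would run as a client */
        "scp -f -S /bin/sh file",   /* -S is not on the allowlist */
        "scp -f",                   /* no path at all */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-58s %s\n", cases[i],
               scp_cmd_string_okay(cases[i]) ? "allowed" : "refused");
    return 0;
}
```

The first three command lines are allowed and the last three refused. The wrapper's whitespace split is a simplification: it does no quoting, so it exists only to feed argv arrays into the check, and the real question for any such filter is what argv looks like after the server side has finished expanding the request.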