Package: rssh
Version: 2.3.0-1
Severity: grave
Tags: security patch
Justification: renders package unusable
Due to missing curly braces in util.c, if rssh gets as far as checking to see if the issued command was CVS, the check will always succeed. Furthermore, this failure can be exploited to pass -e options to CVS, since the command invoked will actually be /usr/bin/cvs and the security check for -e options will be bypassed. This breaks all use of rsync and rdist since /usr/bin/cvs is actually invoked instead of those programs. It also bypasses all security checking from rssh.conf if the check for what program to run gets that far.

I've confirmed that the attached trivial patch fixes the problem.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages rssh depends on:
ii  debconf [debconf-2.0]         1.4.66     Debian configuration management sy
ii  openssh-server                1:4.2p1-5  Secure shell server, an rshd repla

rssh recommends no packages.

-- debconf information:
* rssh/secnote:
  rssh/update-10:
  rssh/update-config-pre-2.2:
* rssh/chroot_helper_setuid: false
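The report describes a brace defect but the attached patch is not reproduced here, so the following is an added illustration of the failure mode, written for this page; it is not rssh's util.c and the function and helper names (cvs_check_buggy, cvs_check_fixed, is_cvs_command, has_e_option, the verdict enum) are hypothetical. It shows how an if-statement without braces guards only its first statement, so the fallthrough "run CVS" result applies to every command line that reaches the check, including rsync and rdist lines and lines for which cvs is not allowed in the configuration, and how bracing the block restores the intended behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical toy model of the CVS branch of a command dispatcher.
 * Constructed for illustration; this is NOT the rssh source. */

#define PATH_CVS "/usr/bin/cvs"

/* What the dispatcher decides for one command line. */
enum verdict {
    NOT_CVS = 0,   /* not a cvs command: fall through to the other checks */
    RUN_CVS = 1,   /* run PATH_CVS with this command line */
    REFUSE  = 2    /* refuse: a forbidden -e option is present */
};

/* True if the command line names cvs as the program to run. */
static int is_cvs_command(const char *cmdline)
{
    return strcmp(cmdline, "cvs") == 0 || strncmp(cmdline, "cvs ", 4) == 0;
}

/* Crude scan for a whitespace-separated word starting with "-e". */
static int has_e_option(const char *cmdline)
{
    const char *p = cmdline;
    while (*p) {
        while (*p == ' ')
            p++;
        if (p[0] == '-' && p[1] == 'e')
            return 1;
        while (*p && *p != ' ')
            p++;
    }
    return 0;
}

/* Buggy form: the outer "if" has no braces, so it guards only the inner
 * "if". The final "return RUN_CVS" was meant to sit inside the outer
 * block but is reached by every command line, whatever it was and
 * whether or not cvs is allowed. A non-cvs line with -e is never
 * inspected by has_e_option, yet PATH_CVS is what gets executed. */
enum verdict cvs_check_buggy(const char *cmdline, int allow_cvs)
{
    if (allow_cvs && is_cvs_command(cmdline))
        if (has_e_option(cmdline))
            return REFUSE;
    return RUN_CVS;
}

/* Fixed form: braces make both the -e filter and the RUN_CVS result
 * conditional on the line actually being an allowed cvs command. */
enum verdict cvs_check_fixed(const char *cmdline, int allow_cvs)
{
    if (allow_cvs && is_cvs_command(cmdline)) {
        if (has_e_option(cmdline))
            return REFUSE;
        return RUN_CVS;
    }
    return NOT_CVS;
}

int main(void)
{
    /* Constructed sample command lines, as a shell like rssh would see them. */
    const char *lines[] = { "cvs server", "cvs -e sh server",
                            "rsync --server -e sh .", "rdist -Server" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-26s buggy=%d fixed=%d\n", lines[i],
               cvs_check_buggy(lines[i], 1), cvs_check_fixed(lines[i], 1));
    return 0;
}
```

Compiling the buggy function with -Wall -Wextra on a recent gcc or clang reports a misleading-indentation warning for exactly this shape, which is a cheap way to catch the defect before it ships.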