Russ Allbery <[EMAIL PROTECTED]> writes:

> Package: rssh
> Version: 2.3.0-1
> Severity: grave
> Tags: security patch
> Justification: renders package unusable
>
> Due to missing curly braces in util.c, if rssh gets as far as checking
> to see if the issued command was CVS, the check will always succeed.
> Furthermore, this failure can be exploited to pass -e options to CVS,
> since the command invoked will actually be /usr/bin/cvs and the security
> check for -e options will be bypassed.
>
> This breaks all use of rsync and rdist since /usr/bin/cvs is actually
> invoked instead of those programs. It also bypasses all security
> checking from rssh.conf if the check for what program to run gets that
> far.
>
> I've confirmed that the attached trivial patch fixes the problem.

Ack, sorry, here's the patch.

--- rssh-2.3.0/util.c.orig 2005-11-27 09:01:52.000000000 -0800 +++ rssh-2.3.0/util.c 2006-01-06 16:23:04.000000000 -0800 @@ -209,13 +209,14 @@ return PATH_SCP; } - if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ) + if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){ if ( opt_exist(cl, 'e') ){ fprintf(stderr, "\ninsecure -e option not allowed."); log_msg("insecure -e option in cvs command line!"); return NULL; } return PATH_CVS; + } if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){ /* filter -P option */

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
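
Review bot: The change to the CVS branch of util.c (hunk @@ -209,13 +209,14 @@) restores the braces but adds nothing that would catch the same mistake again. Before the patch, the body of the unbraced "if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )" was only the inner -e check, so "return PATH_CVS;" ran for every command line that reached this point. I suggest a regression test alongside the fix asserting that an rsync or rdist command line does not come back as PATH_CVS and that a cvs command line carrying -e returns NULL. Building with a compiler warning for misleading indentation (for example GCC's -Wmisleading-indentation) would also flag an unbraced multi-statement if like the removed line. With the added "{" and "}" the branch now matches the braced scp branch above it and the rdist branch below it, which is the right shape. A minor point in the unchanged context: the message "\ninsecure -e option not allowed." has a leading newline but no trailing one, so it will run into whatever is written to stderr next; ending it with "\n" would be cleaner.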