Your message dated Tue, 29 Jan 2019 05:50:04 +0000
with message-id <e1gomhc-00065x...@fasolo.debian.org>
and subject line Bug#919623: fixed in rssh 2.3.4-9
has caused the Debian Bug report #919623,
regarding Remote code execution in scp support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
919623: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919623
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rssh
Version: 2.3.4-8
Severity: grave
Tags: security upstream

https://sourceforge.net/p/rssh/mailman/message/36519118/ is the upstream
report.  The reporter indicated they asked for a CVE but didn't include it
in the message.

scp allows remote code execution inside the server environment via several
methods due to inadequate command-line verification.  This bug has been
present since the beginning of rssh.

I have a completely untested patch but haven't had time to test it yet.
Attaching it to this report for whatever it's worth.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rssh depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.28-4
ii  openssh-server         1:7.9p1-4

rssh recommends no packages.

Versions of packages rssh suggests:
ii  cvs         2:1.12.13+real-26
pn  makejail    <none>
pn  rdist       <none>
ii  rsync       3.1.3-1
ii  subversion  1.10.3-1+b1

-- Configuration Files:
/etc/logcheck/ignore.d.server/rssh [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/rssh'
/etc/rssh.conf changed [not included]

-- debconf information excluded
diff --git a/util.c b/util.c
index 56f67ad..4dde1a0 100644
--- a/util.c
+++ b/util.c
@@ -268,6 +268,45 @@ static int rsync_e_okay( char **vec )
 }
 
 
+/*
+ * scp_okay() - take the command line and check that it is a hopefully-safe scp
+ *             server command line, accepting only very specific options.
+ *             Returns FALSE if the command line should not be allowed, TRUE
+ *             if it is okay.
+ */
+static int scp_okay( char **vec )
+{
+       int saw_file = FALSE;
+       int saw_end  = FALSE;
+
+       for ( ; vec && *vec; vec++ ){
+               /* Allowed options. */
+               if ( !saw_end ) {
+                       if ( strcmp(*vec, "-v") == 0 ) continue;
+                       if ( strcmp(*vec, "-r") == 0 ) continue;
+                       if ( strcmp(*vec, "-p") == 0 ) continue;
+                       if ( strcmp(*vec, "-d") == 0 ) continue;
+                       if ( strcmp(*vec, "-f") == 0 ) continue;
+                       if ( strcmp(*vec, "-t") == 0 ) continue;
+               }
+
+               /* End of arguments.  One more argument allowed after this. */
+               if ( !saw_end && strcmp(*vec, "--") == 0 ){
+                       saw_end = TRUE;
+                       continue;
+               }
+
+               /* No other options allowed, but allow file starting with -. */
+               if ( *vec[0] == '-' && !saw_end ) return FALSE;
+               if ( saw_file ) return FALSE;
+               saw_file = TRUE;
+       }
+
+       /* We must have seen a single file. */
+       return saw_file;
+}
+
+
 /*
  * check_command_line() - take the command line passed to rssh, and verify
  *                       that the specified command is one the user is
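Review bot: the loop `for ( ; vec && *vec; vec++ )` in scp_okay() starts at vec[0], but the caller in the next hunk passes the whole vector `cl`, whose first element is the command name that `check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP)` just matched. That name does not start with '-', so it sets saw_file on the first iteration and the real path argument then trips `if ( saw_file ) return FALSE;`, which rejects every scp command line; start the loop at `vec + 1` (or pass `cl + 1`). Two smaller points: nothing requires `-t` or `-f` to be present, so a line consisting only of `-r` and one path passes even though it is not a server-mode invocation, and `*vec[0]` does read as the first character of the current argument, but `(*vec)[0]` would make that intent obvious to the next reader.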
@@ -283,8 +322,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
                return PATH_SFTP_SERVER;
 
        if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
-               /* filter -S option */
-               if ( opt_filter(cl, 'S') ) return NULL;
+               if ( !scp_okay(cl) ){
+                       fprintf(stderr, "\ninsecure scp option not allowed.");
+                       log_msg("insecure scp option in scp command line");
+                       return NULL;
+               }
                return PATH_SCP;
        }
 
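Review bot: the messages `fprintf(stderr, "\ninsecure scp option not allowed.");` and `log_msg("insecure scp option in scp command line");` describe only one of the reasons scp_okay() returns FALSE; it also rejects a second path argument and a command line with no path at all, so an operator reading the log for a refused `scp -t a b` would look for an option that is not there. Suggest a wording that covers every case, e.g. "scp command line rejected: unexpected option or argument". Worth noting in the changelog that the removed `opt_filter(cl, 'S')` path returned NULL silently, whereas the new branch logs the rejection, which is an improvement for anyone monitoring the server.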

--- End Message ---
--- Begin Message ---
Source: rssh
Source-Version: 2.3.4-9

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <r...@debian.org> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 28 Jan 2019 21:03:59 -0800
Source: rssh
Architecture: source
Version: 2.3.4-9
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <r...@debian.org>
Changed-By: Russ Allbery <r...@debian.org>
Closes: 919623
Changes:
 rssh (2.3.4-9) unstable; urgency=high
 .
   [ Russ Allbery ]
   * Validate the allowed scp command line and only permit the flags used
     in server mode and only a single argument, to attempt to prevent use
     of ssh options to run arbitrary code on the server.  This will break
     scp -3 to a system running rssh, which seems like an acceptable loss.
     (Closes: #919623, CVE-2019-1000018)
   * Tighten validation of the rsync command line to require --server be
     the first argument, which should prevent initiation of an outbound
     rsync command from the server, which in turn might allow execution of
     arbitrary code via ssh configuration similar to scp.
   * Add validation of the server command line after chroot when chroot is
     enabled.  Prior to this change, dangerous argument filtering was not
     done when chroot was configured, allowing remote code execution inside
     the chroot in some configurations via the previous two bugs and via
     the mechanisms in CVE-2012-2251 and CVE-2012-2252.
   * Document that the cvs server-side dangerous option filtering is
     probably insufficient and should not be considered secure.
   * Remove ancient upgrade support in debian/postinst.
   * Remove debian/source/options, which was forcing compression to xz (now
     the default).
   * Update to debhelper compatibility level V12.
   * Update standards version to 4.3.0 (no changes required).
 .
   [ Ondřej Nový ]
   * d/watch: Use https protocol

--- End Message ---
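As an added illustration of the validation the 2.3.4-9 changelog describes (example code written for this page, not rssh's util.c): an allow-list check over the scp server command line that skips the program name, accepts only the flags scp uses in server mode, stops option parsing at `--`, requires exactly one path, and additionally requires `-t` or `-f`, a constraint the page's patch does not impose.

```c
#include <string.h>

/* Allow-list of the flags scp uses when the client runs it in server mode. */
static const char *const allowed_flags[] = { "-v", "-r", "-p", "-d", "-f", "-t", NULL };

static int flag_allowed(const char *arg)
{
    for (const char *const *f = allowed_flags; *f; f++)
        if (strcmp(arg, *f) == 0)
            return 1;
    return 0;
}

/*
 * Returns 1 if argv is an acceptable server-mode scp command line, else 0.
 * argv[0] is the program name and is skipped.  Only allow-listed flags are
 * accepted before "--", "--" ends option processing, exactly one path must
 * follow, and (a requirement added in this example) -t or -f must be present.
 * Anything unexpected (options such as -S that the old filter targeted,
 * bundled flags such as -rt, empty arguments, a second path) fails closed.
 */
int scp_server_line_okay(char *const *argv)
{
    int saw_mode = 0;   /* -t (sink) or -f (source) seen */
    int saw_path = 0;   /* the single path argument seen */
    int saw_end  = 0;   /* "--" seen: what follows is a path even if it starts with '-' */

    if (!argv || !argv[0])
        return 0;
    for (argv++; *argv; argv++) {
        const char *arg = *argv;
        if (arg[0] == '\0')
            return 0;                       /* empty argument: not a usable path or flag */
        if (!saw_end && strcmp(arg, "--") == 0) { saw_end = 1; continue; }
        if (!saw_end && arg[0] == '-') {
            if (!flag_allowed(arg))
                return 0;                   /* unknown or bundled option */
            if (strcmp(arg, "-t") == 0 || strcmp(arg, "-f") == 0)
                saw_mode = 1;
            continue;
        }
        if (saw_path)
            return 0;                       /* a second path is never sent by a client */
        saw_path = 1;
    }
    return saw_mode && saw_path;
}
```

The sample vectors in the test below are constructed for this example; a real rssh deployment would hand the function the vector it builds from the forced command string.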
