Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
On Tue, 26 Feb 2019, Colin Watson wrote:
On Wed, Feb 13, 2019 at 10:36:34AM +0200, Harry Sintonen wrote:
The recent openssh upstream fix to "check in scp client that filenames sent
during
remote->local directory copies satisfy the wildcard specified by the user" (*)
had an unfortunate
side effect of breaking a legitimate use case of scp: deliberately copying the
source directory
permissions over the target directory. This is achieved by using syntax:
"dir/.".
Hi,
Have you already reported this directly upstream (bugzilla.mindrot.org)?
No.
I'd expect that to be the best approach here, since the upstream master
branch exhibits the same problem, and especially since the changes were
in response to your security vulnerability report. We can of course
cherry-pick regression fixes that have landed upstream.
Yeah likely would be the best course of action. If someone feels like
forwarding this to them, please do so.
Note that it was actually
https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
that broke this.
Indeed, I now see that this patch was indeed different from the one I
suggested initially. At the time I didn't check for "." myself either, so
I also added check for it. However, I then discovered the issue we have
now. So I adjusted my patches to cater this specific syntax, separating
the check for the "." and adding some checks to allow it in certain
situations ("dir/." etc). It's even commented in the patch, so it should
be quite evident what the code is doing there and why.
How exactly this was missed in the official patches is a mystery to me.
While incomplete, GNU extension dependant and clearly not as consise as
the "official", my patch at least handles the "dir/." case properly:
https://sintonen.fi/advisories/scp-name-validator.patch
PS. This is by no means a suggestion to replace the upstream patches with
my mess. It merely tries to demonstrate how I handled this particular
issue.
In part I feel responsible for this bug, but then on the other hand I did
try to handle this correctly while upstream did not. I find the whole
thing a bit depressing.
Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
On Wed, Feb 13, 2019 at 10:36:34AM +0200, Harry Sintonen wrote: > The recent openssh upstream fix to "check in scp client that filenames sent > during > remote->local directory copies satisfy the wildcard specified by the user" > (*) had an unfortunate > side effect of breaking a legitimate use case of scp: deliberately copying > the source directory > permissions over the target directory. This is achieved by using syntax: > "dir/.". Hi, Have you already reported this directly upstream (bugzilla.mindrot.org)? I'd expect that to be the best approach here, since the upstream master branch exhibits the same problem, and especially since the changes were in response to your security vulnerability report. We can of course cherry-pick regression fixes that have landed upstream. Note that it was actually https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2 that broke this. Thanks, -- Colin Watson [cjwat...@debian.org]
Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
Package: openssh-client Version: 1:7.4p1-10+deb9u5 Severity: normal Dear Maintainer, The recent openssh upstream fix to "check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user" (*) had an unfortunate side effect of breaking a legitimate use case of scp: deliberately copying the source directory permissions over the target directory. This is achieved by using syntax: "dir/.". Example: $ mkdir dstdir $ scp -pr user@server:srcdir/. dstdir error: unexpected filename: . Even when I attempt to disable strict checking by specifying -T, the issue persists: $ scp -pr -T user@server:srcdir/. dstdir error: unexpected filename: . Instead of failing I would have expected scp to allow copying over srcdir (including the permissions) over to dstdir, when using this explicit syntax. *) https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc -- System Information: Debian Release: 9.7 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages openssh-client depends on: ii adduser 3.115 ii dpkg 1.18.25 ii libc6 2.24-11+deb9u3 ii libedit2 3.1-20160903-3 ii libgssapi-krb5-2 1.15-1+deb9u1 ii libselinux1 2.6-3+b3 ii libssl1.0.2 1.0.2q-1~deb9u1 ii passwd1:4.4-4.1 ii zlib1g1:1.2.8.dfsg-5 Versions of packages openssh-client recommends: ii xauth 1:1.0.9-1+b2 Versions of packages openssh-client suggests: pn keychain pn libpam-ssh pn monkeysphere pn ssh-askpass -- no debconf information
