Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
On Tue, 26 Feb 2019, Colin Watson wrote: On Wed, Feb 13, 2019 at 10:36:34AM +0200, Harry Sintonen wrote: The recent openssh upstream fix to "check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user" (*) had an unfortunate side effect of breaking a legitimate use case of scp: deliberately copying the source directory permissions over the target directory. This is achieved by using syntax: "dir/.". Hi, Have you already reported this directly upstream (bugzilla.mindrot.org)? No. I'd expect that to be the best approach here, since the upstream master branch exhibits the same problem, and especially since the changes were in response to your security vulnerability report. We can of course cherry-pick regression fixes that have landed upstream. Yeah likely would be the best course of action. If someone feels like forwarding this to them, please do so. Note that it was actually https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2 that broke this. Indeed, I now see that this patch was indeed different from the one I suggested initially. At the time I didn't check for "." myself either, so I also added check for it. However, I then discovered the issue we have now. So I adjusted my patches to cater this specific syntax, separating the check for the "." and adding some checks to allow it in certain situations ("dir/." etc). It's even commented in the patch, so it should be quite evident what the code is doing there and why. How exactly this was missed in the official patches is a mystery to me. While incomplete, GNU extension dependant and clearly not as consise as the "official", my patch at least handles the "dir/." case properly: https://sintonen.fi/advisories/scp-name-validator.patch PS. This is by no means a suggestion to replace the upstream patches with my mess. It merely tries to demonstrate how I handled this particular issue. In part I feel responsible for this bug, but then on the other hand I did try to handle this correctly while upstream did not. I find the whole thing a bit depressing.
Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
On Wed, Feb 13, 2019 at 10:36:34AM +0200, Harry Sintonen wrote: > The recent openssh upstream fix to "check in scp client that filenames sent > during > remote->local directory copies satisfy the wildcard specified by the user" > (*) had an unfortunate > side effect of breaking a legitimate use case of scp: deliberately copying > the source directory > permissions over the target directory. This is achieved by using syntax: > "dir/.". Hi, Have you already reported this directly upstream (bugzilla.mindrot.org)? I'd expect that to be the best approach here, since the upstream master branch exhibits the same problem, and especially since the changes were in response to your security vulnerability report. We can of course cherry-pick regression fixes that have landed upstream. Note that it was actually https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2 that broke this. Thanks, -- Colin Watson [cjwat...@debian.org]
Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
Package: openssh-client Version: 1:7.4p1-10+deb9u5 Severity: normal Dear Maintainer, The recent openssh upstream fix to "check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user" (*) had an unfortunate side effect of breaking a legitimate use case of scp: deliberately copying the source directory permissions over the target directory. This is achieved by using syntax: "dir/.". Example: $ mkdir dstdir $ scp -pr user@server:srcdir/. dstdir error: unexpected filename: . Even when I attempt to disable strict checking by specifying -T, the issue persists: $ scp -pr -T user@server:srcdir/. dstdir error: unexpected filename: . Instead of failing I would have expected scp to allow copying over srcdir (including the permissions) over to dstdir, when using this explicit syntax. *) https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc -- System Information: Debian Release: 9.7 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages openssh-client depends on: ii adduser 3.115 ii dpkg 1.18.25 ii libc6 2.24-11+deb9u3 ii libedit2 3.1-20160903-3 ii libgssapi-krb5-2 1.15-1+deb9u1 ii libselinux1 2.6-3+b3 ii libssl1.0.2 1.0.2q-1~deb9u1 ii passwd1:4.4-4.1 ii zlib1g1:1.2.8.dfsg-5 Versions of packages openssh-client recommends: ii xauth 1:1.0.9-1+b2 Versions of packages openssh-client suggests: pn keychain pn libpam-ssh pn monkeysphere pn ssh-askpass -- no debconf information