Debian Bug report logs - #344424
rssh: local privilege escalation in versions < 2.3.0 (CVE-2005-3345)


Package: rssh; Maintainer for rssh is (unknown);

Reported by: Max Vozeler <max@decl.org>

Date: Thu, 22 Dec 2005 16:48:21 UTC

Severity: critical

Tags: security

Merged with 344395

Found in versions rssh/2.2.3-1, rssh/2.2.3-3

Fixed in version rssh/2.3.0-1

Done: Jesus Climent <jesus.climent@hispalinux.es>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#344424; Package rssh.


Acknowledgement sent to Max Vozeler <max@decl.org>:
New Bug report received and forwarded. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.


Message #5 received at submit@bugs.debian.org:

From: Max Vozeler <max@decl.org>
To: submit@bugs.debian.org
Subject: rssh: local privilege escalation in versions < 2.3.0 (CVE-2005-3345)
Date: Thu, 22 Dec 2005 17:48:10 +0100

Package: rssh
Version: 2.2.3-3
Severity: critical
Tags: security

Hey Jesus,

rssh 2.3.0 has been released by Derek to fix the arbitrary chroot()
problem and privilege escalation we've mailed about (CVE-2005-3345)

http://www.pizzashack.org/rssh/index.shtml:
> Dec 18, 2005
> 
> rssh v2.3.0 released today!
> 
> Important Security Notice:
> 
> Max Vozeler has reported a problem whereby rssh can allow users who
> have shell access to systems where rssh is installed (and
> rssh_chroot_helper is installed SUID) to gain root access to the
> system, due to the ability to chroot to arbitrary locations. There are
> a lot of potentially mitigating factors, but to be safe you should
> upgrade immediately. This bug affects all versions of rssh from v2.0.0
> to v2.2.3, so please upgrade now!
> 
> The 2.3.0 release of rssh fixes this problem, by forcing the chroot
> helper to re-parse the config file to decide where to chroot(2) to.
> Users with shell access to the system can not subvert the chroot
> location, and may not be able to chroot at all depending on the
> configuration of rssh, which solves the problem.

Having rssh installed and rssh_chroot_helper setuid root is sufficient
for this bug to be exploitable, hence severity critical.

cheers,
Max
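
The fix described in the upstream notice above, sketched as an added example (not part of the original report and not rssh's own code): a setuid helper takes its chroot target from the administrator's configuration and ignores whatever directory the caller passes. The config syntax, `SAMPLE_CONF` and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample config. The "chrootpath = <dir>" line is a simplified
 * stand-in for illustration, not rssh's real parser or full file format. */
static const char SAMPLE_CONF[] =
    "# constructed example\n"
    "logfacility = LOG_USER\n"
    "chrootpath = /srv/jail\n";

/* Look up the chroot directory in administrator-owned config text.
 * Returns 0 and fills `out`, or -1 if no valid entry exists. */
static int chroot_dir_from_config(const char *conf, char *out, size_t outlen)
{
    for (const char *line = conf; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[320], key[32], val[256];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* Accept only an absolute path that contains no "..". */
            if (sscanf(buf, " %31[a-z] = %255s", key, val) == 2 &&
                strcmp(key, "chrootpath") == 0) {
                if (val[0] != '/' || strstr(val, "..") || strlen(val) >= outlen)
                    return -1;
                strcpy(out, val);
                return 0;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Hardened decision: argv of a setuid binary is controlled by whoever runs
 * it, so the caller-supplied directory is deliberately ignored. */
int select_chroot_dir(const char *conf, const char *caller_arg, char *out, size_t outlen)
{
    (void)caller_arg;
    return chroot_dir_from_config(conf, out, outlen);
}

int main(void)
{
    char dir[256];
    if (select_chroot_dir(SAMPLE_CONF, "/home/user/elsewhere", dir, sizeof dir) == 0)
        printf("would chroot to %s\n", dir);   /* a real helper then chroot(2)s and drops privileges */
    return 0;
}
```

When the configuration names no chroot directory the function fails, which corresponds to the notice's remark that a user "may not be able to chroot at all depending on the configuration".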



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#344424; Package rssh.


Acknowledgement sent to Jesus Climent <jesus.climent@hispalinux.es>:
Extra info received and forwarded to list.


Message #10 received at 344424@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: Max Vozeler <max@decl.org>, 344424@bugs.debian.org
Subject: Re: Bug#344424: rssh: local privilege escalation in versions < 2.3.0 (CVE-2005-3345)
Date: Thu, 22 Dec 2005 19:49:41 +0100

Hi.

On Thu, Dec 22, 2005 at 05:48:10PM +0100, Max Vozeler wrote:
> Package: rssh
> Version: 2.2.3-3
> Severity: critical
> Tags: security
> 
> Hey Jesus,
> 
> rssh 2.3.0 has been released by Derek to fix the arbitrary chroot()
> problem and privilege escalation we've mailed about (CVE-2005-3345)

The package Derek has put in the web page seems to be broken, and the patch I
applied from him does effectively break the compilation of the package, so I
am looking into the problem right now.

-- 
Jesus Climent                                      info:www.pumuki.org
Unix SysAdm|Linux User #66350|Debian Developer|2.6.14|Helsinki Finland
GPG: 1024D/86946D69 BB64 2339 1CAA 7064 E429  7E18 66FC 1D7F 8694 6D69

Kill every human on the planet?  Sounds like a good idea! But first, we
should concentrate on more immediate goals.
		--Jeffrey Goines (12 Monkeys)



Merged 344395 344424. Request was from Max Vozeler <max@decl.org> to control@bugs.debian.org.


Reply sent to Jesus Climent <jesus.climent@hispalinux.es>:
You have taken responsibility.


Notification sent to Max Vozeler <max@decl.org>:
Bug acknowledged by developer.


Message #17 received at 344395-close@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: 344395-close@bugs.debian.org
Subject: Bug#344395: fixed in rssh 2.3.0-1
Date: Wed, 28 Dec 2005 08:02:06 -0800

Source: rssh
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.0-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.0-1.diff.gz
rssh_2.3.0-1.dsc
  to pool/main/r/rssh/rssh_2.3.0-1.dsc
rssh_2.3.0-1_powerpc.deb
  to pool/main/r/rssh/rssh_2.3.0-1_powerpc.deb
rssh_2.3.0.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 344395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jesus Climent <jesus.climent@hispalinux.es> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Dec 2005 20:00:02 +0200
Source: rssh
Binary: rssh
Architecture: source powerpc
Version: 2.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Jesus Climent <jesus.climent@hispalinux.es>
Description: 
 rssh       - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 344395 344424
Changes: 
 rssh (2.3.0-1) unstable; urgency=high
 .
   * New upstream release.
   * This package is a security update:
     - closes CVE-2005-3345.
     - Closes: #344424, #344395
Files: 
 43616b7c0360063d50654b074b0e69ae 592 net optional rssh_2.3.0-1.dsc
 4badd1c95bf9b9507e6642598e809dd5 113701 net optional rssh_2.3.0.orig.tar.gz
 7090f32e81cdf815e9311772dd1ba1c1 13888 net optional rssh_2.3.0-1.diff.gz
 b5d9a545abd38350759d017924e1b2a5 48004 net optional rssh_2.3.0-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDqzQrZvwdf4aUbWkRAp6wAKDbOBmJcIBKnkkc7N0y6ipQkNOcZACg7AFi
DA5h7ggZi+qz371+OSsRWRs=
=ETnF
-----END PGP SIGNATURE-----




Reply sent to Jesus Climent <jesus.climent@hispalinux.es>:
You have taken responsibility.


Notification sent to Max Vozeler <max@decl.org>:
Bug acknowledged by developer.


Message #22 received at 344424-close@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: 344424-close@bugs.debian.org
Subject: Bug#344424: fixed in rssh 2.3.0-1
Date: Wed, 28 Dec 2005 08:02:06 -0800

Source: rssh
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.0-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.0-1.diff.gz
rssh_2.3.0-1.dsc
  to pool/main/r/rssh/rssh_2.3.0-1.dsc
rssh_2.3.0-1_powerpc.deb
  to pool/main/r/rssh/rssh_2.3.0-1_powerpc.deb
rssh_2.3.0.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 344424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jesus Climent <jesus.climent@hispalinux.es> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)






Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#344424; Package rssh.


Acknowledgement sent to "Steven M. Christey" <coley@mitre.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.


Message #27 received at 344424@bugs.debian.org:

From: "Steven M. Christey" <coley@mitre.org>
To: max@decl.org, 344424@bugs.debian.org
Subject: Re: Bug#344424: rssh: local privilege escalation in versions < 2.3.0 (CVE-2005-3345)
Date: Wed, 28 Dec 2005 16:06:00 -0500 (EST)

Note that there is a duplicate CVE that has been partially published,
based on the Gentoo and rssh advisories, which did not reference
CVE-2005-3345.  I have removed that duplicate, so continue to use
CVE-2005-3345.

(the duplicate was CVE-2005-4531)

- Steve



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 22:37:44 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 04:07:40 2025; Machine Name: buxtehude
