Debian Bug report logs - #346322
rssh runs cvs for rdist and rsync, doesn't check cvs -e


Package: rssh; Maintainer for rssh is Russ Allbery <rra@debian.org>; Source for rssh is src:rssh.

Reported by: Russ Allbery <rra@debian.org>

Date: Sat, 7 Jan 2006 00:48:05 UTC

Severity: grave

Tags: fixed, patch, security

Found in version rssh/2.3.0-1

Fixed in version rssh/2.3.2-1

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#346322; Package rssh.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jesus Climent <jesus.climent@hispalinux.es>.

Message #5 received at submit@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rssh runs cvs for rdist and rsync, doesn't check cvs -e
Date: Fri, 06 Jan 2006 16:29:45 -0800

Package: rssh
Version: 2.3.0-1
Severity: grave
Tags: security patch
Justification: renders package unusable

Due to missing curly braces in util.c, if rssh gets as far as checking
to see if the issued command was CVS, the check will always succeed.
Furthermore, this failure can be exploited to pass -e options to CVS,
since the command invoked will actually be /usr/bin/cvs and the security
check for -e options will be bypassed.

This breaks all use of rsync and rdist since /usr/bin/cvs is actually
invoked instead of those programs.  It also bypasses all security
checking from rssh.conf if the check for what program to run gets that
far.

I've confirmed that the attached trivial patch fixes the problem.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages rssh depends on:
ii  debconf [debconf-2.0]         1.4.66     Debian configuration management sy
ii  openssh-server                1:4.2p1-5  Secure shell server, an rshd repla

rssh recommends no packages.

-- debconf information:
* rssh/secnote:
  rssh/update-10:
  rssh/update-config-pre-2.2:
* rssh/chroot_helper_setuid: false
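The control-flow defect the report describes, shown as an added C example (this is not rssh's own code). `check_command()`, `opt_exist()` and the `PATH_*` macros are simplified stand-ins for rssh's real helpers and constants (the real `check_command()` also consults the allow-bits from rssh.conf, which is omitted here); the two dispatch functions reproduce the brace-less 2.3.0 shape and the braced 2.3.2 shape of the `if` in util.c.

```c
/* Added example, not rssh's code: a minimal model of the command
 * dispatch in util.c around the cvs check. Helper functions and the
 * PATH_* strings are assumptions that stand in for rssh's real ones. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_CVS   "/usr/bin/cvs"
#define PATH_RDIST "/usr/bin/rdist"
#define PATH_RSYNC "/usr/bin/rsync"

/* Stand-in for check_command(): does the first word of the command line
 * name the basename of the given program? */
static bool check_command(const char *cl, const char *prog) {
    const char *base = strrchr(prog, '/');
    base = base ? base + 1 : prog;
    size_t n = strlen(base);
    return strncmp(cl, base, n) == 0 && (cl[n] == '\0' || cl[n] == ' ');
}

/* Stand-in for opt_exist(): is "-X" present as a separate word? */
static bool opt_exist(const char *cl, char opt) {
    const char *p = cl;
    while ((p = strchr(p, '-')) != NULL) {
        bool at_word_start = (p == cl) || (p[-1] == ' ');
        if (at_word_start && p[1] == opt && (p[2] == '\0' || p[2] == ' '))
            return true;
        p++;
    }
    return false;
}

/* Braces exactly as in rssh 2.3.0: the outer `if` guards only the inner
 * `if`, so `return PATH_CVS;` executes for every command line that gets
 * here. The rdist/rsync checks below it are unreachable. A command line
 * naming rsync or rdist is therefore run as cvs, and because the -e test
 * only runs when the command named cvs, an -e in an rsync command line
 * reaches /usr/bin/cvs unchecked. */
const char *which_command_2_3_0(const char *cl) {
    if ( check_command(cl, PATH_CVS) )
        if ( opt_exist(cl, 'e') ) {
            fprintf(stderr, "\ninsecure -e option not allowed.");
            return NULL;
        }
        return PATH_CVS;    /* unconditional: this is the bug */

    if ( check_command(cl, PATH_RDIST) )
        return PATH_RDIST;
    if ( check_command(cl, PATH_RSYNC) )
        return PATH_RSYNC;
    return NULL;
}

/* The braced form from the patch: PATH_CVS is returned only when the
 * command really named cvs and carried no -e, and the other programs are
 * dispatched on their own checks. */
const char *which_command_2_3_2(const char *cl) {
    if ( check_command(cl, PATH_CVS) ) {
        if ( opt_exist(cl, 'e') ) {
            fprintf(stderr, "\ninsecure -e option not allowed.");
            return NULL;
        }
        return PATH_CVS;
    }
    if ( check_command(cl, PATH_RDIST) )
        return PATH_RDIST;
    if ( check_command(cl, PATH_RSYNC) )
        return PATH_RSYNC;
    return NULL;
}

int main(void) {
    /* Constructed sample command lines. */
    const char *samples[] = { "rsync -av src/ host:dst/", "rdist -P /usr/bin/ssh",
                              "cvs server", "cvs -e foo server", "ls" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *old = which_command_2_3_0(samples[i]);
        const char *fixed = which_command_2_3_2(samples[i]);
        printf("%-28s 2.3.0: %-14s 2.3.2: %s\n", samples[i],
               old ? old : "(refused)", fixed ? fixed : "(refused)");
    }
    return 0;
}
```

Run stand-alone, the 2.3.0 variant reports `/usr/bin/cvs` for every line, including plain `ls` and an rsync command line carrying `-e`, while the braced variant refuses `cvs -e`, refuses `ls`, and sends rsync and rdist to their own binaries. Building with `-Wall` on a current GCC emits a `-Wmisleading-indentation` warning on the brace-less function, which is the cheapest regression check for this class of bug.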



Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#346322; Package rssh.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #10 received at 346322@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 346322@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#346322: rssh runs cvs for rdist and rsync, doesn't check cvs -e
Date: Fri, 06 Jan 2006 16:53:45 -0800

Russ Allbery <rra@debian.org> writes:

> Package: rssh
> Version: 2.3.0-1
> Severity: grave
> Tags: security patch
> Justification: renders package unusable

> Due to missing curly braces in util.c, if rssh gets as far as checking
> to see if the issued command was CVS, the check will always succeed.
> Furthermore, this failure can be exploited to pass -e options to CVS,
> since the command invoked will actually be /usr/bin/cvs and the security
> check for -e options will be bypassed.

> This breaks all use of rsync and rdist since /usr/bin/cvs is actually
> invoked instead of those programs.  It also bypasses all security
> checking from rssh.conf if the check for what program to run gets that
> far.

> I've confirmed that the attached trivial patch fixes the problem.

Ack, sorry, here's the patch.

--- rssh-2.3.0/util.c.orig	2005-11-27 09:01:52.000000000 -0800
+++ rssh-2.3.0/util.c	2006-01-06 16:23:04.000000000 -0800
@@ -209,13 +209,14 @@
 		return PATH_SCP;
 	}
 
-	if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
+	if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
 		if ( opt_exist(cl, 'e') ){
 			fprintf(stderr, "\ninsecure -e option not allowed.");
 			log_msg("insecure -e option in cvs command line!");
 			return NULL;
 		}
 		return PATH_CVS;
+	}
 
 	if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
 		/* filter -P option */
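Review bot: the defect is the brace-less outer `if` at the first `-` line: without `{`, the condition guards only the inner `if`, so `return PATH_CVS;` runs for every command line that reaches this point. That both sends rsync and rdist command lines to cvs and lets `-e` through, because `opt_exist(cl, 'e')` is only evaluated when the command named cvs. Wrapping the body in `{ ... }` as the two `+` lines do is the correct fix, and it also makes this branch consistent with the rdist branch just below, which already uses braces. Worth building with `-Wall` from now on: current GCC's `-Wmisleading-indentation` (part of `-Wall`) flags exactly this pattern, so a recurrence would fail review at compile time.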

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#346322; Package rssh.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #15 received at 346322@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 346322@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#346322: rssh runs cvs for rdist and rsync, doesn't check cvs -e
Date: Sat, 07 Jan 2006 12:43:24 -0800

Upstream reports they've released a new version of rssh (2.3.2) which is
now mentioned on the rssh home page.  It looks like this release should
also fix Bug#339531.

The problems in 2.3.0 sound like they were introduced in that version and
wouldn't affect previous versions (although of course previous versions
have the chroot problem fixed in 2.3.0).

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#346322; Package rssh.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.

Message #20 received at 346322@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 346322@bugs.debian.org
Cc: Jesus Climent <jesus.climent@hispalinux.es>, team@security.debian.org
Subject: Intention to NMU rssh for security vulnerability
Date: Fri, 17 Mar 2006 13:35:28 -0800

Hi Jesus,

I haven't heard anything back about this bug (#346322), which is a serious
security vulnerability affecting unstable and testing.

I've checked the latest upstream release (2.3.2) and compared it to 2.3.0
currently in Debian, and the following patch fixes this vulnerability and
another segfault issue.  I intend to upload an NMU for rssh applying this
patch on Monday (March 20th) if I haven't heard back from you saying to
hold off.

Please let me know if you need any help or have any questions or concerns,
or if you have an upload prepared already for this problem.

diff -ru rssh-2.3.0/main.c.in rssh-2.3.2/main.c.in
--- rssh-2.3.0/main.c.in	2005-11-27 14:36:19.000000000 -0800
+++ rssh-2.3.2/main.c.in	2006-01-03 09:25:05.000000000 -0800
@@ -1,7 +1,7 @@
 /*
  * rssh.c - restricted shell for ssh to allow scp or sftp only
  * 
- * Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
+ * Copyright 2003-2006 Derek D. Martin ( code at pizzashack dot org ).
  *
  * This program is licensed under a BSD-style license, as follows: 
  *
@@ -174,8 +174,6 @@
 		         char **cmd )
 {
 	char    **argvec;       /* argument vector for new cmd line */
-	char	*homedir;	/* relative to chroot */
-	char	*root;		/* the chroot dir */
 	char	*temp;		/* to build chroot helper cmd line */
 	int	len;
 
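Review bot: dropping the `homedir` and `root` declarations is only safe if every use goes with them; the `@@ -229,8` hunk below removes the `strlen(root) + strlen(homedir)` terms, and nothing else in the visible context references either name, so the two hunks must be applied together or the file will not compile. The removed declarations carry no initializer, so if these pointers were never assigned before being handed to `strlen()` that was undefined behaviour and a plausible source of the "segfault issue" the cover note mentions; `-Wall` (which includes `-Wuninitialized` at `-O1` and above) would be worth enabling so the compiler reports such cases.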
@@ -229,8 +227,8 @@
 		*cmd = PATH_CHROOT_HELPER;
 
 		/* set up buffer to log command line ('"' + ' ' + '\0' = 9) */
-		len = strlen(cmdline) + strlen(root) + strlen(homedir) + 
-		      strlen(argvec[2]) + strlen(PATH_CHROOT_HELPER) + 9;
+		len = strlen(cmdline) +  strlen(argvec[2]) + 
+			strlen(PATH_CHROOT_HELPER) + 9;
 		if ( !(temp = (char *)malloc(len)) ){
 			log_set_priority(LOG_ERR);
 			log_msg("OOM error in build_shell_args() (fatal)");
diff -ru rssh-2.3.0/util.c rssh-2.3.2/util.c
--- rssh-2.3.0/util.c	2005-11-27 09:01:52.000000000 -0800
+++ rssh-2.3.2/util.c	2006-01-03 09:37:39.000000000 -0800
@@ -1,7 +1,7 @@
 /*
  * util.c - utility functions for rssh
  * 
- * Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
+ * Copyright 2003-2006 Derek D. Martin ( code at pizzashack dot org ).
  *
  * This program is licensed under a BSD-style license, as follows: 
  *
@@ -209,13 +209,14 @@
 		return PATH_SCP;
 	}
 
-	if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
+	if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
 		if ( opt_exist(cl, 'e') ){
 			fprintf(stderr, "\ninsecure -e option not allowed.");
 			log_msg("insecure -e option in cvs command line!");
 			return NULL;
 		}
 		return PATH_CVS;
+	}
 
 	if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
 		/* filter -P option */
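Review bot: this hunk is identical to the patch posted in message #10 and is the only hunk in this diff that addresses the reported `-e` bypass; the copyright hunks and the `main.c.in` hunks are separable from it, so if the NMU has to be kept minimal this is the one that must ship. Same recommendation as before: build with `-Wall` so the dangling-`if` pattern is reported at compile time.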


-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Tags added: fixed. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org.

Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility.

Notification sent to Russ Allbery <rra@debian.org>:
Bug acknowledged by developer.

Message #27 received at 346322-close@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 346322-close@bugs.debian.org
Subject: Bug#346322: fixed in rssh 2.3.2-1
Date: Fri, 21 Apr 2006 21:17:06 -0700

Source: rssh
Source-Version: 2.3.2-1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.2-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.2-1.diff.gz
rssh_2.3.2-1.dsc
  to pool/main/r/rssh/rssh_2.3.2-1.dsc
rssh_2.3.2-1_i386.deb
  to pool/main/r/rssh/rssh_2.3.2-1_i386.deb
rssh_2.3.2.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 346322@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Apr 2006 20:45:25 -0700
Source: rssh
Binary: rssh
Architecture: source i386
Version: 2.3.2-1
Distribution: unstable
Urgency: low
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 rssh       - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 333923 335384 335475 339531 341412 346322 355935 357715
Changes: 
 rssh (2.3.2-1) unstable; urgency=low
 .
   * New co-maintainer.
   * New upstream release.
     - Incorporates fixes from NMU.  (Closes: #346322, #355935, #357715)
     - Incorporates missing va_end also fixed in NMU.  (Closes: #339531)
   * Don't compress example scripts.  (Closes: #333923)
   * Mention chroot and jail in the rssh description.  (Closes: #335475)
   * Add libnss_compat* to the chroot script.  (Closes: #335384)
   * Drop the ssh-krb5 alternative; it doesn't use the right sftp-server
     path.  Add Suggests pointing to the other supported commands.
   * Drop the configuration caution from the package description; it's in
     the man page and the long description isn't supposed to include
     configuration information for the package.
   * Rework README.Debian a little to point to the rssh man page instead of
     SECURITY (upstream moved the security notes there) and emphasize
     reading the documentation before using the package.
   * Update logcheck rules.
   * debian/rules and debian/control cleanup.
     - Switch to quilt for patches.  It works essentially the same as the
       script the package was using but is more standard and is the current
       recommended tool.
     - Run dh_shlibdeps to pick up proper dependency information.
     - Get the debconf dependency from debhelper.
     - Use debian/compat instead of setting DH_COMPAT.
     - Use dh_installman instead of the deprecated dh_installmanpages.
     - Remove duplicate rssh.docs configuration file.
     - Don't install config.{guess,sub}; configure doesn't use them.
     - Rename NEWS.Debian to NEWS so that debhelper installs it.
     - Install logcheck rules with debhelper.
     - Simplify unused rules and remove some boilerplate.
   * Translation updates.
     - Swedish, thanks Daniel Nylander.  (Closes: #341412)
Files: 
 ad20c46e6ce646bb7e7d471519403d44 635 net optional rssh_2.3.2-1.dsc
 65712f2c06ff5fc6fc783bc8c2e4e1ba 113959 net optional rssh_2.3.2.orig.tar.gz
 5f3d1d236ffaa0fe5926ea5983344f73 15382 net optional rssh_2.3.2-1.diff.gz
 dca5777ff89837e8a14e8d56e1b33e81 49808 net optional rssh_2.3.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFESae3+YXjQAr8dHYRAtCfAKCLUB1PwnhPS6B8XeknryAbpKm8sQCfe8MT
Wq78oTKRT8qk+FhHfUK1kFU=
=bwdU
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 21:04:31 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:30:11 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.