Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jesus Climent <jesus.climent@hispalinux.es>: Bug#346322; Package rssh.
Acknowledgement sent to Russ Allbery <rra@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jesus Climent <jesus.climent@hispalinux.es>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rssh runs cvs for rdist and rsync, doesn't check cvs -e
Date: Fri, 06 Jan 2006 16:29:45 -0800
Package: rssh
Version: 2.3.0-1
Severity: grave
Tags: security patch
Justification: renders package unusable
Due to missing curly braces in util.c, if rssh gets as far as checking
to see if the issued command was CVS, the check will always succeed.
Furthermore, this failure can be exploited to pass -e options to CVS,
since the command invoked will actually be /usr/bin/cvs and the security
check for -e options will be bypassed.
This breaks all use of rsync and rdist since /usr/bin/cvs is actually
invoked instead of those programs. It also bypasses all security
checking from rssh.conf if the check for what program to run gets that
far.
I've confirmed that the attached trivial patch fixes the problem.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Versions of packages rssh depends on:
ii debconf [debconf-2.0] 1.4.66 Debian configuration management sy
ii openssh-server 1:4.2p1-5 Secure shell server, an rshd repla
rssh recommends no packages.
-- debconf information:
* rssh/secnote:
rssh/update-10:
rssh/update-config-pre-2.2:
* rssh/chroot_helper_setuid: false
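A constructed C model of the dangling-if the report describes, added here as an example (it is not rssh's own code; check_command and opt_exist_e are simplified stand-ins for rssh's helpers): the unbraced version hands every command line that reaches it to PATH_CVS, including an rsync invocation carrying -e, while the braced version dispatches each program to its own branch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for rssh's path constants (not rssh's own code). */
#define PATH_CVS   "/usr/bin/cvs"
#define PATH_RDIST "/usr/bin/rdist"
#define PATH_RSYNC "/usr/bin/rsync"

/* Hypothetical simplification of rssh's check_command(): does the
 * command line start with the program name as a whole word? */
static int check_command(const char *cl, const char *name)
{
    size_t n = strlen(name);
    return strncmp(cl, name, n) == 0 && (cl[n] == ' ' || cl[n] == '\0');
}

/* Hypothetical simplification of opt_exist(cl, 'e'). */
static int opt_exist_e(const char *cl)
{
    return strstr(cl, " -e") != NULL;
}

/* The 2.3.0 shape: without braces only the nested -e test belongs to the
 * cvs condition, so "return PATH_CVS" runs for every command line and the
 * rdist/rsync branches below it are unreachable. */
const char *which_command_buggy(const char *cl)
{
    if (check_command(cl, "cvs"))
        if (opt_exist_e(cl)) {
            fprintf(stderr, "\ninsecure -e option not allowed.\n");
            return NULL;
        }
        return PATH_CVS;      /* unconditional: this is the bug */
    if (check_command(cl, "rdist")) return PATH_RDIST;
    if (check_command(cl, "rsync")) return PATH_RSYNC;
    return NULL;
}

/* The 2.3.2 shape: braces scope both the -e test and the cvs return. */
const char *which_command_fixed(const char *cl)
{
    if (check_command(cl, "cvs")) {
        if (opt_exist_e(cl)) {
            fprintf(stderr, "\ninsecure -e option not allowed.\n");
            return NULL;
        }
        return PATH_CVS;
    }
    if (check_command(cl, "rdist")) return PATH_RDIST;
    if (check_command(cl, "rsync")) return PATH_RSYNC;
    return NULL;
}
```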
Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>: Bug#346322; Package rssh.
Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#346322: rssh runs cvs for rdist and rsync, doesn't check cvs -e
Date: Fri, 06 Jan 2006 16:53:45 -0800
Russ Allbery <rra@debian.org> writes:
> Package: rssh
> Version: 2.3.0-1
> Severity: grave
> Tags: security patch
> Justification: renders package unusable
> Due to missing curly braces in util.c, if rssh gets as far as checking
> to see if the issued command was CVS, the check will always succeed.
> Furthermore, this failure can be exploited to pass -e options to CVS,
> since the command invoked will actually be /usr/bin/cvs and the security
> check for -e options will be bypassed.
> This breaks all use of rsync and rdist since /usr/bin/cvs is actually
> invoked instead of those programs. It also bypasses all security
> checking from rssh.conf if the check for what program to run gets that
> far.
> I've confirmed that the attached trivial patch fixes the problem.
Ack, sorry, here's the patch.
--- rssh-2.3.0/util.c.orig 2005-11-27 09:01:52.000000000 -0800
+++ rssh-2.3.0/util.c 2006-01-06 16:23:04.000000000 -0800
@@ -209,13 +209,14 @@
return PATH_SCP;
}
- if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
+ if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
if ( opt_exist(cl, 'e') ){
fprintf(stderr, "\ninsecure -e option not allowed.");
log_msg("insecure -e option in cvs command line!");
return NULL;
}
return PATH_CVS;
+ }
if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
/* filter -P option */
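Review bot: the fix is correct, and the reason belongs in the changelog: with no braces after `if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )`, only the nested `if ( opt_exist(cl, 'e') )` is governed by that condition, so `return PATH_CVS;` executes for every command line that reaches this point and the rdist branch in the trailing context is dead code; the -e refusal also never runs for a non-cvs command line that is then executed as cvs. Minor: the `fprintf` message has a leading but no trailing newline, so whatever is printed next runs on from it.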
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>: Bug#346322; Package rssh.
Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#346322: rssh runs cvs for rdist and rsync, doesn't check cvs -e
Date: Sat, 07 Jan 2006 12:43:24 -0800
Upstream reports they've released a new version of rssh (2.3.2) which is
now mentioned on the rssh home page. It looks like this release should
also fix Bug#339531.
The problems in 2.3.0 sound like they were introduced in that version and
wouldn't affect previous versions (although of course previous versions
have the chroot problem fixed in 2.3.0).
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>: Bug#346322; Package rssh.
Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.
Cc: Jesus Climent <jesus.climent@hispalinux.es>, team@security.debian.org
Subject: Intention to NMU rssh for security vulnerability
Date: Fri, 17 Mar 2006 13:35:28 -0800
Hi Jesus,
I haven't heard anything back about this bug (#346322), which is a serious
security vulnerability affecting unstable and testing.
I've checked the latest upstream release (2.3.2) and compared it to 2.3.0
currently in Debian, and the following patch fixes this vulnerability and
another segfault issue. I intend to upload an NMU for rssh applying this
patch on Monday (March 20th) if I haven't heard back from you saying to
hold off.
Please let me know if you need any help or have any questions or concerns,
or if you have an upload prepared already for this problem.
diff -ru rssh-2.3.0/main.c.in rssh-2.3.2/main.c.in
--- rssh-2.3.0/main.c.in 2005-11-27 14:36:19.000000000 -0800
+++ rssh-2.3.2/main.c.in 2006-01-03 09:25:05.000000000 -0800
@@ -1,7 +1,7 @@
/*
* rssh.c - restricted shell for ssh to allow scp or sftp only
*
- * Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
+ * Copyright 2003-2006 Derek D. Martin ( code at pizzashack dot org ).
*
* This program is licensed under a BSD-style license, as follows:
*
@@ -174,8 +174,6 @@
char **cmd )
{
char **argvec; /* argument vector for new cmd line */
- char *homedir; /* relative to chroot */
- char *root; /* the chroot dir */
char *temp; /* to build chroot helper cmd line */
int len;
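Review bot: dropping the `homedir` and `root` declarations is only safe if every remaining reference in build_shell_args() goes with them; the only uses visible in this patch are the `strlen(root) + strlen(homedir)` terms removed in the next hunk. If those pointers were declared but never assigned, as their removal suggests, calling strlen on them is the "segfault issue" the cover mail mentions, so it is worth saying so in the NMU changelog rather than only "another segfault issue".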
@@ -229,8 +227,8 @@
*cmd = PATH_CHROOT_HELPER;
/* set up buffer to log command line ('"' + ' ' + '\0' = 9) */
- len = strlen(cmdline) + strlen(root) + strlen(homedir) +
- strlen(argvec[2]) + strlen(PATH_CHROOT_HELPER) + 9;
+ len = strlen(cmdline) + strlen(argvec[2]) +
+ strlen(PATH_CHROOT_HELPER) + 9;
if ( !(temp = (char *)malloc(len)) ){
log_set_priority(LOG_ERR);
log_msg("OOM error in build_shell_args() (fatal)");
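Review bot: the comment `('"' + ' ' + '\0' = 9)` justifying the `+ 9` was written for the four-component line; now that `strlen(root)` and `strlen(homedir)` are gone the fixed overhead is presumably smaller, so either recount it or state that 9 is a deliberate overestimate. Over-allocating is harmless here, but an undercount in this buffer would be a heap overflow, so the comment and the formula should agree.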
diff -ru rssh-2.3.0/util.c rssh-2.3.2/util.c
--- rssh-2.3.0/util.c 2005-11-27 09:01:52.000000000 -0800
+++ rssh-2.3.2/util.c 2006-01-03 09:37:39.000000000 -0800
@@ -1,7 +1,7 @@
/*
* util.c - utility functions for rssh
*
- * Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
+ * Copyright 2003-2006 Derek D. Martin ( code at pizzashack dot org ).
*
* This program is licensed under a BSD-style license, as follows:
*
@@ -209,13 +209,14 @@
return PATH_SCP;
}
- if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
+ if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
if ( opt_exist(cl, 'e') ){
fprintf(stderr, "\ninsecure -e option not allowed.");
log_msg("insecure -e option in cvs command line!");
return NULL;
}
return PATH_CVS;
+ }
if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
/* filter -P option */
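Review bot: this hunk is identical to the fix already posted in this bug, so the NMU and upstream 2.3.2 agree on the change. One regression check worth running before upload is that a plain rsync or rdist command line now reaches its own branch and that a cvs command line with -e is still refused, since before the fix both cases ended in `return PATH_CVS`.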
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Tags added: fixed
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility.
Notification sent to Russ Allbery <rra@debian.org>:
Bug acknowledged by developer.
Source: rssh
Source-Version: 2.3.2-1
We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:
rssh_2.3.2-1.diff.gz
to pool/main/r/rssh/rssh_2.3.2-1.diff.gz
rssh_2.3.2-1.dsc
to pool/main/r/rssh/rssh_2.3.2-1.dsc
rssh_2.3.2-1_i386.deb
to pool/main/r/rssh/rssh_2.3.2-1_i386.deb
rssh_2.3.2.orig.tar.gz
to pool/main/r/rssh/rssh_2.3.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 346322@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated rssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 21 Apr 2006 20:45:25 -0700
Source: rssh
Binary: rssh
Architecture: source i386
Version: 2.3.2-1
Distribution: unstable
Urgency: low
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Russ Allbery <rra@debian.org>
Description:
rssh - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 333923 335384 335475 339531 341412 346322 355935 357715
Changes:
rssh (2.3.2-1) unstable; urgency=low
.
* New co-maintainer.
* New upstream release.
- Incorporates fixes from NMU. (Closes: #346322, #355935, #357715)
- Incorporates missing va_end also fixed in NMU. (Closes: #339531)
* Don't compress example scripts. (Closes: #333923)
* Mention chroot and jail in the rssh description. (Closes: #335475)
* Add libnss_compat* to the chroot script. (Closes: #335384)
* Drop the ssh-krb5 alternative; it doesn't use the right sftp-server
path. Add Suggests pointing to the other supported commands.
* Drop the configuration caution from the package description; it's in
the man page and the long description isn't supposed to include
configuration information for the package.
* Rework README.Debian a little to point to the rssh man page instead of
SECURITY (upstream moved the security notes there) and emphasize
reading the documentation before using the package.
* Update logcheck rules.
* debian/rules and debian/control cleanup.
- Switch to quilt for patches. It works essentially the same as the
script the package was using but is more standard and is the current
recommended tool.
- Run dh_shlibdeps to pick up proper dependency information.
- Get the debconf dependency from debhelper.
- Use debian/compat instead of setting DH_COMPAT.
- Use dh_installman instead of the deprecated dh_installmanpages.
- Remove duplicate rssh.docs configuration file.
- Don't install config.{guess,sub}; configure doesn't use them.
- Rename NEWS.Debian to NEWS so that debhelper installs it.
- Install logcheck rules with debhelper.
- Simplify unused rules and remove some boilerplate.
* Translation updates.
- Swedish, thanks Daniel Nylander. (Closes: #341412)
Files:
ad20c46e6ce646bb7e7d471519403d44 635 net optional rssh_2.3.2-1.dsc
65712f2c06ff5fc6fc783bc8c2e4e1ba 113959 net optional rssh_2.3.2.orig.tar.gz
5f3d1d236ffaa0fe5926ea5983344f73 15382 net optional rssh_2.3.2-1.diff.gz
dca5777ff89837e8a14e8d56e1b33e81 49808 net optional rssh_2.3.2-1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 21:04:31 GMT)