ssh: local code execution in scp [CVE-2006-0225]

Related Vulnerabilities: CVE-2006-0225  

Debian Bug report logs - #349645


Reported by: Martin Pitt <mpitt@debian.org>

Date: Tue, 24 Jan 2006 10:33:07 UTC

Severity: important

Tags: patch, security

Merged with 352254, 369998

Fixed in version openssh/1:4.3p2-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#349645; Package ssh.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: ssh: local code execution in scp [CVE-2006-0225]
Date: Tue, 24 Jan 2006 11:22:23 +0100
Package: ssh
Severity: important
Tags: security patch

Hi!

http://bugzilla.mindrot.org/show_bug.cgi?id=1094 describes a flaw in
scp: it expands shell characters and escapes twice which could lead to
unwanted shell code execution. It affects cases where scp is used to
transfer untrusted directories, but this could happen in automated
systems, cron jobs, etc.

The reporter provided a patch, but it has not yet been acknowledged by
upstream.

Please mention the CVE number in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



Message #10 received at 349645@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Martin Pitt <mpitt@debian.org>, 349645@bugs.debian.org
Subject: Re: Bug#349645: ssh: local code execution in scp [CVE-2006-0225]
Date: Tue, 24 Jan 2006 11:09:17 +0000
On Tue, Jan 24, 2006 at 11:22:23AM +0100, Martin Pitt wrote:
> Package: ssh
> Severity: important
> Tags: security patch
> 
> Hi!
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=1094 describes a flaw in
> scp: it expands shell characters and escapes twice which could lead to
> unwanted shell code execution. It affects cases where scp is used to
> transfer untrusted directories, but this could happen in automated
> systems, cron jobs, etc.
> 
> The reporter provided a patch, but it has not yet been acknowledged by
> upstream.

It's not clear to me whether upstream will change this, because it's not
possible to fix many scp issues without breaking protocol compatibility:

  http://www.openssh.org/faq.html#2.10

The official line is to use sftp instead.

Therefore, unless and until upstream acknowledges the bug and decides
what to do about it, I don't intend to change this in Debian in case I
affect protocol compatibility with other systems. Users concerned about
the security impact of this bug should migrate away from scp to sftp,
rsync-over-ssh, or similar.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]





Message #15 received at 349645@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Colin Watson <cjwatson@debian.org>
Cc: 349645@bugs.debian.org, Martin Pitt <mpitt@debian.org>
Subject: Re: Bug#349645: ssh: local code execution in scp [CVE-2006-0225]
Date: Tue, 24 Jan 2006 13:07:09 +0100
* Colin Watson:

> It's not clear to me whether upstream will change this, because it's not
> possible to fix many scp issues without breaking protocol compatibility:

The bug affects local-to-local copies, which are not subject to
protocol constraints.  Remote-to-remote copies do not seem to use the
wire protocol, either, so it should be possible to fix them, too.





Message #20 received at 349645@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 349645@bugs.debian.org
Subject: Re: Bug#349645: ssh: local code execution in scp [CVE-2006-0225]
Date: Wed, 25 Jan 2006 11:58:24 +0100
By the way, if you intend to fix this bug for stable, it might be a
good idea to include a fix for #270770 as well (which, at this stage,
boils down to clearing the SUID/SGID flags).





Message #25 received at 349645@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Martin Pitt <mpitt@debian.org>, 349645@bugs.debian.org
Subject: Re: Bug#349645: ssh: local code execution in scp [CVE-2006-0225]
Date: Fri, 27 Jan 2006 09:25:49 +0000
On Tue, Jan 24, 2006 at 11:09:17AM +0000, Colin Watson wrote:
> It's not clear to me whether upstream will change this,

Looks like upstream are going to fix it after all. I'll monitor the
upstream bug and incorporate whatever patch finally gets committed.

-- 
Colin Watson                                       [cjwatson@debian.org]



Bug reassigned from package `ssh' to `openssh'. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org.


Merged 349645 352254. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org.


Bug reassigned from package `openssh' to `openssh'. Request was from Adam D. Barratt <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.


Merged 349645 352254. Request was from Adam D. Barratt <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.


Message #38 received at 349645-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 349645-close@bugs.debian.org
Subject: Bug#349645: fixed in openssh 1:4.3p2-1
Date: Fri, 12 May 2006 05:17:10 -0700
Source: openssh
Source-Version: 1:4.3p2-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.3p2-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.3p2-1_powerpc.udeb
openssh-client_4.3p2-1_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.3p2-1_powerpc.deb
openssh-server-udeb_4.3p2-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.3p2-1_powerpc.udeb
openssh-server_4.3p2-1_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.3p2-1_powerpc.deb
openssh_4.3p2-1.diff.gz
  to pool/main/o/openssh/openssh_4.3p2-1.diff.gz
openssh_4.3p2-1.dsc
  to pool/main/o/openssh/openssh_4.3p2-1.dsc
openssh_4.3p2.orig.tar.gz
  to pool/main/o/openssh/openssh_4.3p2.orig.tar.gz
ssh-askpass-gnome_4.3p2-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.3p2-1_powerpc.deb
ssh_4.3p2-1_all.deb
  to pool/main/o/openssh/ssh_4.3p2-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 349645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 May 2006 12:48:24 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.3p2-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 114894 259865 349645 349896 352042 360348 361032 361220
Changes: 
 openssh (1:4.3p2-1) unstable; urgency=low
 .
   * New upstream release (closes: #361032).
     - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
       subshell to perform local to local, and remote to remote copy
       operations. This subshell exposed filenames to shell expansion twice;
       allowing a local attacker to create filenames containing shell
       metacharacters that, if matched by a wildcard, could lead to execution
       of attacker-specified commands with the privilege of the user running
       scp (closes: #349645).
     - Add support for tunneling arbitrary network packets over a connection
       between an OpenSSH client and server via tun(4) virtual network
       interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
       between the client and server providing real network connectivity at
       layer 2 or 3. This feature is experimental.
     - Reduce default key length for new DSA keys generated by ssh-keygen
       back to 1024 bits. DSA is not specified for longer lengths and does
       not fully benefit from simply making keys longer. As per FIPS 186-2
       Change Notice 1, ssh-keygen will refuse to generate a new DSA key
       smaller or larger than 1024 bits.
     - Fixed X forwarding failing to start when the X11 client is executed in
       background at the time of session exit.
     - Change ssh-keygen to generate a protocol 2 RSA key when invoked
       without arguments (closes: #114894).
     - Fix timing variance for valid vs. invalid accounts when attempting
       Kerberos authentication.
     - Ensure that ssh always returns code 255 on internal error
       (closes: #259865).
     - Cleanup wtmp files on SIGTERM when not using privsep.
     - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
       lingering sockets from previous session (X11 applications can
       sometimes not connect to 127.0.0.1:60xx) (closes:
       https://launchpad.net/bugs/25528).
     - Ensure that fds 0, 1 and 2 are always attached in all programs, by
       duping /dev/null to them if necessary.
     - Xauth list invocation had bogus "." argument.
     - Remove internal assumptions on key exchange hash algorithm and output
       length, preparing OpenSSH for KEX methods with alternate hashes.
     - Ignore junk sent by a server before it sends the "SSH-" banner.
     - Many manual page improvements.
     - Lots of cleanups, including fixes to memory leaks on error paths and
       possible crashes.
   * Update to current GSSAPI patch from
     http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch
     (closes: #352042).
   * debian/rules: Resynchronise CFLAGS with that generated by configure.
   * Restore pam_nologin to /etc/pam.d/ssh; sshd no longer checks this itself
     when PAM is enabled, but relies on PAM to do it.
   * Rename KeepAlive to TCPKeepAlive in default sshd_config
     (closes: #349896).
   * Rephrase ssh/new_config and ssh/encrypted_host_key_but_no_keygen debconf
     templates to make boolean short descriptions end with a question mark
     and to avoid use of the first person.
   * Ship README.tun.
   * Policy version 3.7.2: no changes required.
   * debconf template translations:
     - Update Italian (thanks, Luca Monducci; closes: #360348).
     - Add Galician (thanks, Jacobo Tarrio; closes: #361220).
Files: 
 8d1f58e7d3b425bd1ef12e3371ffc68f 990 net standard openssh_4.3p2-1.dsc
 239fc801443acaffd4c1f111948ee69c 920186 net standard openssh_4.3p2.orig.tar.gz
 a8c086845a068a536ca0dc3321bd521a 162625 net standard openssh_4.3p2-1.diff.gz
 a22fdf533137fa2d03a61dde4d4f580f 1052 net extra ssh_4.3p2-1_all.deb
 d9ceadbb42d05c28581275e87038e6ec 623544 net standard openssh-client_4.3p2-1_powerpc.deb
 bd5163ae4860b2cbbe89eaaad7ad0a63 223824 net optional openssh-server_4.3p2-1_powerpc.deb
 c0f609fd7ba81691924e44da1c23106d 98662 gnome optional ssh-askpass-gnome_4.3p2-1_powerpc.deb
 9c37157b73710391a8e893b735732d68 165182 debian-installer optional openssh-client-udeb_4.3p2-1_powerpc.udeb
 b74fff399f1586d316f284454abef7a0 168630 debian-installer optional openssh-server-udeb_4.3p2-1_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEZHrp9t0zAhD6TNERAvREAJ4gTdqtZk4gQ48u/NGy97U0Dku7QQCfZJSI
ODLtJHsGi9NB/39+0FQVU/E=
=1Fuo
-----END PGP SIGNATURE-----
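
The changelog entry above describes the mechanism behind CVE-2006-0225: for local-to-local and remote-to-remote copies, scp built a command line and handed it to a subshell, so a filename that the user's own shell had already expanded from a wildcard was parsed by a shell a second time. The script below is an added example, not code from this bug log or from OpenSSH. It models that pattern with two small copier functions: one that glues the names into a `sh -c` command string (the pre-4.3p2 behaviour, modelled here with `cp`), and one that passes the names as an argument vector, which is the shape of the upstream fix. The attacker filename, the temporary tree and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example modelling the CVE-2006-0225 pattern described in the
# openssh 1:4.3p2-1 changelog. Not code from OpenSSH or from this bug log.
# Assumptions: POSIX sh, cp and mktemp available; the attacker filename,
# the temporary tree and all function names are constructed for the demo.
set -u

# Vulnerable pattern (what scp/rcp did for local-to-local copies): glue the
# caller's already glob-expanded names into a string and let a subshell
# parse it, so the shell expands the filename a second time.
scp_like_copy_vulnerable() {
    sh -c "cp $1 $2"
}

# Fixed pattern (shape of the 4.3p2 change): pass names as separate argv
# entries, with "--" so that no shell parses them and a name starting with
# "-" cannot be taken as an option.
scp_like_copy_fixed() {
    cp -- "$1" "$2"
}

# Returns 0 if running the named copier over an attacker-controlled
# directory created the marker file "pwned", 1 otherwise.
marker_created() {
    copier=$1
    work=$(mktemp -d)
    mkdir "$work/src" "$work/dst"
    # Constructed attacker filename: a command substitution inside the name.
    # A victim's wildcard matches it like any other file.
    : > "$work/src/"'`touch pwned`'
    # The victim (a cron job, say) copies src/* into dst/. The glob is the
    # first expansion; a subshell inside the copier would be the second.
    ( cd "$work" && for f in src/*; do "$copier" "$f" dst/ 2>/dev/null || true; done )
    if [ -e "$work/pwned" ]; then found=0; else found=1; fi
    rm -rf "$work"
    return $found
}

marker_created scp_like_copy_vulnerable && echo "vulnerable copier: attacker command ran"
marker_created scp_like_copy_fixed || echo "fixed copier: attacker command did not run"
```

The point the changelog makes is visible in the two copier bodies: the names reach `cp` unchanged in both cases, but only the string-building version lets a shell see them, and a shell will honour backticks, `$(...)`, `;` or `&` wherever they appear in a word. The same reasoning is why the maintainer's advice to use sftp or rsync-over-ssh removes the exposure: neither hands filenames to a subshell on the local side.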






Message #43 received at 349645@bugs.debian.org:

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: 349645@bugs.debian.org
Subject: [CVE-2006-0225] for sarge?
Date: Wed, 17 May 2006 14:26:33 +1000
Is this considered important enough for a DSA for sarge?
-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000





Message #48 received at 349645@bugs.debian.org:

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>, 349645@bugs.debian.org, security@debian.org
Subject: Re: Bug#349645: [CVE-2006-0225] for sarge?
Date: Wed, 17 May 2006 09:15:23 -0400
On Wed, May 17, 2006 at 02:26:33PM +1000, Geoff Crompton wrote:
> Is this considered important enough for a DSA for sarge?
That is a question best addressed to the security team.

Justin





Message #53 received at 349645@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Justin Pryzby <justinpryzby@users.sourceforge.net>
Cc: Geoff Crompton <geoff.crompton@strategicdata.com.au>, 349645@bugs.debian.org, security@debian.org
Subject: Re: Bug#349645: [CVE-2006-0225] for sarge?
Date: Thu, 18 May 2006 05:22:54 +0200
Justin Pryzby wrote:
> On Wed, May 17, 2006 at 02:26:33PM +1000, Geoff Crompton wrote:
> > Is this considered important enough for a DSA for sarge?
> That is a question best addressed to the security team

No, we don't think it warrants a security update.

Cheers,
        Moritz



Forcibly Merged 349645 352254 369998. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 10:55:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:22:39 2019; Machine Name: buxtehude
