Debian Bug report logs -
#920486
netkit-rsh: CVE-2019-7282 CVE-2019-7283
Reported by: Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>
Date: Sat, 26 Jan 2019 05:24:02 UTC
Severity: important
Tags: security
Found in versions netkit-rsh/0.17-19, netkit-rsh/0.17-17
Fixed in version netkit-rsh/0.17-20
Done: Alberto Gonzalez Iniesta <agi@inittab.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#920486; Package rsh-client.
(Sat, 26 Jan 2019 05:24:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>.
(Sat, 26 Jan 2019 05:24:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: rsh-client
Version: 0.17-19
Severity: important
Tags: security
Refer Bug #919101
Dear Maintainer,
netkit-rcp also has CVE-2018-20685 and CVE-2019-6111 similar to scp.
Source code of the problem below:
"netkit-rsh-0.17/rcp/rcp.c" line 750 (after debian patched)
while (isdigit(*cp))
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
<!---- check code is required here ---->
if (targisdir) {
char *newbuf;
int need = strlen(targ) + strlen(cp) + 2;
if (need > cursize) {
Thank you,
Hiroyuki YAMAMORI
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages rsh-client depends on:
ii libc6 2.28-5
rsh-client recommends no packages.
rsh-client suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#920486; Package rsh-client.
(Mon, 28 Jan 2019 15:57:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list.
(Mon, 28 Jan 2019 15:57:07 GMT) (full text, mbox, link).
Message #10 received at 920486@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sat, Jan 26, 2019 at 02:20:06PM +0900, Hiroyuki YAMAMORI wrote:
> Package: rsh-client
> Version: 0.17-19
> Severity: important
> Tags: security
>
> Refer Bug #919101
>
> Dear Maintainer,
>
> netkit-rcp also has CVE-2018-20685 and CVE-2019-6111 similar to scp.
Hi!
Thanks for noticing.
Attaching the patch so that others can check it.
Regards,
Alberto
--
Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
[fix-CVE-2018-20685-and-CVE-2019-6111.patch (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#920486; Package rsh-client.
(Tue, 29 Jan 2019 00:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>.
(Tue, 29 Jan 2019 00:57:05 GMT) (full text, mbox, link).
Message #15 received at 920486@bugs.debian.org (full text, mbox, reply):
From: Alberto Gonzalez Iniesta <agi@inittab.org>
Date: Mon, 28 Jan 2019 16:46:21 +0100
> On Sat, Jan 26, 2019 at 02:20:06PM +0900, Hiroyuki YAMAMORI wrote:
>> Package: rsh-client
>> Version: 0.17-19
>> Severity: important
>> Tags: security
>>
>> Refer Bug #919101
>>
>> Dear Maintainer,
>>
>> netkit-rcp also has CVE-2018-20685 and CVE-2019-6111 similar to scp.
>
> Hi!
>
> Thanks for noticing.
>
> Attaching the patch so that others can check it.
>
> Regards,
>
> Alberto
I've tried.
Build OK.
There is no problem with the normal case.
I have not done a error case. However, since it is the same as openssh,
so I think it's OK.
Thank you,
Hiroyuki YAMAMORI
Reply sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility.
(Wed, 30 Jan 2019 17:45:07 GMT) (full text, mbox, link).
Notification sent
to Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>:
Bug acknowledged by developer.
(Wed, 30 Jan 2019 17:45:07 GMT) (full text, mbox, link).
Message #20 received at 920486-close@bugs.debian.org (full text, mbox, reply):
Source: netkit-rsh
Source-Version: 0.17-20
We believe that the bug you reported is fixed in the latest version of
netkit-rsh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 920486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated netkit-rsh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 30 Jan 2019 17:02:34 +0100
Source: netkit-rsh
Binary: rsh-client rsh-server
Architecture: source amd64
Version: 0.17-20
Distribution: unstable
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description:
rsh-client - client programs for remote shell connections
rsh-server - server program for remote shell connections
Closes: 920486
Changes:
netkit-rsh (0.17-20) unstable; urgency=medium
.
* Fix CVE-2018-20685 and CVE-2019-6111. (Closes: #920486)
Thanks Hiroyuki YAMAMORI for the heads up.
Checksums-Sha1:
e01554ea6628b37da934b344c29e5f703556d87b 1780 netkit-rsh_0.17-20.dsc
4047297d0ffb413b766bf768a3020662e3f56ead 23388 netkit-rsh_0.17-20.debian.tar.xz
337754c219cee8ea1062091dd6f5e5b8beaa8cfa 7466 netkit-rsh_0.17-20_amd64.buildinfo
79e2aceb91daf310326e62052b32ce6e8621b22f 5116 rsh-client-dbgsym_0.17-20_amd64.deb
1a149dd14423b18d5503d17c917f239823c6f505 31552 rsh-client_0.17-20_amd64.deb
8282cf4fb341a5b99996320ff779b3b90f5fca14 5348 rsh-server-dbgsym_0.17-20_amd64.deb
4458d9c923a201ca4c1e4fbe30010000efbd30ac 36428 rsh-server_0.17-20_amd64.deb
Checksums-Sha256:
2c9261477ed0679fbbb6a5444b89d96e58234cabbed75b662a0dfedd8b2184d0 1780 netkit-rsh_0.17-20.dsc
4e8f457ed75c195ea617596b9ac7aa978931f59cd18f766ebf7b62b117741886 23388 netkit-rsh_0.17-20.debian.tar.xz
a12ca1513f1972295cad54e1230aa2a0556a018d4b2d65877734d8b1fdc66d3e 7466 netkit-rsh_0.17-20_amd64.buildinfo
f36c7ce2dc6a6a1a03eea1eeffd780465e48aaf46587135c89efde62f562ee83 5116 rsh-client-dbgsym_0.17-20_amd64.deb
f67aab7974cc209ea11498d2509587eb1e3b71c248ae678800f76aa92ec3a309 31552 rsh-client_0.17-20_amd64.deb
dc3fb9a0ae00f2d46fbe7a4bafaeaed7d5c285319637cdf424c982da03cc3eba 5348 rsh-server-dbgsym_0.17-20_amd64.deb
3ab8c4958f6a85ae674fa42b7045e5cc8f6b37f6058191c30f2c196781a24c86 36428 rsh-server_0.17-20_amd64.deb
Files:
8e16237fbee773bf9383de70d9c68d01 1780 net optional netkit-rsh_0.17-20.dsc
f628d6dea202731f9e59d12eb258fb69 23388 net optional netkit-rsh_0.17-20.debian.tar.xz
aea6330c1e5ffcf5960e735073a398c1 7466 net optional netkit-rsh_0.17-20_amd64.buildinfo
92b1341c034142dd0980e7176f408b08 5116 debug optional rsh-client-dbgsym_0.17-20_amd64.deb
647b1634ec6c0a8dc9fcee6908c73840 31552 net optional rsh-client_0.17-20_amd64.deb
2df2457d03fe06d4bb2ce05cf4a7e331 5348 debug optional rsh-server-dbgsym_0.17-20_amd64.deb
0c1b977a7ffe8ebc74306ded6e4dee50 36428 net optional rsh-server_0.17-20_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCAAuFiEEU0fL2D4wqetNfUvyAJszdWuaqlUFAlxRzokQHGFnaUBpbml0
dGFiLm9yZwAKCRAAmzN1a5qqVSiyEACPsosXaKMhnqiwQr4ZaZR2Mp7traAPHPBu
KomedW56fbi0E1gIlSUX/DIweQPydCZvLh0XtL7paoxEOVGaYNJs1G5w8uYW04Q7
xvo2f/d8NnA+b8HPYylIIoYzJRhhs5508V0Wjjz5/utQcPN4uZXpFIMoJWzQYS8d
n87tr2EDTquqTFPvBclqd3W0MGzw+ESMJBD4pg/ipypxf9nygicYxDMnu0uH178F
N4LhVH5whHffCShlKQKbWiKqJyhCi6+dlrtX9JPp/CuXddv29bsvU31nbwiTrmYS
JROibf3AEFruxeo/XTzSMVio7Zm7QCPwvpMz7ZAH5HI/3AAJ3GNdpwn/ybQyNIda
vJo7zHK5M/m94MLWnm+L/7cl+dcLOfuUFdWS0Mw0p/8JQoAyZAVsUbSOvCCt4bGI
altCeRFLF0mRip0qQ/O/FoOWBYrswuNWqKpi9WknI2sj0D32NMEU4ky5TkXr6qed
gHptx91is8AOTeVkxFC8djXX20tM/f2WOEhmHWoa8dPAXBhg0QrIKkRGsJcDdQEp
+ug4VUMXGK618E6zCqpDGwYl3qB+JT9Du+5soSN/okrGcBNNCok/fJ9lP26b2Nrf
3zL9pBiv2PNYpfJjweTc30PaAWaw3NsZKfaxqnPT/oZV9lnFzh5iJMwHB1CBoA33
wKQ2xJYpOw==
=svGn
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#920486; Package rsh-client.
(Wed, 30 Jan 2019 22:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>.
(Wed, 30 Jan 2019 22:21:03 GMT) (full text, mbox, link).
Message #25 received at 920486@bugs.debian.org (full text, mbox, reply):
Hi,
> netkit-rsh (0.17-20) unstable; urgency=medium
> .
> * Fix CVE-2018-20685 and CVE-2019-6111. (Closes: #920486)
> Thanks Hiroyuki YAMAMORI for the heads up.
FTR, I have asked MITRE if those two CVEs should be used as well for
netkit-rsh or if it would need two new CVEs.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#920486; Package rsh-client.
(Thu, 31 Jan 2019 10:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list.
(Thu, 31 Jan 2019 10:06:02 GMT) (full text, mbox, link).
Message #30 received at 920486@bugs.debian.org (full text, mbox, reply):
On Wed, Jan 30, 2019 at 11:17:51PM +0100, Salvatore Bonaccorso wrote:
> Hi,
Hi!
> > netkit-rsh (0.17-20) unstable; urgency=medium
> > .
> > * Fix CVE-2018-20685 and CVE-2019-6111. (Closes: #920486)
> > Thanks Hiroyuki YAMAMORI for the heads up.
>
> FTR, I have asked MITRE if those two CVEs should be used as well for
> netkit-rsh or if it would need two new CVEs.
Ooops! I should have asked before... Sorry.
Do you (sec team) think we should prepare an upload with this fix for
stable security?
Regards,
Alberto
--
Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Information forwarded
to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#920486; Package rsh-client.
(Thu, 31 Jan 2019 20:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>.
(Thu, 31 Jan 2019 20:09:04 GMT) (full text, mbox, link).
Message #35 received at 920486@bugs.debian.org (full text, mbox, reply):
Control: found -1 0.17-17
Control: retitle -1 netkit-rsh: CVE-2019-7282 CVE-2019-7283
Hi Alberto,
On Thu, Jan 31, 2019 at 11:03:36AM +0100, Alberto Gonzalez Iniesta wrote:
> On Wed, Jan 30, 2019 at 11:17:51PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
>
> Hi!
>
> > > netkit-rsh (0.17-20) unstable; urgency=medium
> > > .
> > > * Fix CVE-2018-20685 and CVE-2019-6111. (Closes: #920486)
> > > Thanks Hiroyuki YAMAMORI for the heads up.
> >
> > FTR, I have asked MITRE if those two CVEs should be used as well for
> > netkit-rsh or if it would need two new CVEs.
>
> Ooops! I should have asked before... Sorry.
> Do you (sec team) think we should prepare an upload with this fix for
> stable security?
So it turns out that two new CVEs were assigned, CVE-2019-7282 (for
the one similar to CVE-2018-20685) and CVE-2019-7283 (for the one
similar to CVE-2019-6111).
Regards,
Salvatore
Marked as found in versions netkit-rsh/0.17-17.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 920486-submit@bugs.debian.org.
(Thu, 31 Jan 2019 20:09:04 GMT) (full text, mbox, link).
Changed Bug title to 'netkit-rsh: CVE-2019-7282 CVE-2019-7283' from 'rsh-client: rcp has CVE-2018-20685 similar to scp'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 920486-submit@bugs.debian.org.
(Thu, 31 Jan 2019 20:09:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 05 Mar 2019 07:31:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:47:25 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon