Root compromise bug if rssh_chroot_helper is installed suid

Related Vulnerabilities: CVE-2005-3345  

Debian Bug report logs - #344395

Package: rssh; Maintainer for rssh is Russ Allbery <rra@debian.org>; Source for rssh is src:rssh.

Reported by: Mikko Hänninen <Mikko.Hanninen@iki.fi>

Date: Thu, 22 Dec 2005 12:18:02 UTC

Severity: critical

Tags: security

Merged with 344424

Found in versions rssh/2.2.3-1, rssh/2.2.3-3

Fixed in version rssh/2.3.0-1

Done: Jesus Climent <jesus.climent@hispalinux.es>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#344395; Package rssh.


Acknowledgement sent to Mikko Hänninen <Mikko.Hanninen@iki.fi>:
New Bug report received and forwarded. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>.


Message #5 received at submit@bugs.debian.org:

From: Mikko Hänninen <Mikko.Hanninen@iki.fi>
To: submit@bugs.debian.org
Subject: Root compromise bug if rssh_chroot_helper is installed suid
Date: Thu, 22 Dec 2005 14:13:37 +0200

Package: rssh
Version: 2.2.3-1
Severity: grave
Tags: security

From the rssh website, http://www.pizzashack.org/rssh/

  Important Security Notice:

  Max Vozeler has reported a problem whereby rssh can allow users who have
  shell access to systems where rssh is installed (and rssh_chroot_helper
  is installed SUID) to gain root access to the system, due to the
  ability to chroot to arbitrary locations. There are a lot of potentially
  mitigating factors, but to be safe you should upgrade immediately. This
  bug affects all versions of rssh from v2.0.0 to v2.2.3, so please
  upgrade now!

I believe this affects the Debian package, since I could not find any
documentation on this issue being fixed in the current stable version.
A new version, 2.3.0 is available upstream to fix this issue. I believe
it will also fix bug #339531.


-- 
Mikko Hänninen  <Mikko.Hanninen@iki.fi>
*****  Printed with 100% recycled electrons.  *****
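
A defender-side check for the two conditions the notice names (an rssh version from v2.0.0 to v2.2.3, and a setuid rssh_chroot_helper), as an added example that is not part of the original report or of rssh. The function names and the default helper path are assumptions; pass the real path as the first argument.

```shell
#!/bin/sh
# Added example, not rssh or Debian code. Function names and the default
# helper path are assumptions; the version range is the one in the notice.

# "1:2.2.3-1" -> "2.2.3": drop a Debian epoch and package revision.
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# "2.2.3" -> 2002003, so versions compare as plain integers.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- ${1%%[!0-9.]*}   # keep only the leading digits-and-dots part
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True when the upstream version lies in v2.0.0 .. v2.2.3 (inclusive).
# A distribution build patched under an affected upstream version number
# is not recognised by this check.
rssh_version_affected() {
    k=$(version_key "$(upstream_version "$1")")
    [ "$k" -ge 2000000 ] && [ "$k" -le 2002003 ]
}

# Combine both conditions from the notice: affected version AND setuid helper.
audit_rssh() {
    helper=$1; version=$2
    if ! rssh_version_affected "$version"; then
        echo "ok: rssh $version is outside the affected range"
    elif [ -u "$helper" ]; then
        echo "exposed: rssh $version with setuid $helper, upgrade to 2.3.0 or later"
    else
        echo "upgrade: rssh $version is affected, $helper is not setuid"
    fi
}

# On a Debian host, audit the installed package (helper path may be given as $1).
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' rssh 2>/dev/null) || installed=
    if [ -n "$installed" ]; then
        audit_rssh "${1:-/usr/lib/rssh/rssh_chroot_helper}" "$installed"
    fi
fi
```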



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#344395; Package rssh.


Acknowledgement sent to Jesus Climent <jesus.climent@hispalinux.es>:
Extra info received and forwarded to list.


Message #10 received at 344395@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: Mikko Hänninen <Mikko.Hanninen@iki.fi>, 344395@bugs.debian.org
Subject: Re: Bug#344395: Root compromise bug if rssh_chroot_helper is installed suid
Date: Thu, 22 Dec 2005 13:43:18 +0100

On Thu, Dec 22, 2005 at 02:13:37PM +0200, Mikko Hänninen wrote:
> Package: rssh
> Version: 2.2.3-1
> Severity: grave
> Tags: security
> 
> From the rssh website, http://www.pizzashack.org/rssh/
> 
>   Important Security Notice:
> 
>   Max Vozeler has reported a problem whereby rssh can allow users who have
>   shell access to systems where rssh is installed (and rssh_chroot_helper
>   is installed SUID) to gain root access to the system, due to the
>   ability to chroot to arbitrary locations. There are a lot of potentially
>   mitigating factors, but to be safe you should upgrade immediately. This
>   bug affects all versions of rssh from v2.0.0 to v2.2.3, so please
>   upgrade now!
> 
> I believe this affects the Debian package, since I could not find any
> documentation on this issue being fixed in the current stable version.
> A new version, 2.3.0 is available upstream to fix this issue. I believe
> it will also fix bug #339531.

I am already working on it, but there seems to be a small problem with the
compilation.

Thanks for sending the bug, though.

-- 
Jesus Climent                                      info:www.pumuki.org
Unix SysAdm|Linux User #66350|Debian Developer|2.6.14|Helsinki Finland
GPG: 1024D/86946D69 BB64 2339 1CAA 7064 E429  7E18 66FC 1D7F 8694 6D69

Like my old grand daddy used to say, "The less a man makes declarative 
statements, the less apt he is to look foolish in retrospect."
		--Chester (Four Rooms)



Severity set to `critical'. Request was from Max Vozeler <max@decl.org> to control@bugs.debian.org.


Merged 344395 344424. Request was from Max Vozeler <max@decl.org> to control@bugs.debian.org.


Reply sent to Jesus Climent <jesus.climent@hispalinux.es>:
You have taken responsibility.


Notification sent to Mikko Hänninen <Mikko.Hanninen@iki.fi>:
Bug acknowledged by developer.


Message #19 received at 344395-close@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: 344395-close@bugs.debian.org
Subject: Bug#344395: fixed in rssh 2.3.0-1
Date: Wed, 28 Dec 2005 08:02:06 -0800

Source: rssh
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.0-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.0-1.diff.gz
rssh_2.3.0-1.dsc
  to pool/main/r/rssh/rssh_2.3.0-1.dsc
rssh_2.3.0-1_powerpc.deb
  to pool/main/r/rssh/rssh_2.3.0-1_powerpc.deb
rssh_2.3.0.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 344395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jesus Climent <jesus.climent@hispalinux.es> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 19 Dec 2005 20:00:02 +0200
Source: rssh
Binary: rssh
Architecture: source powerpc
Version: 2.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Jesus Climent <jesus.climent@hispalinux.es>
Description: 
 rssh       - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 344395 344424
Changes: 
 rssh (2.3.0-1) unstable; urgency=high
 .
   * New upstream release.
   * This package is a security update:
     - closes CVE-2005-3345.
     - Closes: #344424, #344395
Files: 
 43616b7c0360063d50654b074b0e69ae 592 net optional rssh_2.3.0-1.dsc
 4badd1c95bf9b9507e6642598e809dd5 113701 net optional rssh_2.3.0.orig.tar.gz
 7090f32e81cdf815e9311772dd1ba1c1 13888 net optional rssh_2.3.0-1.diff.gz
 b5d9a545abd38350759d017924e1b2a5 48004 net optional rssh_2.3.0-1_powerpc.deb





Reply sent to Jesus Climent <jesus.climent@hispalinux.es>:
You have taken responsibility.


Notification sent to Mikko Hänninen <Mikko.Hanninen@iki.fi>:
Bug acknowledged by developer.


Message #24 received at 344424-close@bugs.debian.org:

From: Jesus Climent <jesus.climent@hispalinux.es>
To: 344424-close@bugs.debian.org
Subject: Bug#344424: fixed in rssh 2.3.0-1
Date: Wed, 28 Dec 2005 08:02:06 -0800

Source: rssh
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.0-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.0-1.diff.gz
rssh_2.3.0-1.dsc
  to pool/main/r/rssh/rssh_2.3.0-1.dsc
rssh_2.3.0-1_powerpc.deb
  to pool/main/r/rssh/rssh_2.3.0-1_powerpc.deb
rssh_2.3.0.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 344424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jesus Climent <jesus.climent@hispalinux.es> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 22:37:44 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:12:31 2019; Machine Name: beach
