rssh: CVE-2019-1000018: Remote code execution in scp support

Related Vulnerabilities: CVE-2019-1000018, CVE-2012-2251, CVE-2012-2252

Debian Bug report logs - #919623
rssh: CVE-2019-1000018: Remote code execution in scp support

Package: rssh; Maintainer for rssh is Russ Allbery <rra@debian.org>; Source for rssh is src:rssh (PTS, buildd, popcon).

Reported by: Russ Allbery <rra@debian.org>

Date: Fri, 18 Jan 2019 03:27:02 UTC

Severity: grave

Tags: security, upstream

Found in versions rssh/2.3.4-8, rssh/2.3.4-5, rssh/2.3.4-4

Fixed in versions rssh/2.3.4-9, 2.3.4-9, rssh/2.3.4-5+deb9u1

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/rssh/mailman/message/36519118/


Report forwarded to debian-bugs-dist@lists.debian.org, rra@debian.org, team@security.debian.org:
Bug#919623; Package rssh. (Fri, 18 Jan 2019 03:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Russ Allbery <rra@debian.org>:
New Bug report received and forwarded. Copy sent to rra@debian.org, team@security.debian.org. (Fri, 18 Jan 2019 03:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Remote code execution in scp support
Date: Thu, 17 Jan 2019 19:25:25 -0800
[Message part 1 (text/plain, inline)]
Package: rssh
Version: 2.3.4-8
Severity: grave
Tags: security upstream

https://sourceforge.net/p/rssh/mailman/message/36519118/ is the upstream
report.  The reporter indicated they asked for a CVE but didn't include it
in the message.

scp allows remote code execution inside the server environment via several
methods due to inadequate command-line verification.  This bug has been
present since the beginning of rssh.

I have a completely untested patch but haven't had time to test it yet.
Attaching it to this report for whatever it's worth.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rssh depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.28-4
ii  openssh-server         1:7.9p1-4

rssh recommends no packages.

Versions of packages rssh suggests:
ii  cvs         2:1.12.13+real-26
pn  makejail    <none>
pn  rdist       <none>
ii  rsync       3.1.3-1
ii  subversion  1.10.3-1+b1

-- Configuration Files:
/etc/logcheck/ignore.d.server/rssh [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/rssh'
/etc/rssh.conf changed [not included]

-- debconf information excluded
[rssh.patch (text/plain, attachment)]

Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Tue, 29 Jan 2019 05:54:04 GMT) (full text, mbox, link).


Notification sent to Russ Allbery <rra@debian.org>:
Bug acknowledged by developer. (Tue, 29 Jan 2019 05:54:04 GMT) (full text, mbox, link).


Message #10 received at 919623-close@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>
To: 919623-close@bugs.debian.org
Subject: Bug#919623: fixed in rssh 2.3.4-9
Date: Tue, 29 Jan 2019 05:50:04 +0000
Source: rssh
Source-Version: 2.3.4-9

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919623@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 28 Jan 2019 21:03:59 -0800
Source: rssh
Architecture: source
Version: 2.3.4-9
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Closes: 919623
Changes:
 rssh (2.3.4-9) unstable; urgency=high
 .
   [ Russ Allbery ]
   * Validate the allowed scp command line and only permit the flags used
     in server mode and only a single argument, to attempt to prevent use
     of ssh options to run arbitrary code on the server.  This will break
     scp -3 to a system running rssh, which seems like an acceptable loss.
     (Closes: #919623, CVE-2019-1000018)
   * Tighten validation of the rsync command line to require --server be
     the first argument, which should prevent initiation of an outbound
     rsync command from the server, which in turn might allow execution of
     arbitrary code via ssh configuration similar to scp.
   * Add validation of the server command line after chroot when chroot is
     enabled.  Prior to this change, dangerous argument filtering was not
     done when chroot was configured, allowing remote code execution inside
     the chroot in some configurations via the previous two bugs and via
     the mechanisms in CVE-2012-2251 and CVE-2012-2252.
   * Document that the cvs server-side dangerous option filtering is
     probably insufficient and should not be considered secure.
   * Remove ancient upgrade support in debian/postinst.
   * Remove debian/source/options, which was forcing compression to xz (now
     the default).
   * Update to debhelper compatibility level V12.
   * Update standards version to 4.3.0 (no changes required).
 .
   [ Ondřej Nový ]
   * d/watch: Use https protocol





Bug reopened Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:09:03 GMT) (full text, mbox, link).


No longer marked as fixed in versions rssh/2.3.4-9. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:09:03 GMT) (full text, mbox, link).


Added indication that 919623 affects 2.3.4-5 Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:09:04 GMT) (full text, mbox, link).


Added indication that 919623 affects 2.3.4-4 Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:09:05 GMT) (full text, mbox, link).


Marked as fixed in versions 2.3.4-9. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:09:07 GMT) (full text, mbox, link).


Marked as found in versions rssh/2.3.4-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:30:04 GMT) (full text, mbox, link).


Changed Bug title to 'rssh: CVE-2019-1000018: Remote code execution in scp support' from 'Remote code execution in scp support'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:30:37 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://sourceforge.net/p/rssh/mailman/message/36519118/'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:30:40 GMT) (full text, mbox, link).


Removed indication that 919623 affects 2.3.4-4 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:36:04 GMT) (full text, mbox, link).


Removed indication that 919623 affects 2.3.4-5 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:36:04 GMT) (full text, mbox, link).


Marked as found in versions rssh/2.3.4-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 06:36:05 GMT) (full text, mbox, link).


Marked as fixed in versions rssh/2.3.4-9. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Tue, 29 Jan 2019 17:33:03 GMT) (full text, mbox, link).


Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Fri, 01 Feb 2019 23:06:05 GMT) (full text, mbox, link).


Notification sent to Russ Allbery <rra@debian.org>:
Bug acknowledged by developer. (Fri, 01 Feb 2019 23:06:05 GMT) (full text, mbox, link).


Message #39 received at 919623-close@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>
To: 919623-close@bugs.debian.org
Subject: Bug#919623: fixed in rssh 2.3.4-5+deb9u1
Date: Fri, 01 Feb 2019 23:03:28 +0000
Source: rssh
Source-Version: 2.3.4-5+deb9u1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919623@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 29 Jan 2019 20:50:25 -0800
Source: rssh
Binary: rssh
Architecture: source amd64
Version: 2.3.4-5+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
 rssh       - Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
Closes: 919623
Changes:
 rssh (2.3.4-5+deb9u1) stretch-security; urgency=high
 .
   * Validate the allowed scp command line and only permit the flags used
     in server mode and only a single argument, to attempt to prevent use
     of ssh options to run arbitrary code on the server.  This will break
     scp -3 to a system running rssh, which seems like an acceptable loss.
     (Closes: #919623, CVE-2019-1000018)
   * Tighten validation of the rsync command line to require --server be
     the first argument, which should prevent initiation of an outbound
     rsync command from the server, which in turn might allow execution of
     arbitrary code via ssh configuration similar to scp.
   * Add validation of the server command line after chroot when chroot is
     enabled.  Prior to this change, dangerous argument filtering was not
     done when chroot was configured, allowing remote code execution inside
     the chroot in some configurations via the previous two bugs and via
     the mechanisms in CVE-2012-2251 and CVE-2012-2252.
   * Further document that the cvs server-side dangerous option filtering
     is probably insufficient and should not be considered secure.

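The scp command-line allow list described in both changelogs above (only server-mode flags, a single argument) as an added example; this is not rssh's or Debian's code. The flag set (-t, -f, -r, -p, -d, -v), the one-path-last rule and the helper names scp_cmdline_ok and scp_cmdline_str_ok are assumptions modelled on the changelog text, not rssh's exact implementation.

```c
#include <string.h>

/* Illustrative allow list of scp server-mode flags (an assumption, not rssh's
 * exact list): anything else, including -o and -S, is rejected outright. */
static const char *const allowed_flags[] = {"-t", "-f", "-r", "-p", "-d", "-v", NULL};

static int flag_allowed(const char *arg)
{
    for (const char *const *p = allowed_flags; *p != NULL; p++)
        if (strcmp(arg, *p) == 0)
            return 1;
    return 0;
}

/* Accept argv only if argv[0] is "scp", every option is allow-listed, exactly
 * one of -t/-f appears and the sole remaining argument (the path) is last. */
int scp_cmdline_ok(int argc, char **argv)
{
    int modes = 0, paths = 0;
    if (argc < 3 || strcmp(argv[0], "scp") != 0)
        return 0;
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] == '-') {
            if (!flag_allowed(a))
                return 0;            /* unknown, combined or long option */
            modes += (strcmp(a, "-t") == 0 || strcmp(a, "-f") == 0);
        } else if (*a == '\0' || ++paths > 1 || i != argc - 1) {
            return 0;                /* one non-empty path only, and it must be last */
        }
    }
    return modes == 1 && paths == 1;
}

/* Split a constructed command line on spaces (sample input only; the real rssh
 * receives the already-split argv) and validate it. */
int scp_cmdline_str_ok(const char *cmdline)
{
    char buf[256], *argv[16];
    int argc = 0;
    if (strlen(cmdline) >= sizeof buf)
        return 0;
    strcpy(buf, cmdline);
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (argc >= 16)
            return 0;
        argv[argc++] = tok;
    }
    return scp_cmdline_ok(argc, argv);
}
```

With this shape of check, the normal upload (`scp -t dir`) and download (`scp -r -p -f dir`) command lines pass, while any `-o`/`-S` option or a second argument fails closed, which is also why the changelog notes that `scp -3` to an rssh host stops working.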




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Mar 2019 07:27:11 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:17:07 2019; Machine Name: buxtehude
