Bug#: 119232
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Description:   Opened: 2006-01-16 14:20 0000
Patch on referenced URL.

----

scp currently implements local-to-local copy by constructing a command line
using 'cp' in a string and then using system(). It has the problem that the
file name is exposed twice to shell expansion. The file name could contain
characters which need quoting, like $ or spaces. This second expansion must be
avoided.

Steps to Reproduce:
1.touch foo\ bar
2.mkdir somedir
3.scp foo\ bar somedir

Actual results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory

This can even be a security issue, although with a fairly low severity:
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`
bress@link:/tmp/josh% scp * a
cp: omitting directory `a'
cp: missing destination file
Try `cp --help' for more information.
zsh: exit 1     scp * a
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:52 feh
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`

Proposed solution: replace system() with fork+exec()
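
The bug described in the report above, as an added example that is not OpenSSH's or scp's own code: the command-string-plus-system() pattern beside the fork+exec replacement the report proposes, both run on the report's `touch feh` file name inside a scratch directory. It assumes a POSIX system with cp, touch and sh on PATH and a writable /tmp; the exact "exec cp ..." string, the function names and the scratch layout are illustrative, not taken from scp.

```c
/* Added example, not OpenSSH's code: the scp local-to-local copy bug
 * described above and the fork+exec fix.  Assumes a POSIX system with
 * cp, touch and sh on PATH and a writable /tmp. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Vulnerable pattern: the names are pasted into a command string that
 * system() hands to /bin/sh.  The user's shell already expanded the
 * command line once ("scp foo\ bar somedir" gives argv "foo bar"); this
 * second pass splits on the space and runs anything in backquotes. */
const char *vulnerable_cmd(const char *src, const char *dst)
{
    static char buf[512];
    snprintf(buf, sizeof buf, "exec cp %s %s", src, dst);
    return buf;
}

/* Fixed pattern: build argv and exec cp directly, so no shell ever sees
 * the names.  "--" keeps a name starting with '-' from being parsed as
 * an option.  Returns cp's exit status, or -1 on fork/exec/wait failure. */
int safe_local_copy(const char *src, const char *dst, int recursive)
{
    char *argv[6];
    int n = 0, status;
    argv[n++] = "cp";
    if (recursive)
        argv[n++] = "-r";
    argv[n++] = "--";
    argv[n++] = (char *)src;
    argv[n++] = (char *)dst;
    argv[n] = NULL;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);             /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Scratch directory laid out like the report: a directory "a" and an
 * empty file literally named `touch feh`.  Enters it, saving the old cwd. */
static const char *EVIL_NAME = "`touch feh`";

static int enter_scratch(char *saved, size_t n, char *dir)
{
    if (!getcwd(saved, n))
        return 0;
    strcpy(dir, "/tmp/scp-demo-XXXXXX");
    if (!mkdtemp(dir) || chdir(dir) < 0)
        return 0;
    int fd = open(EVIL_NAME, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return 0;
    close(fd);
    return mkdir("a", 0755) == 0;
}

static void leave_scratch(const char *saved, const char *dir)
{
    char p[64];
    snprintf(p, sizeof p, "a/%s", EVIL_NAME);
    unlink(p); unlink("feh"); unlink(EVIL_NAME); rmdir("a");
    if (chdir(saved) == 0)
        rmdir(dir);
}

static int exists(const char *p) { struct stat st; return stat(p, &st) == 0; }

/* Runs the report's "scp `touch feh` a" through either path and returns a
 * bitmask: 1 if the injected touch ran ("feh" appeared), 2 if the file was
 * copied to a/`touch feh` under its literal name; -1 on setup error. */
int demo(int fixed)
{
    char saved[4096], dir[64], copied[64];
    if (!enter_scratch(saved, sizeof saved, dir))
        return -1;
    if (fixed)
        safe_local_copy(EVIL_NAME, "a", 0);
    else
        system(vulnerable_cmd(EVIL_NAME, "a"));  /* sh runs touch; cp: missing destination file */
    snprintf(copied, sizeof copied, "a/%s", EVIL_NAME);
    int result = (exists("feh") ? 1 : 0) | (exists(copied) ? 2 : 0);
    leave_scratch(saved, dir);
    return result;
}
```

With the system() path, demo(0) yields 1: the shell executed the backquoted touch and cp itself failed exactly as in the report's transcript. With fork+exec, demo(1) yields 2: the file is copied under its literal name and nothing else runs. Quoting the names before system() would be the tempting half-fix; passing an argv avoids having to get quoting right for every shell the name could reach.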

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-01-16 23:29:45 0000 -------
AFAIR dropbear uses the same code for scp, vapier please advise.

------- Comment #2 From Thierry Carrez (RETIRED) 2006-01-18 06:48:21 0000 -------
Not sure this should be considered a bug. Sounds like a feature to me.

------- Comment #3 From solar 2006-01-18 06:51:58 0000 -------
(In reply to comment #2)
> Not sure this should be considered a bug. Sounds like a feature to me.

This sounds like a feature to me also. I'd say we should wait on upstream and
see if they move on it.

------- Comment #4 From SpanKY 2006-01-18 06:58:05 0000 -------
user isn't reporting that expansion is bad, he's reporting that it gets expanded
twice ... which looks like a bug to me

------- Comment #5 From Thierry Carrez (RETIRED) 2006-01-18 07:14:16 0000 -------
OK, I'll rephrase. That doesn't sound like a vulnerability to me. More a buggy
feature. Quoting Solar Designer: "Anyone passing untrusted input onto scp's
command line is asking for trouble."

------- Comment #6 From Thierry Carrez (RETIRED) 2006-01-18 07:16:10 0000 -------
Also from vendor-sec, it appears to be the OpenSSH project position as well :
not a vulnerability and scp can't be fixed.

------- Comment #7 From Rajiv Aaron Manglani 2006-01-24 21:52:39 0000 -------
Secunia Advisory: SA18579

TITLE:
OpenSSH scp Command Line Shell Command Injection

SECUNIA ADVISORY ID:
SA18579

RELEASE DATE:
2006-01-24

VERIFY ADVISORY:
http://secunia.com/advisories/18579/

CRITICAL:
Not critical

WHERE:
Local system

IMPACT:
Privilege escalation

SOFTWARE:
OpenSSH 3.x
OpenSSH 4.x

DESCRIPTION:
Josh Bressers has reported a weakness in OpenSSH, which potentially can be
exploited by malicious, local users to perform certain actions with escalated
privileges.

The weakness is caused due to the insecure use of the "system()" function in
scp when performing copy operations using filenames that are supplied by the
user from the command line. This can be exploited to execute shell commands
with privileges of the user running scp.

Successful exploitation requires that the user is e.g. tricked into using scp
to copy a file with a specially crafted filename.

The weakness has been confirmed in version 4.2p1. Other versions may also be
affected.

SOLUTION:
Do not use scp to copy files containing potentially malicious filenames.

Some Linux vendors have issued updated packages.

REPORTED BY CREDITS:
Josh Bressers

ORIGINAL ADVISORY:
Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026

------- Comment #8 From Rajiv Aaron Manglani 2006-01-24 21:53:51 0000 -------
fyi fedora patched their openssh:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-01-25 13:22:30 0000 -------
base-system please advise.

------- Comment #10 From SpanKY 2006-01-25 14:38:41 0000 -------
As I said on IRC, I think it's safe to just wait for upstream to either accept
or reject the change

------- Comment #11 From SpanKY 2006-01-31 19:27:31 0000 -------
openssh 4.2p1-r1 in portage with patch from upstream cvs

------- Comment #12 From Sune Kloppenborg Jeppesen 2006-02-01 01:49:33 0000 -------
vapier, what about dropbear? afair it uses the same code for scp.

------- Comment #13 From SpanKY 2006-02-01 17:24:49 0000 -------
tweaked the patch to work with dropbear and added 0.47-r1

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-02-01 22:46:00 0000 -------
Arches please test and mark stable.

------- Comment #15 From Simon Stelling (RETIRED) 2006-02-02 04:37:57 0000 -------
glad this got fixed, finally I can use bash completion again when scp'ing my
mp3s from one box to another ;)

amd64 stable

------- Comment #16 From Gustavo Zacarias (RETIRED) 2006-02-02 09:45:20 0000 -------
sparc'em.

------- Comment #17 From Mark Loeser 2006-02-02 11:24:46 0000 -------
x86 done

------- Comment #18 From René Nussbaumer 2006-02-02 13:32:35 0000 -------
Stable on hppa

------- Comment #19 From Jose Luis Rivero (yoswink) 2006-02-02 17:35:51 0000 -------
both stable on alpha.

------- Comment #20 From Tobias Scherbaum 2006-02-03 10:23:54 0000 -------
dropbear marked ppc stable

------- Comment #21 From Stefan Cornelius (RETIRED) 2006-02-03 10:51:59 0000 -------
ready for glsa vote, i say yes.

------- Comment #22 From Markus Rothe 2006-02-03 11:14:50 0000 -------
stable on ppc64

------- Comment #23 From Sune Kloppenborg Jeppesen 2006-02-03 11:27:32 0000 -------
I tend to vote YES.

------- Comment #24 From Wolf Giesen (RETIRED) 2006-02-13 04:00:39 0000 -------
It seems the "scponly" package is also affected (no wonder) ... somebody care
to comment?

------- Comment #25 From Tavis Ormandy (RETIRED) 2006-02-13 07:16:28 0000 -------
Matsuu, you seem to be scponly maintainer, any comment regarding comment #24 ?

------- Comment #26 From Joshua Kinard 2006-02-19 11:13:43 0000 -------
mips stable on openssh & dropbear.

------- Comment #27 From Thierry Carrez (RETIRED) 2006-02-20 12:01:14 0000 -------
scponly looks OK to me. In all cases it would be a different bug/CVE since the
codebases are quite different. Please submit any evidence into a new bug.

Ready for GLSA

------- Comment #28 From Thierry Carrez (RETIRED) 2006-02-20 12:55:01 0000 -------
GLSA 200602-11
