util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a block, which causes a check for CVS to always succeed and allows rsync and rdist to bypass intended access restrictions in rssh.conf.
It's not clear to me why there's the "in Debian" stanza. The problem is not Debian specific. Version 2.3.2 is fine. These are the problematic loc:
--- rssh-2.3.0/util.c.orig 2005-11-27 09:01:52.000000000 -0800 +++ rssh-2.3.0/util.c 2006-01-06 16:23:04.000000000 -0800 @@ -209,13 +209,14 @@ return PATH_SCP; } - if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ) + if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){ if ( opt_exist(cl, 'e') ){ fprintf(stderr, "\ninsecure -e option not allowed."); log_msg("insecure -e option in cvs command line!"); return NULL; } return PATH_CVS; + } if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){ /* filter -P option */
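Review bot: the fix is correct, and the placement of the added `+ }` after `return PATH_CVS;` is the important part: before the patch only the inner `if ( opt_exist(cl, 'e') ){ ... }` was bound to the outer `if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )`, so `return PATH_CVS;` executed for every command line that reached it, regardless of whether the cvs check passed; that is exactly how rsync and rdist invocations end up routed to the cvs path. The indentation of the old code hid this, while the rdist branch directly below already used braces, so the hunk brings the cvs branch in line with it. Suggest building with a misleading-indentation warning enabled (GCC's -Wmisleading-indentation) so a recurrence of this pattern is caught at compile time, and, as a minor point, the `fprintf(stderr, "\ninsecure -e option not allowed.");` message has no trailing newline.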
Mike please advise.
Interesting that you mark this as minor, Sune. I'd say it's not a light issue and the corresponding Debian bug¹ is even classified grave. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346322
I'm not too familiar with rssh and not sure what can actually be accomplished with this access restriction bypass. The upstream Changelog just states: 2.3.1 - fixed stupid bug that caused rssh not to allow rsync and rdist Secunia says: Note: The vulnerability was fixed in version 2.3.0, but it contains a bug in the "check_command_line()" function in util.c, which may cause "/usr/bin/cvs" to be run instead of rsync and rdist. Carlo, can you elaborate?
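To make the impact concrete, the following is an added C model of the dispatch logic, written for this thread and not taken from rssh's util.c. It keeps the shape of the 2.3.0 code (an `if` without braces, with `return PATH_CVS;` indented as though it were inside) beside the braced form from the patch, over a simplified `check_command()` and a stand-in for `opt_exist()`; the allow-flag names and the command strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow flags, standing in for rssh.conf's per-command allow settings. */
#define ALLOW_CVS   0x1u
#define ALLOW_RSYNC 0x2u
#define ALLOW_RDIST 0x4u

static const char PATH_CVS[]   = "/usr/bin/cvs";
static const char PATH_RSYNC[] = "/usr/bin/rsync";
static const char PATH_RDIST[] = "/usr/bin/rdist";

/* Last path component, e.g. "/usr/bin/cvs" -> "cvs". */
static const char *basename_of(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Simplified check_command(): the command line must start with the program
 * named by `path` as a whole word, and that program must be enabled in `allow`. */
static int check_command(const char *cl, unsigned allow, const char *path, unsigned flag) {
    const char *name = basename_of(path);
    size_t n = strlen(name);
    if (strncmp(cl, name, n) != 0) return 0;
    if (cl[n] != '\0' && cl[n] != ' ') return 0;
    return (allow & flag) != 0;
}

/* Stand-in for opt_exist(cl, 'e'): is "-e" present as a separate word? */
static int has_e_option(const char *cl) {
    const char *p = strstr(cl, " -e");
    return p != NULL && (p[3] == '\0' || p[3] == ' ');
}

/* 2.3.0 shape: without braces only the inner `if` belongs to the outer one,
 * so `return PATH_CVS;` is reached for every command line, whatever `allow` says. */
const char *select_command_buggy(const char *cl, unsigned allow) {
    if (check_command(cl, allow, PATH_CVS, ALLOW_CVS))
        if (has_e_option(cl)) {
            fprintf(stderr, "insecure -e option not allowed.\n");
            return NULL;
        }
        return PATH_CVS;   /* indentation lies: this is NOT inside the outer if */
    if (check_command(cl, allow, PATH_RSYNC, ALLOW_RSYNC)) return PATH_RSYNC;
    if (check_command(cl, allow, PATH_RDIST, ALLOW_RDIST)) return PATH_RDIST;
    return NULL;
}

/* Braced form from the patch: PATH_CVS is returned only when the cvs check passed. */
const char *select_command_fixed(const char *cl, unsigned allow) {
    if (check_command(cl, allow, PATH_CVS, ALLOW_CVS)) {
        if (has_e_option(cl)) {
            fprintf(stderr, "insecure -e option not allowed.\n");
            return NULL;
        }
        return PATH_CVS;
    }
    if (check_command(cl, allow, PATH_RSYNC, ALLOW_RSYNC)) return PATH_RSYNC;
    if (check_command(cl, allow, PATH_RDIST, ALLOW_RDIST)) return PATH_RDIST;
    return NULL;
}

static void show(const char *cl, unsigned allow) {
    const char *b = select_command_buggy(cl, allow);
    const char *f = select_command_fixed(cl, allow);
    printf("%-22s allow=0x%x  buggy=%-14s fixed=%s\n",
           cl, allow, b ? b : "(denied)", f ? f : "(denied)");
}

int main(void) {
    /* A config that only allows rsync: 2.3.0 hands the rsync request to cvs,
     * and even lets a plain "cvs" request through although cvs is not allowed. */
    show("rsync --server .", ALLOW_RSYNC);
    show("cvs server", ALLOW_RSYNC);
    /* With cvs allowed, both versions still reject the insecure -e option. */
    show("cvs -e vi server", ALLOW_CVS);
    return 0;
}
```

Run with `cc -Wall -Wmisleading-indentation` if your compiler supports the flag; the buggy function is exactly the pattern that warning exists to catch. The first two lines of output are the bug the report describes: a config that allows only rsync ends up executing /usr/bin/cvs, both for rsync requests and for cvs requests that the config never permitted.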
Just a note: Debian security bugs are all "grave" at a minimum. We range ours from trivial to blocker; that doesn't mean they aren't security issues that need more urgent care than (any?) other bugs, which is why we assign them to a team of annoying bastards that hunt maintainers down. The alternative is to call them all "blocker" and assign them to maintainers directly (which is how Debian handles it).
upstream says this prevents use of rsync/rdist: Missing brackets in one function prevented the use of rsync and rdist, ... but there's no reason for 2.3.2 to not go stable ... there's apparently many known bugs in 2.3.0
Arches please test and mark 2.3.2 stable.
x86 stable
Stable on ppc.
Like a SPARC OOOOOOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHH LIKE A SPARC
Mmm, time to vote. Well, I think it does not merit a GLSA.
I have to abstain. I don't really get the impact.
@comment #11 Bypass of access restrictions :-) I tend to vote NO as well.
No Debian advisory on this one. Voting no and closing.