142399 2006-08-01 03:06 0000 app-shells/rssh-2.3.0 - access restrictions bypass (CVE-2006-1320) 2006-08-10 12:30:18 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B4? [noglsa] jaervosz P2 minor --- 1 carlo@gentoo.org security@gentoo.org sgtphou@fire-eyes.org carlo@gentoo.org 2006-08-01 03:06:41 0000 util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a block, which causes a check for CVS to always succeed and allows rsync and rdist to bypass intended access restrictions in rssh.conf. It's not clear to me why there's the "in Debian" stanza. The problem is not Debian specific. Version 2.3.2 is fine. These are the problematic loc: --- rssh-2.3.0/util.c.orig 2005-11-27 09:01:52.000000000 -0800 +++ rssh-2.3.0/util.c 2006-01-06 16:23:04.000000000 -0800 @@ -209,13 +209,14 @@ return PATH_SCP; } - if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ) + if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){ if ( opt_exist(cl, 'e') ){ fprintf(stderr, "\ninsecure -e option not allowed."); log_msg("insecure -e option in cvs command line!"); return NULL; } return PATH_CVS; + } if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){ /* filter -P option */ jaervosz@gentoo.org 2006-08-01 07:10:01 0000 Mike please advise. carlo@gentoo.org 2006-08-01 17:37:49 0000 Interesting that you mark this as minor, Sune. I'd say it's not a light issue and the corresponding Debian bug carlo@gentoo.org 2006-08-01 17:37:49 0000 Interesting that you mark this as minor, Sune. I'd say it's not a light issue and the corresponding Debian bugĀ¹ is even classified grave. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346322 jaervosz@gentoo.org 2006-08-02 00:46:53 0000 I'm not too familiar with rssh and not sure what can actually be accomplished with this access restriction bypass. The upstream Changelog just states: 2.3.1 - fixed stupid bug that caused rssh not to allow rsync and rdist Secunia says: Note: The vulnerability was fixed in version 2.3.0, but it contains a bug in the "check_command_line()" function in util.c, which may cause "/usr/bin/cvs" to be run instead of rsync and rdist. Carlo, can you elaborate? koon@gentoo.org 2006-08-02 06:36:36 0000 Just a note : Debian security bugs are all "grave" at a minimum We range ours from trivial to blocker, that doesn't mean they aren't security issues that need more urgent care than (any?) other bugs, that's why we assign them to a team of annoying bastards that hunt maintainers down. The alternative is to call them all "blocker" and assign them to maintainers directly (which is how Debian handles it). vapier@gentoo.org 2006-08-04 20:16:23 0000 upstream says this prevents use of rsync/rdist: Missing brackets in one function prevented the use of rsync and rdist, ... but there's no reason for 2.3.2 to not go stable ... there's apparently many known bugs in 2.3.0 jaervosz@gentoo.org 2006-08-05 00:20:33 0000 Arches please test and mark 2.3.2 stable. ticho@gentoo.org 2006-08-05 00:56:03 0000 x86 stable hansmi@gentoo.org 2006-08-05 02:40:07 0000 Stable on ppc. weeve@gentoo.org 2006-08-06 09:51:18 0000 Like a SPARC OOOOOOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHH LIKE A SPARC falco@gentoo.org 2006-08-08 04:35:37 0000 mmm, time to vote well i think it does not merit a glsa. frilled@gentoo.org 2006-08-08 04:44:34 0000 I have to abstain. I don't really get the impact. jaervosz@gentoo.org 2006-08-08 05:11:46 0000 @comment #11 Bypass of access restrictions :-) I tend to vote NO as well. koon@gentoo.org 2006-08-10 12:30:18 0000 No Debian advisory on this one. Voting no and closing.