Bug 142399 - app-shells/rssh-2.3.0 - access restrictions bypass (CVE-2006-1320)
Bug#: 142399 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-shells/rssh-2.3.0 - access restrictions bypass (CVE-2006-1320)
Keywords:  
Status Whiteboard: B4? [noglsa] jaervosz
Opened: 2006-08-01 03:06 0000
Description:   Opened: 2006-08-01 03:06 0000 
util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a block,
which causes a check for CVS to always succeed and allows rsync and rdist to
bypass intended access restrictions in rssh.conf.



It's not clear to me why there's the "in Debian" stanza. The problem is not
Debian specific. Version 2.3.2 is fine.


These are the problematic loc:

--- rssh-2.3.0/util.c.orig      2005-11-27 09:01:52.000000000 -0800
+++ rssh-2.3.0/util.c   2006-01-06 16:23:04.000000000 -0800
@@ -209,13 +209,14 @@
                return PATH_SCP;
        }

-       if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
+       if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
                if ( opt_exist(cl, 'e') ){
                        fprintf(stderr, "\ninsecure -e option not allowed.");
                        log_msg("insecure -e option in cvs command line!");
                        return NULL;
                }
                return PATH_CVS;
+       }

        if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
                /* filter -P option */

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-08-01 07:10:01 0000 ------- 
Mike please advise.

------- Comment #2 From Carsten Lohrke 2006-08-01 17:37:49 0000 ------- 
Interesting that you mark this as minor, Sune. I'd say it's not a light issue
and the corresponding Debian bug

------- Comment #3 From Carsten Lohrke 2006-08-01 17:37:49 0000 ------- 
Interesting that you mark this as minor, Sune. I'd say it's not a light issue
and the corresponding Debian bugĀ¹ is even classified grave.


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346322

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-08-02 00:46:53 0000 ------- 
I'm not too familiar with rssh and not sure what can actually be accomplished
with this access restriction bypass. The upstream Changelog just states:

2.3.1

 - fixed stupid bug that caused rssh not to allow rsync and rdist

Secunia says:

Note: The vulnerability was fixed in version 2.3.0, but it contains a bug in
the "check_command_line()" function in util.c, which may cause "/usr/bin/cvs"
to be run instead of rsync and rdist.

Carlo, can you elaborate?

------- Comment #5 From Thierry Carrez (RETIRED) 2006-08-02 06:36:36 0000 ------- 
Just a note : Debian security bugs are all "grave" at a minimum

We range ours from trivial to blocker, that doesn't mean they aren't security
issues that need more urgent care than (any?) other bugs, that's why we assign
them to a team of annoying bastards that hunt maintainers down. The alternative
is to call them all "blocker" and assign them to maintainers directly (which is
how Debian handles it).

------- Comment #6 From SpanKY 2006-08-04 20:16:23 0000 ------- 
upstream says this prevents use of rsync/rdist:
Missing brackets in one function prevented the use of rsync and rdist, ...

but there's no reason for 2.3.2 to not go stable ... there's apparently many
known bugs in 2.3.0

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-08-05 00:20:33 0000 ------- 
Arches please test and mark 2.3.2 stable.

------- Comment #8 From Andrej Kacian (RETIRED) 2006-08-05 00:56:03 0000 ------- 
x86 stable

------- Comment #9 From Michael Hanselmann (hansmi) (RETIRED) 2006-08-05 02:40:07 0000 ------- 
Stable on ppc.

------- Comment #10 From Jason Wever (RETIRED) 2006-08-06 09:51:18 0000 ------- 
Like a SPARC

OOOOOOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHH LIKE A SPARC

------- Comment #11 From Raphael Marichez 2006-08-08 04:35:37 0000 ------- 
mmm, time to vote


well i think it does not merit a glsa.

------- Comment #12 From Wolf Giesen (RETIRED) 2006-08-08 04:44:34 0000 ------- 
I have to abstain. I don't really get the impact.

------- Comment #13 From Sune Kloppenborg Jeppesen 2006-08-08 05:11:46 0000 ------- 
@comment #11 Bypass of access restrictions :-)

I tend to vote NO as well.

------- Comment #14 From Thierry Carrez (RETIRED) 2006-08-10 12:30:18 0000 ------- 
No Debian advisory on this one. Voting no and closing.