Bug#: 201726
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jakub Moc (RETIRED) <jakub@gentoo.org>

Description:   Opened: 2007-12-08 23:08 0000
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148 for details;
basically, these features can be misused by a user to gain undesired shell
access.

- We don't ship this w/ unison support
- subversion support is optional on USE=subversion
- rsync support is enabled by default in the ebuild.

Some of the insecure commands have been disabled in CVS, no release yet however,
plus it's unlikely it will ever cover all potential bypasses via these
features.

So:

- we can either make rsync support optional as well, change the use flag
descriptions in use.local.desc accordingly and point users to
http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?&view=markup for
info on security implications of those options

- or hard-disable the functionality

Opinions?

------- Comment #1 From Robert Buchholz 2007-12-09 22:36:22 0000 -------
Thanks for finding that one, Jakub.

The rsync&co functionality is broken by design.
I'd say:

1) Disable all of unison, svn and rsync by default, introduce (by default
disabled) use-flags and if those are enabled, ewarn about the issues and refer
people to the SECURITY file.

2) I'd also vote for the SECURITY file to be included in the ebuild.

3) Patches from the svn or latest release should get into an ebuild that goes
stable afterwards. 

Matsuu, please advise.

------- Comment #2 From MATSUU Takuto 2007-12-11 16:21:35 0000 -------
4.6-r3 in cvs. added rsync USE flag and added files/SECURITY.
I tried unsuccessfully to backport patches.

------- Comment #3 From MATSUU Takuto 2008-01-16 17:06:42 0000 -------
4.8 in cvs.

------- Comment #4 From Sune Kloppenborg Jeppesen 2008-01-16 19:03:21 0000 -------
Thx Matsuu. I presume it is fixed in 4.8 (their wiki seems out of date)?

Arches please test and mark stable. Target keywords are:

scponly-4.8.ebuild:KEYWORDS="amd64 ppc sparc x86"

------- Comment #5 From Christian Faulhammer 2008-01-17 08:33:55 0000 -------
x86 stable

------- Comment #6 From Tobias Scherbaum 2008-01-18 20:21:41 0000 -------
ppc stable

------- Comment #7 From Raúl Porcel 2008-01-21 11:15:22 0000 -------
sparc stable

------- Comment #8 From Peter Weller 2008-01-22 10:19:01 0000 -------
amd64 done.

------- Comment #9 From Sune Kloppenborg Jeppesen 2008-01-22 11:06:27 0000 -------
This one is ready for GLSA vote. I tend to vote NO.

------- Comment #10 From Robert Buchholz 2008-01-22 23:48:25 0000 -------
I think we should GLSA this together with 203099, and note the insecurities of
svn.

------- Comment #11 From Sune Kloppenborg Jeppesen 2008-01-23 09:02:45 0000 -------
Sounds like a good idea.

------- Comment #12 From Pierre-Yves Rofes 2008-02-12 21:08:41 0000 -------
GLSA 200802-06, sorry for the delay.
