215702 – (CVE-2008-1657) net-misc/openssh <4.7_p1-r6 rc execution overrides ForceCommand restriction (CVE-2008-1657)

Bug 215702 (CVE-2008-1657) - net-misc/openssh <4.7_p1-r6 rc execution overrides ForceCommand restriction (CVE-2008-1657)

Summary: net-misc/openssh <4.7_p1-r6 rc execution overrides ForceCommand restriction (...

Status:	RESOLVED FIXED

Alias:	CVE-2008-1657

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/29602/
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-04-01 13:55 UTC by Robert Buchholz (RETIRED)
Modified:	2020-04-08 21:46 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-04-01 13:55:10 UTC

Secunia:
A weakness has been reported in OpenSSH, which can be exploited by
malicious, local users to bypass certain security restrictions.

The weakness is caused due to the improper implementation of the
"ForceCommand" directive. This can be exploited to execute arbitrary
commands via the ~/.ssh/rc file even if a "ForceCommand" directive is
in effect.

The weakness is reported in versions prior to 4.9 and 4.9p1.

SOLUTION:
Update to version 4.9 or 4.9p1.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://marc.info/?l=openssh-unix-dev&m=120692745026265&w=2

Comment 1 SpanKY gentoo-dev

2008-04-01 15:38:56 UTC

if we could get a small diff for 4.7_p1, that would be best ...

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2008-04-01 16:04:31 UTC

The patch is here: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/001_openssh.patch

Comment 3 SpanKY gentoo-dev

2008-04-01 18:43:15 UTC

openssh-4.7_p1-r6 in the tree then with that one fix, thanks

openssh-4.9_p1 is also in the tree, but it's missing updated patches, so stabilizing that version would just make users'/admins' lives painful

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2008-04-01 19:21:00 UTC

Arches, please test and mark stable:
=net-misc/openssh-4.7_p1-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2008-04-01 22:53:36 UTC

x86 stable

Comment 6 Richard Freeman gentoo-dev

2008-04-02 00:41:49 UTC

amd64 stable

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2008-04-02 11:44:55 UTC

alpha/ia64/sparc stable

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2008-04-02 15:52:35 UTC

ppc64 stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2008-04-02 16:04:56 UTC

Stable for HPPA.

Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev

2008-04-03 16:55:24 UTC

ppc stable

Comment 11 Robert Buchholz (RETIRED) gentoo-dev

2008-04-03 22:39:54 UTC

request has been filed

Comment 12 Peter Volkov (RETIRED) gentoo-dev

2008-04-04 05:01:21 UTC

Fixed in release snapshot.

Comment 13 Robert Buchholz (RETIRED) gentoo-dev

2008-04-05 12:53:53 UTC

GLSA 200804-03

Comment 14 Robert Buchholz (RETIRED) gentoo-dev

2008-04-05 12:55:16 UTC

Fixed for ~arch in 5.0_p1