
Bug 116526

Summary: net-misc/scponly: Privilege Escalation and Security Bypass Vulnerabilities
Product: Gentoo Security
Reporter: JG <jg>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/18223/
Whiteboard: C1? [glsa]
Package list:
Runtime testing required: ---
Attachments: getopt patch from 4.2 changed for 4.3 (Flags: none)

Description JG 2005-12-23 11:45:55 UTC
from the advisory:

Description:
Two vulnerabilities have been reported in scponly, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to bypass certain security restrictions.

1) A design error in "scponlyc" allows it to be used with arbitrary chroot directories that local users create in their home directories. This can be exploited by malicious users to gain escalated privileges by creating a hardlink to a setuid root binary in their own chroot directory, configuring LD_PRELOAD to overload a call to setuid with a malicious function, and then using "scponlyc" with the malicious chroot directory.

Successful exploitation allows local privilege escalation but requires that the chrooted setuid "scponlyc" binary is installed, a user executable setuid binary exists on the same file system mount as the user's home directory, and the OS supports LD_PRELOAD.

2) An error exists in the validation of user supplied command line. This can be exploited to supply additional command line arguments to rsync or scp, potentially bypassing the restricted shell and allowing the execution of arbitrary programs.

Successful exploitation requires that scp and rsync compatibility is enabled.

The vulnerabilities have been reported in version 4.1 and prior.

Solution:
Update to version 4.2.
http://sublimation.org/scponly/
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-23 11:56:39 UTC
No official maintainer, grabbed 3 guys from changelog. Somebody please give this bug some love and provide updated ebuilds. Jeeves mentioned that this package is a candidate for removal - so if nobody reacts in time we might have to do that.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-25 03:53:53 UTC
Come on, nobody wants to step up to fix this?
Comment 3 Tom Martin (RETIRED) gentoo-dev 2005-12-26 10:54:25 UTC
I'm afraid I only fixed a typo in $DESCRIPTION when I was tree-fixing ages ago, and I don't really have anything else to do with the package. It looks to me like matsuu's been doing all of the bumping.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-26 11:24:04 UTC
Yeah! My personal hero of the day, kloeri, tries to provide a fixed ebuild, thanks.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-26 13:45:32 UTC
Thanks kloeri, arches please test and mark stable
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2005-12-26 13:56:03 UTC
amd64 stable
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2005-12-26 18:26:14 UTC
x86 done
Comment 8 JG 2005-12-27 11:52:58 UTC
thank you guys for the fixed ebuild!

According to the developer, 4.3 will be released today because of some issues in 4.2 (I'm also suffering from this "chroot dir writable by group/other" discussed in the FreeBSD thread on the scponly list).
https://lists.ccs.neu.edu/pipermail/scponly/2005-December/001056.html

JG
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-12-28 00:33:49 UTC
4.3 is released with stability fixorz, probably best to include that version and stableize it rather than break people's systems by releasing the GLSA over 4.2 only...

kloeri: I know I'm asking a lot, but would you be so kind ?
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-28 02:04:19 UTC
4.3 in cvs now. It's only a few lines changed but I yanked keywords back to ~arch anyway.

Now, let's see if there'll be a 4.4 with my getopt patch in a day or two :)
Comment 11 Johannes Greil 2005-12-28 02:04:55 UTC
Created attachment 75668 [details, diff]
getopt patch from 4.2 changed for 4.3

I've used the ebuild and changed the patch from 4.2. Without the patch it isn't possible to compile 4.3 (as with 4.2) because of getopt errors in helper.c.
scponly 4.3 works fine now and the users are able to log in again.

JG
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-28 02:09:25 UTC
Thx Kloeri for the swift response.

Arches please retest and mark stable.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-12-28 02:24:09 UTC
x86/amd64: Last arch out should remove version 4.2 which is buggy, so that application of the "unaffected:>=4.2" GLSA rule picks up 4.3 properly...

thx in advance.
Comment 14 Simon Stelling (RETIRED) gentoo-dev 2005-12-28 07:51:09 UTC
amd64 stable, the second
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2005-12-28 13:59:23 UTC
x86 stable, removed 4.2
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-12-29 02:30:48 UTC
Thx everyone !
GLSA 200512-17 is out.