| Summary: | app-shells/rssh-2.3.0 - access restrictions bypass (CVE-2006-1320) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | sgtphou |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4? [noglsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Carsten Lohrke (RETIRED)
2006-08-01 03:06:41 UTC
Mike please advise.

Interesting that you mark this as minor, Sune. I'd say it's not a light issue and the corresponding Debian bug¹ is even classified grave.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346322

I'm not too familiar with rssh and not sure what can actually be accomplished with this access restriction bypass. The upstream Changelog just states:

2.3.1 - fixed stupid bug that caused rssh not to allow rsync and rdist

Secunia says:

Note: The vulnerability was fixed in version 2.3.0, but it contains a bug in the "check_command_line()" function in util.c, which may cause "/usr/bin/cvs" to be run instead of rsync and rdist.

Carlo, can you elaborate?

Just a note: Debian security bugs are all "grave" at a minimum. We range ours from trivial to blocker; that doesn't mean they aren't security issues that need more urgent care than (any?) other bugs, that's why we assign them to a team of annoying bastards that hunt maintainers down. The alternative is to call them all "blocker" and assign them to maintainers directly (which is how Debian handles it).

Upstream says this prevents use of rsync/rdist:

Missing brackets in one function prevented the use of rsync and rdist, ...

but there's no reason for 2.3.2 to not go stable ... there's apparently many known bugs in 2.3.0

Arches please test and mark 2.3.2 stable.

x86 stable

Stable on ppc.

Like a SPARC OOOOOOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHH LIKE A SPARC

mmm, time to vote

Well, I think it does not merit a GLSA.

I have to abstain. I don't really get the impact.

@comment #11 Bypass of access restrictions :-)

I tend to vote NO as well. No Debian advisory on this one.

Voting no and closing.
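The thread quotes two symptoms of the 2.3.0 bug without showing the code: "missing brackets" in `check_command_line()` that "prevented the use of rsync and rdist", and Secunia's note that `/usr/bin/cvs` "may be run instead". The block below is an added illustration of how one brace error in a command-dispatch chain can produce exactly that pair of symptoms. It is constructed for this page, not rssh's util.c; the function names, the permission bits and the layout of the if/else chain are assumptions, and nothing here should be read as the actual rssh control flow.

```c
/* Constructed example (not rssh's code): a command dispatcher whose last
 * "else if" branch lacks braces. Function names, permission bits and the
 * chain layout are hypothetical; only the failure class matches the thread. */
#include <stdio.h>
#include <string.h>

/* Hypothetical per-user permission bits granted by the administrator. */
enum { ALLOW_RSYNC = 1, ALLOW_RDIST = 2, ALLOW_CVS = 4 };

static int audited;                                   /* how often the audit hook ran */
static void audit(const char *cmd) { (void)cmd; audited++; }

/* Buggy dispatcher. Without braces, only audit() belongs to the final
 * "else if"; the assignment to bin sits after the whole chain and runs
 * unconditionally. Result: rsync and rdist are never executed (their
 * choice is overwritten), and a command that matched nothing, or that the
 * user was not granted, still resolves to cvs. */
const char *pick_binary_buggy(const char *cmd, int allowed)
{
    const char *bin = NULL;

    if (strcmp(cmd, "rsync") == 0 && (allowed & ALLOW_RSYNC)) {
        bin = "/usr/bin/rsync";
    } else if (strcmp(cmd, "rdist") == 0 && (allowed & ALLOW_RDIST)) {
        bin = "/usr/bin/rdist";
    } else if (strcmp(cmd, "cvs") == 0 && (allowed & ALLOW_CVS))
        audit(cmd);
        bin = "/usr/bin/cvs";   /* not inside the else-if: always executes */

    return bin;
}

/* Fixed dispatcher: braces make both statements conditional, and a
 * request that matches no granted entry yields NULL (deny by default). */
const char *pick_binary_fixed(const char *cmd, int allowed)
{
    const char *bin = NULL;

    if (strcmp(cmd, "rsync") == 0 && (allowed & ALLOW_RSYNC)) {
        bin = "/usr/bin/rsync";
    } else if (strcmp(cmd, "rdist") == 0 && (allowed & ALLOW_RDIST)) {
        bin = "/usr/bin/rdist";
    } else if (strcmp(cmd, "cvs") == 0 && (allowed & ALLOW_CVS)) {
        audit(cmd);
        bin = "/usr/bin/cvs";
    }

    return bin;
}

int main(void)
{
    /* Constructed inputs: a user granted rsync and rdist but not cvs,
     * plus a command outside the allowlist entirely. */
    const char *cmds[] = { "rsync", "rdist", "cvs", "bash" };
    int allowed = ALLOW_RSYNC | ALLOW_RDIST;

    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        const char *b = pick_binary_buggy(cmds[i], allowed);
        const char *f = pick_binary_fixed(cmds[i], allowed);
        printf("%-6s buggy=%-15s fixed=%s\n", cmds[i],
               b ? b : "(denied)", f ? f : "(denied)");
    }
    return 0;
}
```

Two things to take from the run: the buggy chain makes every request collapse to the same binary, which is why "rsync and rdist stopped working" and "cvs runs instead" are one bug, not two; and the fixed chain returns NULL for anything not explicitly granted, which is the property a restricted shell has to preserve. Compiling with `-Wmisleading-indentation` (GCC/Clang) flags the buggy form, so enable it in builds of code of this kind.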