Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 215702 (CVE-2008-1657)

Summary: net-misc/openssh <4.7_p1-r6 rc execution overrides ForceCommand restriction (CVE-2008-1657)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/29602/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 13:55:10 UTC 
Secunia:
A weakness has been reported in OpenSSH, which can be exploited by
malicious, local users to bypass certain security restrictions.

The weakness is caused due to the improper implementation of the
"ForceCommand" directive. This can be exploited to execute arbitrary
commands via the ~/.ssh/rc file even if a "ForceCommand" directive is
in effect.

The weakness is reported in versions prior to 4.9 and 4.9p1.

SOLUTION:
Update to version 4.9 or 4.9p1.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://marc.info/?l=openssh-unix-dev&m=120692745026265&w=2
Comment 1 SpanKY gentoo-dev 2008-04-01 15:38:56 UTC 
if we could get a small diff for 4.7_p1, that would be best ...
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 16:04:31 UTC 
The patch is here: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/001_openssh.patch
Comment 3 SpanKY gentoo-dev 2008-04-01 18:43:15 UTC 
openssh-4.7_p1-r6 in the tree then with that one fix, thanks

openssh-4.9_p1 is also in the tree, but it's missing updated patches, so stabilizing that version would just make users'/admins' lives painful
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 19:21:00 UTC 
Arches, please test and mark stable:
=net-misc/openssh-4.7_p1-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-04-01 22:53:36 UTC 
x86 stable
Comment 6 Richard Freeman gentoo-dev 2008-04-02 00:41:49 UTC 
amd64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-04-02 11:44:55 UTC 
alpha/ia64/sparc stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-04-02 15:52:35 UTC 
ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-02 16:04:56 UTC 
Stable for HPPA.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-03 16:55:24 UTC 
ppc stable
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-03 22:39:54 UTC 
request has been filed
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-04-04 05:01:21 UTC 
Fixed in release snapshot.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-04-05 12:53:53 UTC 
GLSA 200804-03
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-04-05 12:55:16 UTC 
Fixed for ~arch in 5.0_p1