| Summary: | <app-shells/rssh-2.3.3-r1 upstream reports circumvention; developer has ceased maintenance (CVE-2012-3478) |
|---|---|
| Product: | Gentoo Security |
| Component: | Vulnerabilities |
| Reporter: | erik falor <ewfalor> |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| Priority: | Normal |
| CC: | m_gentoobug, opensource, proxy-maint |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | B2 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | |

Description
erik falor
2012-05-09 15:59:38 UTC
Here's the link to the mailing list archive's copy of the email to which I referred. The message begins about halfway down the page, below the gratuitous calendars.

http://sourceforge.net/mailarchive/forum.php?forum_name=rssh-discuss&max_rows=25&style=nested&viewmonth=201205

Thanks for the bug, erik. Without an upstream, I suggest this be treecleaned.

I agree

Update: the upstream developer states [1] that he has a patch for this issue he will publish later in the week (of course we do not know if he is willing to fix other issues, should they arise, and I guess we don't have anyone looking to maintain this).

[1] http://www.securityfocus.com/archive/1/522716/30/0/

Created attachment 315111 [details]
patch to 2.3.4

The developer issued a patch that fixes the security problem. I attach an updated ebuild and the corresponding patch. My ebuild skills are minimal, so errors are to be expected. For my arch (~amd64) it seems to be working though.

The patch can also be found at rssh's mailing list (last message, hit "Message as HTML"):
http://sourceforge.net/mailarchive/forum.php?thread_name=20120605185223.GI17652%40dragontoe.org&forum_name=rssh-discuss

Created attachment 315113 [details]
rssh 2.3.3-r1

I would still treeclean as this doesn't have any other fixes upstream for a long time and is poorly maintained (upstream maintainer stated we won't maintain it any more), also, looks like nobody is willing to maintain it downstream

I can't really argue with your reasoning.

For dialog's sake only, I'll say that it is an application made for a specific purpose (restrict ssh access) and it does it well, so no new features are needed. Also it has very few upstream bug reports, two I think for the last 6 years, both fixed.

The only mildly good excuse to keep it I can find, is that it is mentioned by many online guides about "securing your server".

(In reply to comment #8)
> I can't really argue with your reasoning.
>
> For dialog's sake only, I'll say that it is an application made for a
> specific purpose (restrict ssh access) and it does it well, so no new
> features are needed. Also it has very few upstream bug reports, two I think
> for the last 6 years, both fixed.
>
> The only mildly good excuse to keep it I can find, is that it is mentioned
> by many online guides about "securing your server".

I don't mind keeping this in portage if a user wants to proxy maintain it until a serious bug pops up

(In reply to comment #9)
> (In reply to comment #8)
> > I can't really argue with your reasoning.
> >
> > For dialog's sake only, I'll say that it is an application made for a
> > specific purpose (restrict ssh access) and it does it well, so no new
> > features are needed. Also it has very few upstream bug reports, two I think
> > for the last 6 years, both fixed.
> >
> > The only mildly good excuse to keep it I can find, is that it is mentioned
> > by many online guides about "securing your server".
>
> I don't mind keeping this in portage if a user wants to proxy maintain it
> until a serious bug pops up

+1

Ok then, I am willing to proxy maintain it for as long as upstream keeps it safe and the ebuild is within my skills.

I just subscribed to rssh's mailing list to stay up to date with security announcements.

Thanks greatly. (From one lurker at least!)

Regards,
Martin

Ok we will save it. Please contact proxy-maint once the security patch is available and you have created a new ebuild

I have already attached the new ebuild and the security patch here. Should I do something more?

The two files I attached are:
$PORTAGE/app-shells/rssh/rssh-2.3.3-r1.ebuild
$PORTAGE/app-shells/rssh/files/rssh.2.3.4.patch

Thanks.

Bumped and old ebuilds removed

Thanks, Marios and Markos.

Arches, please test and mark stable:
=app-shells/rssh-2.3.3-r1
Target KEYWORDS="amd64 ppc sparc x86"

x86 stable

amd64 stable

Please move to -r2. Marios sent me a new ebuild with minor fixes. I already marked it stable for amd64/x86

Arches, please test and mark stable:
=app-shells/rssh-2.3.3-r2
Target KEYWORDS="ppc sparc"

sparc keywords dropped

ppc stable.

Thanks, folks. GLSA request filed.

CVE-2012-3478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3478):
rssh 2.3.3 and earlier allows local users to bypass intended restricted shell access via crafted environment variables in the command line.

This issue was resolved and addressed in GLSA 201311-19 at http://security.gentoo.org/glsa/glsa-201311-19.xml by GLSA coordinator Sergey Popov (pinkbyte).