Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 699842 (CVE-2019-1000018, CVE-2019-3463, CVE-2019-3464)

Summary: app-shells/rssh: multiple vulnerabilities (CVE-2019-{3463,3464,1000018})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: junghans, treecleaner
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 16:59:48 UTC
CVE-2019-1000018 (https://nvd.nist.gov/vuln/detail/CVE-2019-1000018):
  rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special
  Elements used in a Command ('Command Injection') vulnerability in allowscp
  permission that can result in Local command execution. This attack appear to
  be exploitable via An authorized SSH user with the allowscp permission.

CVE-2019-3464 (https://nvd.nist.gov/vuln/detail/CVE-2019-3464):
  Insufficient sanitization of environment variables passed to rsync can
  bypass the restrictions imposed by rssh, a restricted shell that should
  restrict users to perform only rsync operations, resulting in the execution
  of arbitrary shell commands.

CVE-2019-3463 (https://nvd.nist.gov/vuln/detail/CVE-2019-3463):
  Insufficient sanitization of arguments passed to rsync can bypass the
  restrictions imposed by rssh, a restricted shell that should restrict users
  to perform only rsync operations, resulting in the execution of arbitrary
  shell commands.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-25 01:57:38 UTC
@maintainer(s), please apply the patches or another distribution have used, and create a suitable ebuild.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 01:28:58 UTC
@maintainer(s): ping
Comment 3 Christoph Junghans (RETIRED) gentoo-dev 2020-04-22 02:43:13 UTC
I haven't used it in years, let's just last ride it.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 11:37:47 UTC
(In reply to Christoph Junghans from comment #3)
> I haven't used it in years, let's just last ride it.

Sure. I was considering bumping it but I use OpenSSH's config to fulfil the purpose of this.. so..

CCing treecleaners.
Comment 5 Larry the Git Cow gentoo-dev 2020-05-19 20:22:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e00101ac084c702c716b10363ec55effb51bd28

commit 7e00101ac084c702c716b10363ec55effb51bd28
Author:     Christoph Junghans <junghans@gentoo.org>
AuthorDate: 2020-05-19 20:20:57 +0000
Commit:     Christoph Junghans <junghans@gentoo.org>
CommitDate: 2020-05-19 20:22:01 +0000

    profiles: Mask app-shells/rssh for removal
    
    Bug: https://bugs.gentoo.org/699842
    Signed-off-by: Christoph Junghans <junghans@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2020-06-20 04:47:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a710a9190556d70ad498474dd9594f534fbf4322

commit a710a9190556d70ad498474dd9594f534fbf4322
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 04:46:11 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 04:46:11 +0000

    app-shells/rssh: drop last-rited pkg
    
    Bug: https://bugs.gentoo.org/699842
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-shells/rssh/Manifest                           |  2 -
 .../rssh/files/rssh-2.3.4_p3-autotools.patch       | 33 ----------------
 app-shells/rssh/metadata.xml                       | 11 ------
 app-shells/rssh/rssh-2.3.4.ebuild                  | 37 -----------------
 app-shells/rssh/rssh-2.3.4_p3.ebuild               | 46 ----------------------
 profiles/package.mask                              |  5 ---
 6 files changed, 134 deletions(-)
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2020-06-20 04:47:30 UTC
glsa opened.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:24:45 UTC
This issue was resolved and addressed in
 GLSA 202007-29 at https://security.gentoo.org/glsa/202007-29
by GLSA coordinator Sam James (sam_c).