
Bug 717794 (CVE-2019-7282, CVE-2019-7283)

Summary: <net-misc/netkit-rsh-0.17-r12: Access restrictions bypass (CVE-2019-{7282,7283})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, hlein, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920486
See Also: https://bugs.gentoo.org/show_bug.cgi?id=741456
https://github.com/gentoo/gentoo/pull/21380
Whiteboard: B4 [glsa? cve]
Package list:
Runtime testing required: ---
Bug Depends on: 810664    
Bug Blocks:    
Attachments:
Description Flags
Patch that needs adding to netkit-rsh-0.17-patches-3.tar.lzma none

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 04:36:44 UTC
CVE-2019-7282 (https://nvd.nist.gov/vuln/detail/CVE-2019-7282):
  In NetKit through 0.17, rcp.c in the rcp client allows remote rsh servers to
  bypass intended access restrictions via the filename of . or an empty
  filename. The impact is modifying the permissions of the target directory on
  the client side. This is similar to CVE-2018-20685.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 04:38:27 UTC
CVE-2019-7283 (https://nvd.nist.gov/vuln/detail/CVE-2019-7283):
  An issue was discovered in rcp in NetKit through 0.17. For an rcp operation,
  the server chooses which files/directories are sent to the client. However,
  the rcp client only performs cursory validation of the object name returned.
  A malicious rsh server (or Man-in-The-Middle attacker) can overwrite
  arbitrary files in a directory on the rcp client machine. This is similar to
  CVE-2019-6111.
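The name checks that the two CVE descriptions above point at, as an added C example (not the netkit-rsh or Debian patch). It assumes the conventional rcp control-record format `C<mode> <size> <name>\n` and a single-file, non-recursive copy; the function names and the policy in `accept_record` are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Reject what the CVE-2019-7282 text names (empty name, ".") plus ".." and
 * any '/', so the object can only land inside the target directory. */
static int name_is_safe(const char *name)
{
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Parse one control record "<C|D><octal mode> <size> <name>\n" (assumed
 * format). Returns 0 and copies the name into out, or -1 if malformed. */
static int parse_record(const char *rec, char *type, char *out, size_t outlen)
{
    char *end;
    size_t n;
    if ((rec[0] != 'C' && rec[0] != 'D') || rec[1] < '0' || rec[1] > '7')
        return -1;
    *type = rec[0];
    if (strtoul(rec + 1, &end, 8) > 07777 || *end != ' ')
        return -1;                      /* mode must be octal, then a space */
    rec = end + 1;
    if (*rec < '0' || *rec > '9')
        return -1;                      /* size must start with a digit */
    (void)strtoull(rec, &end, 10);
    if (*end != ' ')
        return -1;
    rec = end + 1;
    n = strcspn(rec, "\n");
    if (rec[n] != '\n' || n >= outlen)
        return -1;                      /* unterminated or over-long name */
    memcpy(out, rec, n);
    out[n] = '\0';
    return 0;
}

/* Hypothetical client policy for a single-file copy: accept only a 'C' record
 * whose name is safe AND equals the basename the client asked for, which is
 * the check the CVE-2019-7283 text says the client lacks. */
int accept_record(const char *rec, const char *requested)
{
    char type, name[256];
    if (parse_record(rec, &type, name, sizeof name) != 0)
        return 0;
    if (type != 'C' || !name_is_safe(name))
        return 0;
    return strcmp(name, requested) == 0;
}
```
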
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 18:56:40 UTC
Ping. Looks like there's patch(es) available?
Comment 3 Norman Back 2021-06-20 09:49:06 UTC
Created attachment 716940
Patch that needs adding to netkit-rsh-0.17-patches-3.tar.lzma

Patch that needs adding to netkit-rsh-0.17-patches-3.tar.lzma.
I created an update in my local repository as net-misc/netkit-rsh-0.17-r12, added the attached patch to netkit-rsh-0.17-patches-4.tar.lzma and tested OK.

I use netkit-rsh to do backups across my local network. rsh is quicker than ssh and greener.
Comment 4 Larry the Git Cow gentoo-dev 2021-06-25 00:31:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=231787a2484df850fe2299a25ef3e715c00c0358

commit 231787a2484df850fe2299a25ef3e715c00c0358
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2021-06-22 23:14:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-25 00:31:15 +0000

    net-misc/netkit-rsh: security fix, add myself as p-m
    
    This updates one of our existing patches with Debian's fix for
    CVE-2019-7282 and CVE-2019-7283. Minor other cleanups.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/717794
    Closes: https://bugs.gentoo.org/710960
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Sam James <sam@gentoo.org>

 .../netkit-rsh/files/patches/000_all_sectty.patch  |  32 +++
 .../netkit-rsh/files/patches/010_all_rexec.patch   |  55 +++++
 .../netkit-rsh/files/patches/020_all_stdarg.patch  |  43 ++++
 .../netkit-rsh/files/patches/030_all_jbj.patch     |  33 +++
 .../netkit-rsh/files/patches/040_all_jbj4.patch    |  14 ++
 .../netkit-rsh/files/patches/050_all_prompt.patch  |  37 +++
 .../files/patches/060_all_rlogin-rsh.patch         |  10 +
 .../netkit-rsh/files/patches/070_all_nokrb.patch   | 231 +++++++++++++++++++
 .../netkit-rsh/files/patches/080_all_jbj5.patch    |  29 +++
 .../files/patches/090_all_userandhost.patch        |  70 ++++++
 .../netkit-rsh/files/patches/100_all_strip.patch   |  66 ++++++
 .../netkit-rsh/files/patches/110_all_lfs.patch     |  25 ++
 .../netkit-rsh/files/patches/120_all_chdir.patch   |  57 +++++
 .../files/patches/130_all_pam-nologin.patch        |  14 ++
 .../files/patches/140_all_nohostcheck.patch        | 134 +++++++++++
 .../files/patches/150_all_rexec-netrc.patch        | 251 +++++++++++++++++++++
 .../files/patches/160_all_pam-sess.patch           |  12 +
 .../netkit-rsh/files/patches/170_all_errno.patch   |  51 +++++
 .../files/patches/180_all_rexec-sig.patch          |  17 ++
 .../netkit-rsh/files/patches/190_all_nohost.patch  |  63 ++++++
 .../netkit-rsh/files/patches/200_all_ignchld.patch |  22 ++
 .../files/patches/210_all_checkdir-r1.patch        |  23 ++
 .../netkit-rsh/files/patches/220_all_fbsd.patch    | 222 ++++++++++++++++++
 .../netkit-rsh/files/patches/230_all_MAX_ARG.patch |  96 ++++++++
 net-misc/netkit-rsh/metadata.xml                   |   9 +-
 net-misc/netkit-rsh/netkit-rsh-0.17-r12.ebuild     |  78 +++++++
 26 files changed, 1693 insertions(+), 1 deletion(-)
Comment 5 NATTkA bot gentoo-dev 2021-06-30 18:44:42 UTC
Unable to check for sanity:

> no match for package: net-misc/netkit-rsh-0.17-r12
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-30 18:50:31 UTC
Let's go ahead with stabilisation now.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-27 12:59:16 UTC
commit 27d615c67745d0569e92a7fe38acf8c8e378441e
Author: Sam James <sam@gentoo.org>
Date:   Wed Jun 30 19:38:58 2021 +0100

    net-misc/netkit-rsh: add missing libcrypt dependency

    Signed-off-by: Sam James <sam@gentoo.org>

 rename net-misc/netkit-rsh/{netkit-rsh-0.17-r11.ebuild => netkit-rsh-0.17-r13.ebuild} (97%)
 rename net-misc/netkit-rsh/{netkit-rsh-0.17-r12.ebuild => netkit-rsh-0.17-r14.ebuild} (98%)

So, seems like we should be stabilizing r14?
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-04 21:55:08 UTC
Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2021-10-17 20:39:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aaf273e56574bdea935812a6971cb837e4a4955d

commit aaf273e56574bdea935812a6971cb837e4a4955d
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-10-17 20:26:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-10-17 20:36:45 +0000

    net-misc/netkit-rsh: drop 0.17-r13
    
    Bug: https://bugs.gentoo.org/717794
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-misc/netkit-rsh/Manifest                   |  1 -
 net-misc/netkit-rsh/files/rexec.pamd-pambase   |  6 --
 net-misc/netkit-rsh/files/rexec.xinetd         | 12 ----
 net-misc/netkit-rsh/files/rlogin.pamd-pambase  |  9 ---
 net-misc/netkit-rsh/files/rlogin.xinetd        | 12 ----
 net-misc/netkit-rsh/files/rsh.pamd-pambase     | 11 ----
 net-misc/netkit-rsh/files/rsh.xinetd           | 12 ----
 net-misc/netkit-rsh/netkit-rsh-0.17-r13.ebuild | 78 --------------------------
 8 files changed, 141 deletions(-)
Comment 10 Hank Leininger 2022-12-04 00:31:22 UTC
Can this security bug be closed please?

The fix for this security bug was merged almost 1.5 years ago and the vulnerable version was removed over a year ago.

If a GLSA is needed, please let me know if I can help. I would think it'd be overkill/irrelevant at this point but I'm fine with whatever.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-05 00:58:14 UTC
Indeed, impact is low and much time has passed so no GLSA. All done.