Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 116526 - net-misc/scponly: Privilege Escalation and Security Bypass Vulnerabilities
Summary: net-misc/scponly: Privilege Escalation and Security Bypass Vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: C1? [glsa]
Depends on:
Reported: 2005-12-23 11:45 UTC by JG
Modified: 2007-05-31 10:54 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

getopt patch from 4.2 changed for 4.3 (scponly-4.3-getopt.patch,592 bytes, patch)
2005-12-28 02:04 UTC, Johannes Greil
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description JG 2005-12-23 11:45:55 UTC
from the advisory:

Two vulnerabilities have been reported in scponly, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to bypass certain security restrictions.

1) A design error in "scponlyc" allows it to be used with arbitrary chroot directories that local users create in their home directories. This can be exploited by malicious users to gain escalated privileges by creating a hardlink to a setuid root binary in their own chroot directory, configuring LD_PRELOAD to overload a call to setuid with a malicious function, and then using "scponlyc" with the malicious chroot directory.

Successful exploitation allows local privilege escalation but requires that the chrooted setuid "scponlyc" binary is installed, a user executable setuid binary exists on the same file system mount as the user's home directory, and the OS supports LD_PRELOAD.

2) An error exists in the validation of user supplied command line. This can be exploited to supply additional command line arguments to rsync or scp, potentially bypassing the restricted shell and allowing the execution of arbitrary programs.

Successful exploitation requires that scp and rsync compatibility is enabled.

The vulnerabilities have been reported in version 4.1 and prior.

Update to version 4.2.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-23 11:56:39 UTC
No official maintainer, grabbed 3 guys from changelog. Somebody please give this bug some love and provide updated ebuilds. Jeeves mentioned that this package is a candidate for removal - so if nobody reacts in time we might have to do that.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-25 03:53:53 UTC
Come on, nobody wants to step up to fix this?
Comment 3 Tom Martin (RETIRED) gentoo-dev 2005-12-26 10:54:25 UTC
I'm afraid I only fixed a typo in $DESCRIPTION when I was tree-fixing ages ago, and I don't really have anything else to do with the package. It looks to me like matsuu's been doing all of the bumping.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-26 11:24:04 UTC
Yeah! My personal hero of the day, kloeri, tries to provide a fixed ebuild, thanks.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-26 13:45:32 UTC
Thanks kloeri, arches please test and mark stable
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2005-12-26 13:56:03 UTC
amd64 stable
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2005-12-26 18:26:14 UTC
x86 done
Comment 8 JG 2005-12-27 11:52:58 UTC
thank you guys for the fixed ebuild!

according to the developer, 4.3 will be released today because of some issues in 4.2 (i'm also suffering from this "chroot dir writable by group/other" discussed in the freebsd thread on the scponly list).

Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-12-28 00:33:49 UTC
4.3 is released with stability fixorz, probably best to include that version and stableize it rather than break people systems by releasing the GLSA over 4.2 only...

kloeri: I know I'm asking a lot, but would you be so kind ?
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-28 02:04:19 UTC
4.3 in cvs now. It's only a few lines changed but I yanked keywords back to ~arch anyway.

Now, lets see if there'll be a 4.4 with my getopt patch in a day or two :)
Comment 11 Johannes Greil 2005-12-28 02:04:55 UTC
Created attachment 75668 [details, diff]
getopt patch from 4.2 changed for 4.3

i've used the ebuild and the changed the patch from 4.2. without the patch it isn't possible to compile 4.3 (as with 4.2) because of getopt errors in helper.c
scponly 4.3 works fine now and the users are able to login again.

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-28 02:09:25 UTC
Thx Kloeri for the swift response.

Arches please retest and mark stable.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-12-28 02:24:09 UTC
x86/amd64: Last arch out should remove version 4.2 which is buggy, so that application of the "unaffected:>=4.2" GLSA rule picks up 4.3 properly...

thx in advance.
Comment 14 Simon Stelling (RETIRED) gentoo-dev 2005-12-28 07:51:09 UTC
amd64 stable, the second
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2005-12-28 13:59:23 UTC
x86 stable, removed 4.2
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-12-29 02:30:48 UTC
Thx everyone !
GLSA 200512-17 is out.