from the advisory:
Two vulnerabilities have been reported in scponly, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to bypass certain security restrictions.
1) A design error in "scponlyc" allows it to be used with arbitrary chroot directories that local users create in their home directories. This can be exploited by malicious users to gain escalated privileges by creating a hardlink to a setuid root binary in their own chroot directory, configuring LD_PRELOAD to overload a call to setuid with a malicious function, and then using "scponlyc" with the malicious chroot directory.
Successful exploitation allows local privilege escalation but requires that the chrooted setuid "scponlyc" binary is installed, a user executable setuid binary exists on the same file system mount as the user's home directory, and the OS supports LD_PRELOAD.
2) An error exists in the validation of the user-supplied command line. This can be exploited to supply additional command line arguments to rsync or scp, potentially bypassing the restricted shell and allowing the execution of arbitrary programs.
Successful exploitation requires that scp and rsync compatibility is enabled.
The vulnerabilities have been reported in version 4.1 and prior.
Update to version 4.2.
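The two advisory items above boil down to two checks a restricted-shell wrapper can make before it calls chroot() or spawns scp/rsync. The following is an added example written for this thread, not scponly's own code: it walks a chroot path and refuses it unless every component is a root-owned directory that group and others cannot write (the same rule sshd applies to ChrootDirectory, so a directory created in a user's home fails at the home directory itself), and it validates an scp argument vector against an explicit allowlist of flags, expanding short-option clusters so an unlisted flag cannot hide inside one. The sample filesystem tree, the uid values, and the allowlist of scp flags (-t, -f, -r, -p, -d, -v) are assumptions chosen for illustration.

```python
import os
import stat
from typing import Callable, Dict, Iterable, Tuple

# Assumption: root is uid 0 on the system being checked.
ROOT_UID = 0


def check_chroot_path(path: str,
                      stat_fn: Callable[[str], os.stat_result] = os.lstat) -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed chroot directory.

    Every component from '/' down to `path` must be a directory (lstat is used,
    so a symlink component is refused), owned by root, and not writable by
    group or others. A user-created directory under $HOME fails this walk at
    the user-owned home directory, which is the case the advisory describes."""
    path = os.path.normpath(path)
    if not os.path.isabs(path):
        return False, "chroot path must be absolute"
    prefixes = [os.sep]
    for part in [p for p in path.split(os.sep) if p]:
        prefixes.append(os.path.join(prefixes[-1], part))
    for current in prefixes:
        try:
            st = stat_fn(current)
        except OSError as exc:
            return False, f"{current}: {exc}"
        if not stat.S_ISDIR(st.st_mode):
            return False, f"{current}: not a directory"
        if st.st_uid != ROOT_UID:
            return False, f"{current}: owned by uid {st.st_uid}, not root"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{current}: writable by group or others"
    return True, "ok"


# Constructed sample tree (path -> (uid, mode)) so the check runs offline:
# a root-owned chroot under /var, a user-created directory under a user-owned
# home, and a chroot whose parent is group-writable.
SAMPLE_TREE: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o40755),
    "/var": (0, 0o40755),
    "/var/chroot": (0, 0o40755),
    "/home": (0, 0o40755),
    "/home/alice": (1000, 0o40755),
    "/home/alice/jail": (1000, 0o40755),
    "/srv": (0, 0o40775),
    "/srv/jail": (0, 0o40755),
}


def stat_from_tree(tree: Dict[str, Tuple[int, int]]) -> Callable[[str], os.stat_result]:
    """Build a stat-like function over the constructed tree."""
    def stat_fn(p: str) -> os.stat_result:
        if p not in tree:
            raise FileNotFoundError(p)
        uid, mode = tree[p]
        # os.stat_result takes (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime)
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return stat_fn


# Assumption: the only scp options this wrapper permits on the spawned
# server-side command line. Anything else is refused outright.
SCP_ALLOWED_FLAGS = frozenset("tfrpdv")


def validate_scp_args(args: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for an scp argument vector.

    Arguments not starting with '-' are treated as paths (the chroot confines
    them). Long options are refused. Short-option clusters such as '-rp' are
    expanded character by character so every flag is checked individually."""
    for arg in args:
        if arg == "-" or not arg.startswith("-"):
            continue
        if arg.startswith("--"):
            return False, f"long option refused: {arg}"
        for flag in arg[1:]:
            if flag not in SCP_ALLOWED_FLAGS:
                return False, f"option refused: -{flag}"
    return True, "ok"


if __name__ == "__main__":
    fake_stat = stat_from_tree(SAMPLE_TREE)
    for candidate in ("/var/chroot", "/home/alice/jail", "/srv/jail"):
        print(candidate, check_chroot_path(candidate, fake_stat))
    for argv in (["-t", "-r", "incoming/"], ["-rq", "incoming/"], ["--server", "incoming/"]):
        print(argv, validate_scp_args(argv))
```

Against a real filesystem, call check_chroot_path with the default os.lstat; the walk refuses a chroot as soon as any ancestor is user-owned or group/other-writable, which also covers the "chroot dir writable by group/other" problem mentioned later in this thread.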
No official maintainer, grabbed 3 guys from changelog. Somebody please give this bug some love and provide updated ebuilds. Jeeves mentioned that this package is a candidate for removal - so if nobody reacts in time we might have to do that.
Come on, nobody wants to step up to fix this?
I'm afraid I only fixed a typo in $DESCRIPTION when I was tree-fixing ages ago, and I don't really have anything else to do with the package. It looks to me like matsuu's been doing all of the bumping.
Yeah! My personal hero of the day, kloeri, tries to provide a fixed ebuild, thanks.
Thanks kloeri, arches please test and mark stable
thank you guys for the fixed ebuild!
According to the developer, 4.3 will be released today because of some issues in 4.2 (I'm also suffering from this "chroot dir writable by group/other" discussed in the FreeBSD thread on the scponly list).
4.3 is released with stability fixorz, probably best to include that version and stabilize it rather than break people's systems by releasing the GLSA over 4.2 only...
kloeri: I know I'm asking a lot, but would you be so kind?
4.3 in cvs now. It's only a few lines changed but I yanked keywords back to ~arch anyway.
Now, let's see if there'll be a 4.4 with my getopt patch in a day or two :)
Created attachment 75668
getopt patch from 4.2 changed for 4.3
I've used the ebuild and changed the patch from 4.2. Without the patch it isn't possible to compile 4.3 (as with 4.2) because of getopt errors in helper.c.
scponly 4.3 works fine now and the users are able to login again.
Thx Kloeri for the swift response.
Arches please retest and mark stable.
x86/amd64: Last arch out should remove version 4.2 which is buggy, so that application of the "unaffected:>=4.2" GLSA rule picks up 4.3 properly...
thx in advance.
amd64 stable, the second
x86 stable, removed 4.2
Thx everyone!
GLSA 200512-17 is out.