Bug 415255 (CVE-2012-3478) - <app-shells/rssh-2.3.3-r1 upstream reports circumvention; developer has ceased maintenance (CVE-2012-3478)
Status: RESOLVED FIXED
Alias: CVE-2012-3478
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal (priority), normal (severity)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]

Reported: 2012-05-09 15:59 UTC by erik falor
Modified: 2013-11-28 08:48 UTC
CC List: 3 users

Attachments:
patch to 2.3.4 (rssh.2.3.4.patch, 6.92 KB, text/plain), 2012-06-12 16:02 UTC, Marios Andreopoulos
rssh 2.3.3-r1 (rssh-2.3.3-r1.ebuild, 960 bytes, text/plain), 2012-06-12 16:03 UTC, Marios Andreopoulos

Description erik falor 2012-05-09 15:59:38 UTC
From an email posted by the author of rssh to the bugtraq mailing list:

<quote>
Henrik Erkkonen has discovered that, through clever manipulation of
environment variables on the ssh command line, it is possible to
circumvent rssh.  As far as I can tell, there is no way to effect a
root compromise, except of course if the root account is the one
you're attempting to protect with rssh...

This project is old, and I have no interest in continuing to maintain
it.  I looked for easy solutions to the problem, but in discussing
them with Henrik, none which we found satisfactorily address the
problem.  Fixing this properly will require more work than I want to
put into it.

Note in particular that the AcceptEnv sshd configuration option need not
be turned on for this exploit to work.
</quote>

As this project is no longer actively maintained, the best course of action may be to drop app-shells/rssh and sec-policy/selinux-rssh from portage.
Comment 1 erik falor 2012-05-09 16:03:05 UTC
Here's the link to the mailing list archive's copy of the email to which I referred.  The message begins about halfway down the page, below the gratuitous calendars.

http://sourceforge.net/mailarchive/forum.php?forum_name=rssh-discuss&max_rows=25&style=nested&viewmonth=201205
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-09 23:06:12 UTC
Thanks for the bug, erik. Without an upstream, I suggest this be treecleaned.
Comment 3 Pacho Ramos gentoo-dev 2012-05-10 09:16:20 UTC
I agree
Comment 4 Sean Amoss gentoo-dev Security 2012-05-16 00:47:40 UTC
Update: the upstream developer states [1] that he has a patch for this issue he will publish later in the week (of course we do not know if he is willing to fix other issues, should they arise, and I guess we don't have anyone looking to maintain this).

[1] http://www.securityfocus.com/archive/1/522716/30/0/
Comment 5 Marios Andreopoulos 2012-06-12 16:02:27 UTC
Created attachment 315111
patch to 2.3.4

The developer issued a patch that fixes the security problem.

I attach an updated ebuild and the corresponding patch. My ebuild skills are minimal, so errors are to be expected. For my arch (~amd64) it seems to be working though.

The patch can also be found at rssh's mailing list (last message, hit "Message as HTML"):
http://sourceforge.net/mailarchive/forum.php?thread_name=20120605185223.GI17652%40dragontoe.org&forum_name=rssh-discuss
Comment 6 Marios Andreopoulos 2012-06-12 16:03:18 UTC
Created attachment 315113
rssh 2.3.3-r1
Comment 7 Pacho Ramos gentoo-dev 2012-06-12 18:45:59 UTC
I would still treeclean, as this hasn't had any other fixes upstream for a long time and is poorly maintained (the upstream maintainer stated he won't maintain it any more); also, it looks like nobody is willing to maintain it downstream.
Comment 8 Marios Andreopoulos 2012-06-12 22:44:18 UTC
I can't really argue with your reasoning.

For dialog's sake only, I'll say that it is an application made for a specific purpose (restrict ssh access) and it does it well, so no new features are needed. Also it has very few upstream bug reports, two I think for the last 6 years, both fixed.

The only mildly good excuse to keep it I can find, is that it is mentioned by many online guides about "securing your server".
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2012-06-13 18:34:05 UTC
(In reply to comment #8)
> I can't really argue with your reasoning.
> 
> For dialog's sake only, I'll say that it is an application made for a
> specific purpose (restrict ssh access) and it does it well, so no new
> features are needed. Also it has very few upstream bug reports, two I think
> for the last 6 years, both fixed.
> 
> The only mildly good excuse to keep it I can find, is that it is mentioned
> by many online guides about "securing your server".

I don't mind keeping this in portage if a user wants to proxy maintain it until a serious bug pops up
Comment 10 Pacho Ramos gentoo-dev 2012-06-13 19:25:15 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > I can't really argue with your reasoning.
> > 
> > For dialog's sake only, I'll say that it is an application made for a
> > specific purpose (restrict ssh access) and it does it well, so no new
> > features are needed. Also it has very few upstream bug reports, two I think
> > for the last 6 years, both fixed.
> > 
> > The only mildly good excuse to keep it I can find, is that it is mentioned
> > by many online guides about "securing your server".
> 
> I don't mind keeping this in portage if a user wants to proxy maintain it
> until a serious bug pops up

+1
Comment 11 Marios Andreopoulos 2012-06-14 01:55:40 UTC
Ok then, I am willing to proxy maintain it for as long as upstream keeps it safe and the ebuild is within my skills.

I just subscribed to rssh's mailing list to stay up to date with security announcements.
Comment 12 Martin 2012-06-14 08:34:15 UTC
Thanks greatly.

(From one lurker at least!)

Regards,
Martin
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2012-06-16 09:58:40 UTC
OK, we will save it. Please contact proxy-maint once the security patch is available and you have created a new ebuild.
Comment 14 Marios Andreopoulos 2012-06-16 15:09:35 UTC
I have already attached the new ebuild and the security patch here. Should I do something more?

The two files I attached are:
$PORTAGE/app-shells/rssh/rssh-2.3.3-r1.ebuild
$PORTAGE/app-shells/rssh/files/rssh.2.3.4.patch
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2012-06-16 16:58:04 UTC
Thanks. Bumped and old ebuilds removed.
Comment 16 Sean Amoss gentoo-dev Security 2012-06-16 17:49:22 UTC
Thanks, Marios and Markos. 

Arches, please test and mark stable:
=app-shells/rssh-2.3.3-r1
Target KEYWORDS="amd64 ppc sparc x86"
Comment 17 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-06-17 05:51:37 UTC
x86 stable
Comment 18 Agostino Sarubbo gentoo-dev 2012-06-17 15:03:42 UTC
amd64 stable
Comment 19 Markos Chandras (RETIRED) gentoo-dev 2012-06-21 21:24:39 UTC
Please move to -r2. Marios sent me a new ebuild with minor fixes. I already marked it stable for amd64/x86.

Arches, please test and mark stable:
=app-shells/rssh-2.3.3-r2
Target KEYWORDS="ppc sparc"
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2012-07-15 16:59:41 UTC
sparc keywords dropped
Comment 21 Michael Weber (RETIRED) gentoo-dev 2012-08-22 14:18:35 UTC
ppc stable.
Comment 22 Tim Sammut (RETIRED) gentoo-dev 2012-08-24 14:16:49 UTC
Thanks, folks. GLSA request filed.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 11:55:25 UTC
CVE-2012-3478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3478):
  rssh 2.3.3 and earlier allows local users to bypass intended restricted
  shell access via crafted environment variables in the command line.
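The CVE text above only says that the bypass used "crafted environment variables in the command line"; neither the thread nor the attached patch spells out the mechanism. The following is an added example, written for this page and not rssh's own code nor the 2.3.4 patch, of the check a restricted-shell front end can apply to the command string sshd hands it (the `-c` argument to the login shell, the same text sshd exposes as SSH_ORIGINAL_COMMAND under a forced command). It assumes the vector is a leading NAME=value word that a real shell would export into the environment of the program that follows, and it uses a constructed allow list of program names, not rssh's configured set:

```python
import re
import shlex
from os.path import basename

# Constructed allow list for this example. rssh's own set of permitted
# helpers comes from rssh.conf and is not reproduced here.
ALLOWED_COMMANDS = frozenset({"scp", "sftp-server", "rsync", "cvs", "rdist"})

# A word shaped like a POSIX variable assignment: NAME=value.
_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Characters that only matter if the string ever reaches a real shell; a
# restricted shell that execs its helper directly has no reason to accept them.
_SHELL_META = frozenset(";|&$`<>\n")


def check_command(cmdline: str):
    """Decide whether a command line handed to the restricted shell may run.

    Returns (True, program) where program is the allow-listed name to run,
    or (False, reason). The caller is expected to exec its *own* configured
    path for that program, never the path supplied by the remote user.
    """
    if any(ch in _SHELL_META for ch in cmdline):
        return False, "shell metacharacter in command line"

    try:
        words = shlex.split(cmdline)
    except ValueError as exc:                 # e.g. unterminated quote
        return False, f"unparseable command line: {exc}"
    if not words:
        return False, "empty command"

    # Refuse any leading NAME=value word outright instead of skipping over
    # it: honouring it would let the caller set, say, LD_PRELOAD for the
    # helper (assumed here to be the CVE-2012-3478 vector). Assignments that
    # appear *after* the command word are ordinary arguments (a file named
    # 'a=b') and are left to the helper.
    if _ASSIGNMENT.match(words[0]):
        return False, f"environment assignment rejected: {words[0]!r}"

    program = basename(words[0])
    if program not in ALLOWED_COMMANDS:
        # Covers interactive shells and also 'env X=1 scp ...', since 'env'
        # is not on the list.
        return False, f"command not permitted: {words[0]!r}"
    return True, program


if __name__ == "__main__":
    # Constructed sample requests, as they would arrive from sshd.
    for req in ("scp -t /srv/upload",
                "LD_PRELOAD=/tmp/x.so scp -t /srv/upload",
                "env X=1 scp -t /srv/upload",
                "scp -t /srv/upload; sh",
                "bash -i"):
        print(f"{req!r:45} -> {check_command(req)}")
```

The metacharacter filter is deliberately coarse: a restricted shell has no legitimate reason to forward pipes or command separators to scp or sftp-server, so rejecting the whole request is safer than trying to quote them.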
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 08:48:41 UTC
This issue was resolved and addressed in
 GLSA 201311-19 at http://security.gentoo.org/glsa/glsa-201311-19.xml
by GLSA coordinator Sergey Popov (pinkbyte).