From an email posted by the author of rssh to the bugtraq mailing list:

<quote>
Henrik Erkkonen has discovered that, through clever manipulation of environment variables on the ssh command line, it is possible to circumvent rssh. As far as I can tell, there is no way to effect a root compromise, except of course if the root account is the one you're attempting to protect with rssh...

This project is old, and I have no interest in continuing to maintain it. I looked for easy solutions to the problem, but in discussing them with Henrik, none that we found satisfactorily addresses the problem. Fixing this properly will require more work than I want to put into it.

Note in particular that the AcceptEnv sshd configuration option need not be turned on for this exploit to work.
</quote>

As this project is no longer actively maintained, the best course of action may be to drop app-shells/rssh and sec-policy/selinux-rssh from portage.
Here's the link to the mailing list archive's copy of the email to which I referred. The message begins about halfway down the page, below the gratuitous calendars. http://sourceforge.net/mailarchive/forum.php?forum_name=rssh-discuss&max_rows=25&style=nested&viewmonth=201205
Thanks for the bug, erik. Without an upstream, I suggest this be treecleaned.
I agree
Update: the upstream developer states [1] that he has a patch for this issue he will publish later in the week (of course we do not know if he is willing to fix other issues, should they arise, and I guess we don't have anyone looking to maintain this). [1] http://www.securityfocus.com/archive/1/522716/30/0/
Created attachment 315111: patch to 2.3.4

The developer issued a patch that fixes the security problem. I attach an updated ebuild and the corresponding patch. My ebuild skills are minimal, so errors are to be expected. For my arch (~amd64) it seems to be working though.

The patch can also be found at rssh's mailing list (last message, hit "Message as HTML"): http://sourceforge.net/mailarchive/forum.php?thread_name=20120605185223.GI17652%40dragontoe.org&forum_name=rssh-discuss
Created attachment 315113: rssh 2.3.3-r1
I would still treeclean, as this hasn't had any other fixes upstream for a long time and is poorly maintained (the upstream maintainer stated he won't maintain it any more); also, it looks like nobody is willing to maintain it downstream.
I can't really argue with your reasoning. For dialog's sake only, I'll say that it is an application made for a specific purpose (restrict ssh access) and it does it well, so no new features are needed. Also it has very few upstream bug reports, two I think for the last 6 years, both fixed. The only mildly good excuse to keep it I can find, is that it is mentioned by many online guides about "securing your server".
(In reply to comment #8)
> I can't really argue with your reasoning.
>
> For dialog's sake only, I'll say that it is an application made for a
> specific purpose (restrict ssh access) and it does it well, so no new
> features are needed. Also it has very few upstream bug reports, two I think
> for the last 6 years, both fixed.
>
> The only mildly good excuse to keep it I can find, is that it is mentioned
> by many online guides about "securing your server".

I don't mind keeping this in portage if a user wants to proxy maintain it until a serious bug pops up.
(In reply to comment #9)
> (In reply to comment #8)
> > I can't really argue with your reasoning.
> >
> > For dialog's sake only, I'll say that it is an application made for a
> > specific purpose (restrict ssh access) and it does it well, so no new
> > features are needed. Also it has very few upstream bug reports, two I think
> > for the last 6 years, both fixed.
> >
> > The only mildly good excuse to keep it I can find, is that it is mentioned
> > by many online guides about "securing your server".
>
> I don't mind keeping this in portage if a user wants to proxy maintain it
> until a serious bug pops up

+1
Ok then, I am willing to proxy maintain it for as long as upstream keeps it safe and the ebuild is within my skills. I just subscribed to rssh's mailing list to stay up to date with security announcements.
Thanks greatly. (From one lurker at least!) Regards, Martin
Ok we will save it. Please contact proxy-maint once the security patch is available and you have created a new ebuild
I have already attached the new ebuild and the security patch here. Should I do something more? The two files I attached are:

$PORTAGE/app-shells/rssh/rssh-2.3.3-r1.ebuild
$PORTAGE/app-shells/rssh/files/rssh.2.3.4.patch
Thanks. Bumped and old ebuilds removed
Thanks, Marios and Markos.

Arches, please test and mark stable:
=app-shells/rssh-2.3.3-r1
Target KEYWORDS="amd64 ppc sparc x86"
x86 stable
amd64 stable
Please move to -r2. Marios sent me a new ebuild with minor fixes. I already marked it stable for amd64/x86.

Arches, please test and mark stable:
=app-shells/rssh-2.3.3-r2
Target KEYWORDS="ppc sparc"
sparc keywords dropped
ppc stable.
Thanks, folks. GLSA request filed.
CVE-2012-3478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3478): rssh 2.3.3 and earlier allows local users to bypass intended restricted shell access via crafted environment variables in the command line.
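An added audit helper, not part of this bug thread and not code from the rssh project: it decides whether an installed rssh version string falls in the affected range the CVE entry above gives (2.3.3 and earlier), treating the Gentoo revisions 2.3.3-r1 and 2.3.3-r2 that this thread marks stable as patched, and lists the accounts in a passwd file whose login shell is rssh, since those are the accounts whose restriction the bypass defeats. The passwd content embedded below is constructed sample data; the revision cut-off is taken from this thread, and the assumption that any 2.3.3 revision at or above -r1 carries the patch is the script's own.

```python
import re

# Affected range per the NVD description quoted in this thread: 2.3.3 and earlier.
LAST_AFFECTED_UPSTREAM = (2, 3, 3)
# Gentoo shipped the upstream fix as a patch on top of 2.3.3, first in -r1
# (then -r2), as this thread records. Assumption: every 2.3.3-rN with N >= 1
# carries that patch; versions below 2.3.3 are treated as affected regardless
# of revision, because the thread says nothing about patched older revisions.
FIRST_FIXED_GENTOO_REVISION = 1

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

# Constructed sample passwd content (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:1001:1001::/home/backup:/usr/bin/rssh
www:x:1002:1002::/home/www:/bin/false
# comment lines and blank lines are ignored

mirror:x:1003:1003::/home/mirror:/usr/bin/rssh
"""


def parse_version(ver):
    """Split 'X.Y.Z[-rN]' into (tuple of ints, Gentoo revision as int).

    Raises ValueError for anything that does not look like a version string,
    so a typo in an inventory does not silently count as 'not affected'.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised rssh version string: {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return parts, rev


def is_affected(ver):
    """True if this rssh version is within the CVE-2012-3478 affected range."""
    parts, rev = parse_version(ver)
    # Pad short versions so "2.3" compares like "2.3.0".
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    if parts > LAST_AFFECTED_UPSTREAM:
        return False
    if parts == LAST_AFFECTED_UPSTREAM and rev >= FIRST_FIXED_GENTOO_REVISION:
        return False
    return True


def rssh_accounts(passwd_text):
    """Return login names whose shell is rssh (the accounts the bypass affects)."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess
        shell = fields[6].strip()
        if shell.rsplit("/", 1)[-1] == "rssh":
            names.append(fields[0])
    return names


def audit(ver, passwd_text):
    """Combine both checks into one report dict for an inventory script."""
    return {
        "version": ver.strip(),
        "affected": is_affected(ver),
        "rssh_accounts": rssh_accounts(passwd_text),
    }


if __name__ == "__main__":
    for v in ("2.3.2", "2.3.3", "2.3.3-r1", "2.3.3-r2", "2.3.4"):
        print(audit(v, SAMPLE_PASSWD))
```

On a real host the version string would come from the package manager and the passwd content from /etc/passwd; the report is only as good as that inventory, so an unparsable version deliberately raises instead of returning a clean result.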
This issue was resolved and addressed in GLSA 201311-19 at http://security.gentoo.org/glsa/glsa-201311-19.xml by GLSA coordinator Sergey Popov (pinkbyte).