CVE-2019-1000018 (https://nvd.nist.gov/vuln/detail/CVE-2019-1000018):
rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appears to be exploitable via an authorized SSH user with the allowscp permission.

CVE-2019-3464 (https://nvd.nist.gov/vuln/detail/CVE-2019-3464):
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.

CVE-2019-3463 (https://nvd.nist.gov/vuln/detail/CVE-2019-3463):
Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.

@maintainer(s), please apply the patches another distribution has used, and create a suitable ebuild.
@maintainer(s): ping
I haven't used it in years, let's just last ride it.
(In reply to Christoph Junghans from comment #3)
> I haven't used it in years, let's just last ride it.

Sure. I was considering bumping it but I use OpenSSH's config to fulfil the purpose of this.. so.. CCing treecleaners.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e00101ac084c702c716b10363ec55effb51bd28

commit 7e00101ac084c702c716b10363ec55effb51bd28
Author:     Christoph Junghans <junghans@gentoo.org>
AuthorDate: 2020-05-19 20:20:57 +0000
Commit:     Christoph Junghans <junghans@gentoo.org>
CommitDate: 2020-05-19 20:22:01 +0000

    profiles: Mask app-shells/rssh for removal

    Bug: https://bugs.gentoo.org/699842
    Signed-off-by: Christoph Junghans <junghans@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a710a9190556d70ad498474dd9594f534fbf4322

commit a710a9190556d70ad498474dd9594f534fbf4322
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 04:46:11 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 04:46:11 +0000

    app-shells/rssh: drop last-rited pkg

    Bug: https://bugs.gentoo.org/699842
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-shells/rssh/Manifest                           |  2 -
 .../rssh/files/rssh-2.3.4_p3-autotools.patch       | 33 ----------------
 app-shells/rssh/metadata.xml                       | 11 ------
 app-shells/rssh/rssh-2.3.4.ebuild                  | 37 -----------------
 app-shells/rssh/rssh-2.3.4_p3.ebuild               | 46 ----------------------
 profiles/package.mask                              |  5 ---
 6 files changed, 134 deletions(-)
glsa opened.
This issue was resolved and addressed in GLSA 202007-29 at https://security.gentoo.org/glsa/202007-29 by GLSA coordinator Sam James (sam_c).