Bug 699842 (CVE-2019-1000018, CVE-2019-3463, CVE-2019-3464) - app-shells/rssh: multiple vulnerabilities (CVE-2019-{3463,3464,1000018})
Summary: app-shells/rssh: multiple vulnerabilities (CVE-2019-{3463,3464,1000018})
Status: IN_PROGRESS
Alias: CVE-2019-1000018, CVE-2019-3463, CVE-2019-3464
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [ebuild+ cve]
Reported: 2019-11-11 16:59 UTC by GLSAMaker/CVETool Bot
Modified: 2020-05-19 20:22 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 16:59:48 UTC
CVE-2019-1000018 (https://nvd.nist.gov/vuln/detail/CVE-2019-1000018):
  rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special
  Elements used in a Command ('Command Injection') vulnerability in allowscp
  permission that can result in local command execution. This attack appears to
  be exploitable via an authorized SSH user with the allowscp permission.

CVE-2019-3464 (https://nvd.nist.gov/vuln/detail/CVE-2019-3464):
  Insufficient sanitization of environment variables passed to rsync can
  bypass the restrictions imposed by rssh, a restricted shell that should
  restrict users to perform only rsync operations, resulting in the execution
  of arbitrary shell commands.

CVE-2019-3463 (https://nvd.nist.gov/vuln/detail/CVE-2019-3463):
  Insufficient sanitization of arguments passed to rsync can bypass the
  restrictions imposed by rssh, a restricted shell that should restrict users
  to perform only rsync operations, resulting in the execution of arbitrary
  shell commands.
Comment 1 Sam James (sec padawan) 2020-03-25 01:57:38 UTC
@maintainer(s), please apply the patches, or the ones another distribution has used, and create a suitable ebuild.
Comment 2 Sam James (sec padawan) 2020-04-22 01:28:58 UTC
@maintainer(s): ping
Comment 3 Christoph Junghans gentoo-dev 2020-04-22 02:43:13 UTC
I haven't used it in years, let's just last rite it.
Comment 4 Sam James (sec padawan) 2020-04-22 11:37:47 UTC
(In reply to Christoph Junghans from comment #3)
> I haven't used it in years, let's just last rite it.

Sure. I was considering bumping it but I use OpenSSH's config to fulfil the purpose of this.. so..

CCing treecleaners.
Comment 5 Larry the Git Cow gentoo-dev 2020-05-19 20:22:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e00101ac084c702c716b10363ec55effb51bd28

commit 7e00101ac084c702c716b10363ec55effb51bd28
Author:     Christoph Junghans <junghans@gentoo.org>
AuthorDate: 2020-05-19 20:20:57 +0000
Commit:     Christoph Junghans <junghans@gentoo.org>
CommitDate: 2020-05-19 20:22:01 +0000

    profiles: Mask app-shells/rssh for removal
    
    Bug: https://bugs.gentoo.org/699842
    Signed-off-by: Christoph Junghans <junghans@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)