Bug 733802 (CVE-2020-15778) - net-misc/openssh: Command injection via scp (CVE-2020-15778)
Summary: net-misc/openssh: Command injection via scp (CVE-2020-15778)
Status: UNCONFIRMED
Alias: CVE-2020-15778
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/cpandya2909/CVE-20...
Whiteboard: B1 [upstream]
Reported: 2020-07-24 17:55 UTC by John Helmert III (ajak)
Modified: 2020-12-09 16:23 UTC (History)
Description John Helmert III (ajak) gentoo-dev Security 2020-07-24 17:55:05 UTC
CVE-2020-15778:

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
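An added example, not part of this bug report or of OpenSSH's own code, that models the mechanism the CVE text describes. scp turns `scp file host:target` into a remote command of the form `scp -t target` and asks sshd to run it; sshd hands that string to the remote user's login shell, so anything the shell expands (backticks, `$(...)`) in the target is executed on the server. The function names below, the `sh` stand-in that shadows `scp` with a shell function printing its arguments, and the payload are all constructed for this example; `build_remote_command` is a simplification of the string scp.c builds in toremote() (the real code also inserts `--` when the target starts with `-`). The quoted variant is the kind of "fix" upstream declines to ship, and the usage note explains why.

```python
import shlex
import subprocess
from typing import List

# Stand-in for the remote "scp -t" sink: a shell function that prints the argv
# it was invoked with, one element per line, so any expansion is visible.
# Constructed for this example; the real remote side is OpenSSH's "scp -t".
SCP_STUB = 'scp() { printf "%s\\n" "$@"; }; '


def build_remote_command(target: str, cmd: str = "scp") -> str:
    """Build the command scp asks sshd to run for 'scp file host:target'.

    Mirrors the shape of the string OpenSSH's scp builds in toremote() (scp.c):
    the target is concatenated without quoting, so whatever the user typed after
    'host:' reaches the remote login shell verbatim. Simplified: the real code
    also inserts "--" when target starts with '-'.
    """
    return f"{cmd} -t {target}"


def build_remote_command_quoted(target: str, cmd: str = "scp") -> str:
    """Hardened variant: single-quote the target so the remote shell treats it
    as one literal word. This also disables remote expansion of ~, $HOME and
    globs, which is exactly the workflow breakage upstream warns about."""
    return f"{cmd} -t {shlex.quote(target)}"


def simulate_remote_shell(command: str) -> List[str]:
    """sshd runs a requested command as `$SHELL -c command` on the server.
    Here the local sh plays that role, with SCP_STUB shadowing scp."""
    proc = subprocess.run(
        ["sh", "-c", SCP_STUB + command],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.splitlines()


# Client-side heuristic a wrapper script might apply before calling scp.
# Deliberately conservative: '~', '$HOME' and '*' are left alone because
# users rely on the remote shell expanding them.
COMMAND_SUBSTITUTION = ("`", "$(")
COMMAND_SEPARATORS = (";", "|", "&", "\n")


def looks_like_injection(target: str) -> bool:
    """Flag targets containing command substitution or command separators."""
    return any(tok in target for tok in COMMAND_SUBSTITUTION + COMMAND_SEPARATORS)


if __name__ == "__main__":
    # Constructed payload: echo stands in for anything an attacker would run.
    target = "/tmp/`echo INJECTED`"
    print("vulnerable  :", build_remote_command(target))
    print("  remote sees:", simulate_remote_shell(build_remote_command(target)))
    print("quoted      :", build_remote_command_quoted(target))
    print("  remote sees:", simulate_remote_shell(build_remote_command_quoted(target)))
    print("flagged     :", looks_like_injection(target))
```

Run it and the unquoted command reaches the stand-in as `-t /tmp/INJECTED`: the backticks were evaluated by the shell before `scp -t` ever saw the path. The quoted command reaches it as the literal `/tmp/`echo INJECTED``. The same quoting also turns `host:~/backups` into a literal directory named `~`, which is why upstream treats client-side quoting or detection as a workflow break rather than a fix and points people at sftp-based transfer instead; `looks_like_injection` is only useful as a guard in automation where targets are never meant to contain shell syntax.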
Comment 1 John Helmert III (ajak) gentoo-dev Security 2020-07-24 17:56:14 UTC
Upstream's reply from $URL:

The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-24 21:12:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9c13abcdabcbde0e879fcff5b650216e8649ebb

commit b9c13abcdabcbde0e879fcff5b650216e8649ebb
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-24 21:10:03 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-24 21:10:11 +0000

    net-misc/openssh-8.3_p1-r3: Add default-off USE flag for scp (bug #733802)
    
    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/metadata.xml             |   1 +
 net-misc/openssh/openssh-8.3_p1-r3.ebuild | 498 ++++++++++++++++++++++++++++++
 2 files changed, 499 insertions(+)
Comment 3 Kevin Korb 2020-07-26 00:41:45 UTC
I am a big fan of rsync so this doesn't bother me a bit but I thought I would point out another alternative (that I don't actually use)...

PuTTY's pscp command is command-line compatible with scp but it uses (by default) sftp, so it is immune from these problems. It will use an authentication agent if you have one; however, it uses a different key file format and it will not use your ssh_config file settings if you have them.
Comment 4 Sergey 'L29Ah' Alirzaev 2020-07-27 07:17:47 UTC
Return scp plz. Not having scp installed does nothing to alleviate the vulnerability.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-27 21:19:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dc8c82d4cd5ad3976601916b0afe4f9427f513b

commit 0dc8c82d4cd5ad3976601916b0afe4f9427f513b
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-07-27 17:17:48 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-07-27 21:19:30 +0000

    net-misc/openssh-9.3_p1-r4: Default enable the scp USE flag (bug #733802)
    
    Bug: https://bugs.gentoo.org/733802
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-misc/openssh/{openssh-8.3_p1-r3.ebuild => openssh-8.3_p1-r4.ebuild} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Hanno Böck gentoo-dev 2020-11-09 08:36:32 UTC
Some update here, it seems there is work happening on replacing the "scp" command with something that works like scp (i.e. mostly syntax-compatible), but uses the sftp protocol internally.

https://lwn.net/SubscriberLink/835962/ae41b27bc20699ad/
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-June/038594.html
https://github.com/openssh/openssh-portable/pull/194

The discussion in the pull request sounds to me like this will eventually end up in default openssh and hopefully resolve this for good.