-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/patches/0009-Verify-scp-command-options.patch | 52 | ||||
-rw-r--r-- | util.c | 36 |
3 files changed, 52 insertions, 48 deletions
diff --git a/debian/changelog b/debian/changelog index be183fb..04dea30 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +rssh (2.3.4-11) unstable; urgency=high + + * The fix for the scp security vulneraability in 2.3.4-9 introduced a + regression that blocked scp of multiple files from a server using + rssh. Based on further analysis of scp's command-line parsing, relax + the check to require the server command contain -f or -t, which should + deactivate scp's support for remote files. (Closes: #921655) + + -- Russ Allbery <rra@debian.org> Sun, 10 Feb 2019 11:17:28 -0800 + rssh (2.3.4-10) unstable; urgency=high * Also reject rsync --daemon and --config command-line options, which @@ -7,7 +17,7 @@ rssh (2.3.4-10) unstable; urgency=high (against which rsync is linked) from loading a ~/.popt configuration file, which can run arbitrary commands on the server or redefine command-line options to bypass argument checking. Thanks, Nick - Cleaton. (CVE-2019-3463) + Cleaton. (CVE-2019-3464) * Do not stop checking the rsync command line at --, since this can be an argument to some other option and later arguments may still be interpreted as options. In the few cases where one needs to rsync to diff --git a/debian/patches/0009-Verify-scp-command-options.patch b/debian/patches/0009-Verify-scp-command-options.patch index 3e252eb..da94f0c 100644 --- a/debian/patches/0009-Verify-scp-command-options.patch +++ b/debian/patches/0009-Verify-scp-command-options.patch 
@@ -16,21 +16,19 @@ first. Attempt to protect against this attack by checking the command line of scp and only allowing the options that are passed to the server -end of the connection. Specifically, do not allow multiple -non-option arguments, which attempts to prevent causing the server -to initiate an scp command. (This will break scp -3 through rssh, -which seems like an acceptable tradeoff.) +end of the connection. Require either -f or -t be given, which +disables scp's attempts to connect to a remote host. Debian Bug#919623 --- - util.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 44 insertions(+), 2 deletions(-) + util.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/util.c b/util.c -index 52a751b..4d58616 100644 +index 52a751b..391ad4a 100644 --- a/util.c +++ b/util.c -@@ -263,6 +263,45 @@ static int rsync_okay( char **vec ) +@@ -263,6 +263,43 @@ static int rsync_okay( char **vec ) } 
@@ -42,41 +40,39 @@ index 52a751b..4d58616 100644 + */ +static int scp_okay( char **vec ) +{ -+ int saw_file = FALSE; -+ int saw_end = FALSE; ++ int saw_f_or_t = FALSE; + + for ( vec++; vec && *vec; vec++ ){ + /* Allowed options. */ -+ if ( !saw_end ) { -+ if ( strcmp(*vec, "-v") == 0 ) continue; -+ if ( strcmp(*vec, "-r") == 0 ) continue; -+ if ( strcmp(*vec, "-p") == 0 ) continue; -+ if ( strcmp(*vec, "-d") == 0 ) continue; -+ if ( strcmp(*vec, "-f") == 0 ) continue; -+ if ( strcmp(*vec, "-t") == 0 ) continue; ++ if ( strcmp(*vec, "-v") == 0 ) continue; ++ if ( strcmp(*vec, "-r") == 0 ) continue; ++ if ( strcmp(*vec, "-p") == 0 ) continue; ++ if ( strcmp(*vec, "-d") == 0 ) continue; ++ if ( strcmp(*vec, "-f") == 0 ){ ++ saw_f_or_t = TRUE; ++ continue; + } -+ -+ /* End of arguments. One more argument allowed after this. */ -+ if ( !saw_end && strcmp(*vec, "--") == 0 ){ -+ saw_end = TRUE; ++ if ( strcmp(*vec, "-t") == 0 ){ ++ saw_f_or_t = TRUE; + continue; + } + -+ /* No other options allowed, but allow file starting with -. */ -+ if ( *vec[0] == '-' && !saw_end ) return FALSE; -+ if ( saw_file ) return FALSE; -+ saw_file = TRUE; ++ /* End of arguments. */ ++ if ( strcmp(*vec, "--") == 0 ) break; ++ ++ /* Any other argument is not allowed. */ ++ if ( *vec[0] == '-' ) return FALSE; + } + -+ /* We must have seen a single file. */ -+ return saw_file; ++ /* Either -f or -t must have been given. */ ++ return saw_f_or_t; +} + + /* * check_command_line() - take the command line passed to rssh, and verify * that the specified command is one the user is -@@ -278,8 +317,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) +@@ -278,8 +315,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) return PATH_SFTP_SERVER; if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){ 
@@ -271,34 +271,32 @@ static int rsync_okay( char **vec )
 */
 static int scp_okay( char **vec )
 {
- int saw_file = FALSE;
- int saw_end = FALSE;
+ int saw_f_or_t = FALSE;
 for ( vec++; vec && *vec; vec++ ){
 /* Allowed options. */
- if ( !saw_end ) {
- if ( strcmp(*vec, "-v") == 0 ) continue;
- if ( strcmp(*vec, "-r") == 0 ) continue;
- if ( strcmp(*vec, "-p") == 0 ) continue;
- if ( strcmp(*vec, "-d") == 0 ) continue;
- if ( strcmp(*vec, "-f") == 0 ) continue;
- if ( strcmp(*vec, "-t") == 0 ) continue;
+ if ( strcmp(*vec, "-v") == 0 ) continue;
+ if ( strcmp(*vec, "-r") == 0 ) continue;
+ if ( strcmp(*vec, "-p") == 0 ) continue;
+ if ( strcmp(*vec, "-d") == 0 ) continue;
+ if ( strcmp(*vec, "-f") == 0 ){
+ saw_f_or_t = TRUE;
+ continue;
 }
-
- /* End of arguments. One more argument allowed after this. */
- if ( !saw_end && strcmp(*vec, "--") == 0 ){
- saw_end = TRUE;
+ if ( strcmp(*vec, "-t") == 0 ){
+ saw_f_or_t = TRUE;
 continue;
 }
- /* No other options allowed, but allow file starting with -. */
- if ( *vec[0] == '-' && !saw_end ) return FALSE;
- if ( saw_file ) return FALSE;
- saw_file = TRUE;
+ /* End of arguments. */
+ if ( strcmp(*vec, "--") == 0 ) break;
+
+ /* Any other argument is not allowed. */
+ if ( *vec[0] == '-' ) return FALSE;
 }
- /* We must have seen a single file. */
- return saw_file;
+ /* Either -f or -t must have been given. */
+ return saw_f_or_t;
 } |
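Review bot: The `-f`/`-t` requirement in the new `scp_okay` loop is position-insensitive: the loop keeps scanning after a non-option argument, so a `-f` or `-t` that follows a file name still sets `saw_f_or_t`. If the scp binary's option parser stops at the first non-option argument (non-permuting getopt implementations do; which one scp uses is not visible on this page), that later `-f` would be read as a file name and the check would pass without scp being in server mode. Consider counting `-f`/`-t` only before the first non-option argument while still rejecting unknown options everywhere, for example by setting a `saw_nonopt` flag at the bottom of the loop and using `if ( !saw_nonopt ) saw_f_or_t = TRUE;`. The comment `/* Any other argument is not allowed. */` also overstates the check, since arguments that do not start with `-` are accepted; `/* No other options are allowed; non-option arguments pass through. */` would match the code. The same code is carried in the quilt patch hunk for debian/patches/0009-Verify-scp-command-options.patch earlier in this commit.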