Bug 74633 - [Maintainer update] shells/scponly: Update to 4.0 (security vulnerability fixed in this version)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2004-12-02 22:50 UTC by Hideyuki KURASHINA
Modified: 2004-12-04 23:57 UTC (History)

Attachments
file.diff (2.76 KB, patch)
2004-12-02 22:50 UTC, Hideyuki KURASHINA

Description Hideyuki KURASHINA freebsd_committer freebsd_triage 2004-12-02 22:50:07 UTC
	Update to 4.0, which includes a fix for a security issue (arbitrary
	command execution) recently discovered by Jason Wies.

	See the following for details:

	  http://www.sublimation.org/scponly/#relnotes
	  http://www.securityfocus.com/archive/1/383046
	  http://marc.theaimsgroup.com/?l=bugtraq&m=110202047507273&w=2

Fix: Apply the following patch,

How-To-Repeat: 
	According to Jason's report,

	  ssh restricteduser@remotehost 'rsync -e "touch /tmp/example --" localhost:/dev/null /tmp'

	  scp command.sh restricteduser@remotehost:/tmp/command.sh
	  ssh restricteduser@remotehost 'scp -S /tmp/command.sh localhost:/dev/null /tmp'

	Regarding the first item, /tmp/example is actually touch(1)'ed
	(please note that touch(1) is not a program allowed by scponly).
	The second item is confirmed to work.
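
Both commands in the report work because options given to a permitted program are passed through unchecked. As an added example (not scponly's code and not the 4.0 fix), here is a fail-closed argument check in Python; the `ALLOWED` policy and the name `check_command` are assumptions made for illustration.

```python
import shlex

# Programs the restricted account may run (hypothetical policy).
ALLOWED = {"scp", "rsync"}
# Options that make the allowed program execute another program: the two
# from the report, plus --rsh, which is rsync's long form of -e.
EXEC_SHORT = {"scp": "S", "rsync": "e"}
EXEC_LONG = {"scp": (), "rsync": ("--rsh",)}


def check_command(cmdline):
    """Return (ok, reason) for a command line requested over ssh."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, "unparsable: %s" % exc
    if not argv or argv[0] not in ALLOWED:
        return False, "program not allowed"
    prog = argv[0]
    for arg in argv[1:]:
        if arg == "--":  # end of options; the rest are file operands
            break
        if arg.startswith("--"):
            name = arg.split("=", 1)[0]
            if name in EXEC_LONG[prog]:
                return False, "option runs a program: " + name
        elif arg.startswith("-") and len(arg) > 1:
            # Short options may be clustered (-ave), so fail closed on any
            # cluster containing the letter and accept false positives.
            if EXEC_SHORT[prog] in arg[1:]:
                return False, "option runs a program: -" + EXEC_SHORT[prog]
    return True, "ok"


if __name__ == "__main__":
    # The first two lines are the remote commands from the report; the
    # last two are constructed samples (one benign, one disallowed).
    for line in (
        'rsync -e "touch /tmp/example --" localhost:/dev/null /tmp',
        "scp -S /tmp/command.sh localhost:/dev/null /tmp",
        "scp -t /tmp",
        "touch /tmp/example",
    ):
        print(check_command(line), line)
```

Current rsync clients include an `-e.`-prefixed capability string in their `--server` arguments, so this letter match rejects them and a deployed check would need a narrow exception for that form.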
Comment 1 Hideyuki KURASHINA freebsd_committer freebsd_triage 2004-12-02 23:22:26 UTC
Hi,

> >Category:       ports
> >Responsible:    freebsd-ports-bugs
> >Synopsis:       [Maintainer update] shells/scponly: Update to 4.0 (security vulnerability fixed in this version)
> >Arrival-Date:   Thu Dec 02 22:50:07 GMT 2004

I made a patch for this issue.

Please consider applying the following one to ports/security/vuxml/vuln.xml.
Any improvements are welcome, including wording/grammar corrections.

Regards,

-- rushani

--- vuln.xml.orig	Fri Dec  3 08:13:10 2004
+++ vuln.xml	Fri Dec  3 08:14:30 2004
@@ -32,6 +32,39 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="f11b219a-44b6-11d9-ae2f-021106004fd6">
+    <topic>rssh &amp; scponly -- arbitrary command execution</topic>
+    <affects>
+      <package>
+	<name>rssh</name>
+	<range><le>2.2.2</le></range>
+      </package>
+      <package>
+	<name>scponly</name>
+	<range><lt>4.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Jason Wies identified both rssh &amp; scponly has a vulnerability
+	  that allows arbitrary command execution.  He reports:</p>
+	<blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110202047507273">
+	  <p>The problem is compounded when you recognize that the main use of rssh and
+	    scponly is to allow file transfers, which in turn allows a malicious user to
+	    transfer and execute entire custom scripts on the remote machine.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <freebsdpr>ports/74633</freebsdpr>
+      <mlist msgid="20041202135143.GA7105@xc.net">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=110202047507273</mlist>
+    </references>
+    <dates>
+      <discovery>2004-11-28</discovery>
+      <entry>2004-12-02</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2b4d5288-447e-11d9-9ebb-000854d03344">
     <topic>rockdodger -- buffer overflows</topic>
     <affects>
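Review bot: The <description> body of the new <vuln> entry quotes only the "problem is compounded" paragraph, which states the consequence but never the flaw, so someone reading the entry alone cannot tell what is exploitable. Suggest adding a sentence ahead of the <blockquote> saying that options passed through to the permitted programs (the PR's examples use "rsync -e" and "scp -S") let a restricted user run arbitrary commands. In the same <p>, "both rssh &amp; scponly has a vulnerability" should read "have a vulnerability". The rssh range is <le>2.2.2</le> while scponly uses <lt>4.0</lt>; if that is because no fixed rssh release exists yet, say so in the description so the open-ended range is not mistaken for a typo.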
Comment 2 Pav Lucistnik freebsd_committer freebsd_triage 2004-12-04 23:57:12 UTC
State Changed
From-To: open->closed

Committed, thanks!