UbuntuUpdates.org

Package "rssh"

Name: rssh

Description:

Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist

Latest version: 2.3.4-7ubuntu0.1
Release: bionic (18.04)
Level: updates
Repository: universe
Homepage: http://www.pizzashack.org/rssh/

Other versions of "rssh" in Bionic

Repository   Area       Version
base         universe   2.3.4-7
security     universe   2.3.4-7ubuntu0.1

Changelog

Version: 2.3.4-7ubuntu0.1 2019-04-11 20:07:21 UTC

  rssh (2.3.4-7ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Command injection
    - debian/patches/0009-Verify-scp-command-options.patch: Validate
      the allowed scp command line and only permit the flags used in
      server mode and only a single argument, to attempt to prevent use
      of ssh options to run arbitrary code on the server. This will
      break scp -3 to a system running rssh, which seems like an
      acceptable loss. (LP #1815935)
    - debian/patches/0007-Verify-rsync-command-options.patch: Tighten
      validation of the rsync command line to require --server be the
      first argument, which should prevent initiation of an outbound rsync
      command from the server, which in turn might allow execution of
      arbitrary code via ssh configuration similar to scp.

      Also reject rsync --daemon and --config command-line options, which
      can be used to run arbitrary commands. Thanks, Nick Cleaton.

      Do not stop checking the rsync command line at --, since this can
      be an argument to some other option and later arguments may still
      be interpreted as options. In the few cases where one needs to
      rsync to files named things like --rsh, the client can use ./--rsh
      instead. Thanks, Nick Cleaton.
    - debian/patches/0010-Check-command-line-after-chroot.patch: Unset
      the HOME environment variable when running rsync to prevent popt
      (against which rsync is linked) from loading a ~/.popt
      configuration file, which can run arbitrary commands on the server
      or redefine command-line options to bypass argument checking.
      Thanks, Nick Cleaton.
    - CVE-2019-1000018
    - CVE-2019-3463
    - CVE-2019-3464

 -- Mike Salvatore <email address hidden> Wed, 10 Apr 2019 13:23:31 -0400
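The three checks the changelog entry above describes, written out as an added Python example (not rssh's own code and not taken from the Debian patches): the rsync rule (--server first, --daemon/--config rejected anywhere, no early stop at a bare "--"), the scp rule (server-mode flags only, a single argument), and the HOME scrub for the rsync child. The scp flag set and the assumption that OpenSSH passes each flag as a separate argument are mine, not the page's.

```python
import os

# Options the changelog rejects because rsync uses them to run commands
# or load a configuration file.
FORBIDDEN_RSYNC_OPTS = ("--daemon", "--config")

# scp flags OpenSSH passes when it starts the server side (-t to, -f from,
# plus -r, -p, -d, -v); an assumption for this example, not from rssh.
SCP_SERVER_FLAGS = {"-t", "-f", "-r", "-p", "-d", "-v"}


def check_rsync_argv(argv):
    """Return (ok, reason) for an rsync command line, following the rules
    described in the changelog: --server must be the first argument and
    forbidden options are rejected anywhere, including after '--'."""
    if len(argv) < 2 or os.path.basename(argv[0]) != "rsync":
        return False, "not an rsync command line"
    if argv[1] != "--server":
        return False, "--server must be the first argument"
    for arg in argv[2:]:
        # No 'break' on "--": it may be an argument to another option, so
        # everything after it is still inspected as a possible option.
        for bad in FORBIDDEN_RSYNC_OPTS:
            if arg == bad or arg.startswith(bad + "="):
                return False, f"forbidden option {bad}"
    return True, "ok"


def check_scp_argv(argv):
    """Return (ok, reason): only server-mode flags and exactly one path."""
    if len(argv) < 2 or os.path.basename(argv[0]) != "scp":
        return False, "not an scp command line"
    mode_flags, paths = 0, []
    for arg in argv[1:]:
        if arg in SCP_SERVER_FLAGS:
            if arg in ("-t", "-f"):
                mode_flags += 1
        elif arg.startswith("-"):
            return False, f"disallowed scp option {arg}"
        else:
            paths.append(arg)
    if mode_flags != 1 or len(paths) != 1:
        return False, "need exactly one of -t/-f and a single argument"
    return True, "ok"


def child_environment(env):
    """Environment for the rsync child with HOME removed, so popt cannot
    read a user-controlled ~/.popt file (the changelog's third patch)."""
    return {k: v for k, v in env.items() if k != "HOME"}
```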

1815935 Regression in 2.3.4-4+deb8u1build0.16.04.1 on scp command parsing
CVE-2019-1000018 rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp p
CVE-2019-3463 Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to
CVE-2019-3464 Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restri
