Red Hat Bugzilla – Attachment 660999 Details for
Bug 877279
CVE-2012-2251 rssh: insufficient filtering of -e option for rsync [fedora-all]
Update to 2.3.4
rssh-2.3.4.diff (text/plain), 11.72 KB, created by
Tomas Hoger
on 2012-12-10 17:52:02 UTC
Description:
Update to 2.3.4
Filename:
MIME Type:
Creator:
Tomas Hoger
Created:
2012-12-10 17:52:02 UTC
Size:
11.72 KB
patch
obsolete
>commit 347ec7ae1282afce854a4a56ecb02c8a1aa3975b
>Author: Tomas Hoger <thoger@redhat.com>
>Date: Mon Dec 10 18:46:00 2012 +0100
>
> Update to rssh version 2.3.4
>
> This update fixes 3 security issues: CVE-2012-3478, CVE-2012-2251 and
> CVE-2012-2252
>
>diff --git a/rssh-2.3.2-makefile.patch b/rssh-2.3.2-makefile.patch
>deleted file mode 100644
>index c28167e..0000000
>--- a/rssh-2.3.2-makefile.patch
>+++ /dev/null
>@@ -1,11 +0,0 @@
>---- rssh-2.3.2/Makefile.in.old 2008-07-21 19:52:51.000000000 -0400
>-+++ rssh-2.3.2/Makefile.in 2008-07-21 19:52:54.000000000 -0400
>-@@ -728,7 +728,7 @@
>- $(CC) -c $(DEFS) $(ourdefs) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
>-
>- install-exec-hook:
>-- chmod u+s $(libexecdir)/rssh_chroot_helper
>-+ chmod u+s $(DESTDIR)$(libexecdir)/rssh_chroot_helper
>-
>- rpm: dist
>- rpmbuild -ta --sign $(base).tar.gz
>diff --git a/rssh-2.3.3-rsync-protocol.patch b/rssh-2.3.3-rsync-protocol.patch
>deleted file mode 100644
>index f4ea113..0000000
>--- a/rssh-2.3.3-rsync-protocol.patch
>+++ /dev/null
>@@ -1,65 +0,0 @@
>-As of rsync 3, rsync reused the -e option to pass protocol information
>-from the client to the server. We therefore cannot reject all -e
>-options to rsync, only ones not sent with --server or containing
>-something other than protocol information as an argument.
>-
>-Based on work by Robert Hardy.
>-
>-Debian Bug#471803
>-
>---- rssh.orig/util.c
>-+++ rssh/util.c
>-@@ -56,6 +56,7 @@
>- #ifdef HAVE_LIBGEN_H
>- #include <libgen.h>
>- #endif /* HAVE_LIBGEN_H */
>-+#include <regex.h>
>-
>- /* LOCAL INCLUDES */
>- #include "pathnames.h"
>-@@ -187,6 +188,33 @@
>- }
>-
>- /*
>-+ * check_rsync_e() - take the command line passed to rssh and look for a -e
>-+ * option. If one is found, make sure --server is provided
>-+ * and the option contains only the protocol information.
>-+ * Returns 1 if the command line is safe; 0 otherwise.
>-+ */
>-+static int check_rsync_e( char *cl )
>-+{
>-+ int status;
>-+ regex_t re;
>-+
>-+ /*
>-+ * This is more complicated than it looks because we don't want to
>-+ * trigger on the e in --server, but we do want to catch the common
>-+ * case of -ltpre.iL (which contains -e.).
>-+ */
>-+ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
>-+
>-+ if ( strstr(cl, "--server") == NULL ) return 0;
>-+ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
>-+ return 0;
>-+ }
>-+ status = regexec(&re, cl, 0, NULL, 0);
>-+ regfree(&re);
>-+ return (status == 0) ? 0 : 1;
>-+}
>-+
>-+/*
>- * check_command_line() - take the command line passed to rssh, and verify
>- * that the specified command is one the user is
>- * allowed to run. Return the path of the command
>-@@ -230,9 +258,9 @@
>-
>- if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
>- /* filter -e option */
>-- if ( opt_exist(cl, 'e') ){
>-+ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
>- fprintf(stderr, "\ninsecure -e option not allowed.");
>-- log_msg("insecure -e option in rdist command line!");
>-+ log_msg("insecure -e option in rsync command line!");
>- return NULL;
>- }
>-
>diff --git a/rssh-2.3.4-command-line-error.patch b/rssh-2.3.4-command-line-error.patch
>new file mode 100644
>index 0000000..cec059c
>--- /dev/null
>+++ b/rssh-2.3.4-command-line-error.patch
>@@ -0,0 +1,26 @@
>+From: Russ Allbery <rra@debian.org>
>+Subject: [PATCH] Fix error message from invalid options
>+
>+Don't refer to all invalid options as invalid scp options.
>+
>+Signed-off-by: Russ Allbery <rra@debian.org>
>+
>+---
>+ util.c | 2 +-
>+ 1 file changed, 1 insertion(+), 1 deletion(-)
>+
>+diff --git a/util.c b/util.c
>+index 443dcba..774bdbe 100644
>+--- a/util.c
>++++ b/util.c
>+@@ -152,7 +152,7 @@ bool opt_filter(char **vec, const char opt)
>+ while (vec && *vec){
>+ if (opt_exist(*vec, opt)){
>+ fprintf(stderr, "\nillegal insecure %c option", opt);
>+- log_msg("insecure %c option in scp command line!", opt);
>++ log_msg("insecure %c option in command line!", opt);
>+ return TRUE;
>+ }
>+ vec++;
>+--
>+tg: (05e48f5..) fixes/command-line-error (depends on: fixes/command-line-checking)
>diff --git a/rssh-2.3.4-makefile.patch b/rssh-2.3.4-makefile.patch
>new file mode 100644
>index 0000000..2296fea
>--- /dev/null
>+++ b/rssh-2.3.4-makefile.patch
>@@ -0,0 +1,16 @@
>+diff -pruN rssh-2.3.4.orig/Makefile.in rssh-2.3.4/Makefile.in
>+--- rssh-2.3.4.orig/Makefile.in 2012-11-27 01:19:34.000000000 +0100
>++++ rssh-2.3.4/Makefile.in 2012-11-28 18:21:03.154903684 +0100
>+@@ -727,10 +727,10 @@ uninstall-man: uninstall-man1 uninstall-
>+
>+
>+ .c.o:
>+- $(CC) -c $(DEFS) $(ourdefs) $(AM_CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
>++ $(CC) -c $(DEFS) $(ourdefs) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
>+
>+ install-exec-hook:
>+- chmod u+s $(libexecdir)/rssh_chroot_helper
>++ chmod u+s $(DESTDIR)$(libexecdir)/rssh_chroot_helper
>+
>+ rpm: dist
>+ rpmbuild -ta --sign $(base).tar.gz
>diff --git a/rssh-2.3.4-rsync-protocol.patch b/rssh-2.3.4-rsync-protocol.patch
>new file mode 100644
>index 0000000..e1694ee
>--- /dev/null
>+++ b/rssh-2.3.4-rsync-protocol.patch
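Review bot: In rssh-2.3.4-makefile.patch the `.c.o` rule replaces `$(AM_CFLAGS)` with `$(CFLAGS)` rather than adding to it, so whatever upstream puts in AM_CFLAGS (not visible on this page) no longer reaches the compiler, presumably also for the `rssh_chroot_helper` binary that the same hunk marks `u+s`. Keeping both preserves upstream's flags while still honouring the RPM build flags: `$(CC) -c $(DEFS) $(ourdefs) $(AM_CFLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<`. The patch file also carries no description; a short header line such as `Use RPM CFLAGS when compiling and honour DESTDIR in install-exec-hook` would make the next rebase easier to review.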
>@@ -0,0 +1,130 @@
>+From: Russ Allbery <rra@stanford.edu>
>+Subject: [PATCH] Handle the rsync v3 -e option for protocol information
>+
>+As of rsync 3, rsync reused the -e option to pass protocol information
>+from the client to the server. We therefore cannot reject all -e
>+options to rsync, only ones not sent with --server or containing
>+something other than protocol information as an argument.
>+
>+Also scan the rsync command line for any --rsh option and reject it as
>+well. This replaces and improves the upstream strategy for rejecting
>+that command-line option, taking advantage of the parsing added to
>+check the -e option.
>+
>+Based on work by Robert Hardy.
>+
>+Debian Bug#471803
>+
>+Signed-off-by: Russ Allbery <rra@stanford.edu>
>+
>+---
>+ util.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
>+ 1 file changed, 72 insertions(+), 8 deletions(-)
>+
>+diff --git a/util.c b/util.c
>+index f98d2bc..a257b06 100644
>+--- a/util.c
>++++ b/util.c
>+@@ -56,6 +56,7 @@
>+ #ifdef HAVE_LIBGEN_H
>+ #include <libgen.h>
>+ #endif /* HAVE_LIBGEN_H */
>++#include <regex.h>
>+
>+ /* LOCAL INCLUDES */
>+ #include "pathnames.h"
>+@@ -198,6 +199,73 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
>+
>+
>+ /*
>++ * rsync_e_okay() - take the command line passed to rssh and look for an -e
>++ * option. If one is found, make sure --server is provided
>++ * and the option contains only the protocol information.
>++ * Also check for and reject any --rsh option. Returns FALSE
>++ * if the command line should not be allowed, TRUE if it is
>++ * okay.
>++ */
>++static int rsync_e_okay( char **vec )
>++{
>++ regex_t re;
>++ int server = FALSE;
>++ int e_found = FALSE;
>++
>++ /*
>++ * rsync will send -e, followed by either just "." (meaning no special
>++ * protocol) or "N.N" (meaning a pre-release protocol version),
>++ * followed by some number of alphabetic flags indicating various
>++ * supported options. There may be other options between - and the e,
>++ * but -e will always be the last option in the string. A typical
>++ * option passed by the client is "-ltpre.iL".
>++ *
>++ * Note that if --server is given, this should never be parsed as a
>++ * shell, but we'll tightly verify it anyway, just in case.
>++ *
>++ * This regex matches the acceptable flags containing -e, so if it
>++ * does not match, the command line should be rejected.
>++ */
>++ static const char pattern[]
>++ = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";
>++
>++ /*
>++ * Only recognize --server if it's the first option. rsync itself
>++ * always passes it that way, and if it's not the first argument, it
>++ * could be hidden from the server as an argument to some other
>++ * option.
>++ */
>++ if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
>++ server = TRUE;
>++ }
>++
>++ /* Check the remaining options for -e or --rsh. */
>++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
>++ return FALSE;
>++ }
>++ while (vec && *vec){
>++ if ( strcmp(*vec, "--") == 0 ) break;
>++ if ( strcmp(*vec, "--rsh") == 0
>++ || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
>++ regfree(&re);
>++ return FALSE;
>++ }
>++ if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
>++ e_found = TRUE;
>++ if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
>++ regfree(&re);
>++ return FALSE;
>++ }
>++ }
>++ vec++;
>++ }
>++ regfree(&re);
>++ if ( e_found && !server ) return FALSE;
>++ return TRUE;
>++}
>++
>++
>++/*
>+ * check_command_line() - take the command line passed to rssh, and verify
>+ * that the specified command is one the user is
>+ * allowed to run and validate the arguments. Return the
>+@@ -230,14 +298,10 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
>+
>+ if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
>+ /* filter -e option */
>+- if ( opt_filter(cl, 'e') ) return NULL;
>+- while (cl && *cl){
>+- if ( strstr(*cl, "--rsh" ) ){
>+- fprintf(stderr, "\ninsecure --rsh= not allowed.");
>+- log_msg("insecure --rsh option in rsync command line!");
>+- return NULL;
>+- }
>+- cl++;
>++ if ( !rsync_e_okay(cl) ){
>++ fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
>++ log_msg("insecure -e or --rsh option in rsync command line!");
>++ return NULL;
>+ }
>+ return PATH_RSYNC;
>+ }
>+--
>+tg: (f8b36e2..) fixes/rsync-protocol (depends on: upstream)
>diff --git a/rssh.spec b/rssh.spec
>index 986a059..135fdf4 100644
>--- a/rssh.spec
>+++ b/rssh.spec
>@@ -1,13 +1,15 @@
> Name: rssh
>-Version: 2.3.3
>-Release: 4%{?dist}
>+Version: 2.3.4
>+Release: 1%{?dist}
> Summary: Restricted shell for use with OpenSSH, allowing only scp and/or sftp
> Group: Applications/Internet
> License: BSD
> URL: http://www.pizzashack.org/rssh/
> Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
>-Patch0: rssh-2.3.2-makefile.patch
>-Patch1: rssh-2.3.3-rsync-protocol.patch
>+Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz.sig
>+Patch0: rssh-2.3.4-makefile.patch
>+Patch1: rssh-2.3.4-rsync-protocol.patch
>+Patch2: rssh-2.3.4-command-line-error.patch
>
> BuildRequires: openssh-server, openssh-clients
> BuildRequires: cvs rsync rdist
>@@ -15,7 +17,6 @@ Requires: openssh-server
> Requires(pre): shadow-utils
>
> %description
>-
> rssh is a restricted shell for use with OpenSSH, allowing only scp
> and/or sftp. For example, if you have a server which you only want
> to allow users to copy files off of via scp, without providing shell
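Review bot: rsync_e_okay() in rssh-2.3.4-rsync-protocol.patch runs its allowlist regex only on arguments for which `opt_exist(*vec, 'e')` returns true, so the filter is exactly as strict as that helper, whose body is not part of this patch; an argument the helper does not flag is never matched against the pattern. The function comment should state that dependency, for example `/* relies on opt_exist() flagging every argv element that rsync could parse as carrying -e */`, so a later change to opt_exist() is reviewed with this caller in mind. The function is also declared `static int` while it is documented and used as TRUE/FALSE and the neighbouring opt_filter() returns `bool`; using `bool` here would keep util.c consistent. On rejection, check_command_line() logs a fixed string, so the offending argument is not available to whoever reviews the log afterwards; recording it (sanitised and length-limited) would help triage.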
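Review bot: The new `Source1` line in rssh.spec packages upstream's detached signature, but the `%prep` lines visible in the following hunk go from `%setup -q` straight to the patches, so nothing shown here checks Source0 against that signature, and both source URLs are plain `http://`. If verification does not happen elsewhere in the spec, add the upstream public key as a further source and verify before unpacking, e.g. `gpgv --keyring <upstream-keyring-file> %{SOURCE1} %{SOURCE0}` ahead of `%setup -q`. Only part of %prep is visible on this page, so this needs confirming against the full file.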
>@@ -26,6 +27,7 @@ access, you can use rssh to do that. It is a alternative to scponly.
> %setup -q
> %patch0 -p1 -b .makefile
> %patch1 -p1 -b .rsync3
>+%patch2 -p1 -b .cmdline-error
>
> chmod 644 conf_convert.sh
> chmod 644 mkchroot.sh
>@@ -39,6 +41,9 @@ make %{?_smp_mflags}
> %install
> rm -rf %{buildroot}
> make install INSTALL="%{__install} -p" DESTDIR=%{buildroot}
>+# since rssh 2.3.4, default config is installed as rssh.conf.default,
>+# rename it for packaging in rpm
>+mv %{buildroot}/%{_sysconfdir}/rssh.conf{.default,}
>
> %clean
> rm -rf %{buildroot}
>@@ -59,6 +64,15 @@ exit 0
>
>
> %changelog
>+* Mon Dec 10 2012 Tomas Hoger <thoger@fedoraproject.org> - 2.3.4-1
>+- Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252
>+- Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the
>+ CVE-2012-3478 and CVE-2012-2252 fixes.
>+- Updated makefile.patch to preserve RPM CFLAGS.
>+- Added command-line-error.patch (from Debian), correcting error message
>+ generated when insecure command line option is used (CVE-2012-3478 fix
>+ regression).
>+
> * Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-4
> - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
>
>@@ -96,4 +110,3 @@ exit 0
> * Tue Jul 22 2008 Rahul Sundaram <sundaram@fedoraproject.org> - 2.3.2-1
> - initial spec
>
>-