Bug 1247203

Summary: openssh: scp can send arbitrary control characters / escape sequences to the terminal
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, jjelen, mattias.ellert, mgrepl, plautrba, tmraz, vkaigoro
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 05:52:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1247204, 1247205, 1247206    
Bug Blocks: 1247211    

Description Vasyl Kaigorodov 2015-07-27 14:40:12 UTC 
It was reported that when outputting filenames to the terminal, scp doesn't filter out
non-printable characters. Example:

$ touch "ab`tput clear`cd"
$ ls ab*
ab?[H?[2Jcd
$ scp ab* localhost:/tmp

clears the screen.

Upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2434
No upstream fix available yet.
Comment 2 Vasyl Kaigorodov 2015-07-27 14:40:44 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1247204]
Comment 3 Jakub Jelen 2015-07-28 08:11:34 UTC 
Proposed upstream patch and created fix for current Fedora based on the way we handle banner.

Why the bugs were closed for RHEL7? Why there is not a bug for RHEL6, since it is applicable also there?
Comment 5 Huzaifa S. Sidhpurwala 2015-07-29 05:52:28 UTC 
Analysis:

The scp utility shipped with OpenSSH does not filter out non-printable characters when it displays a progress meter during the actual secure-copy process. So when a file is created with embedded control characters and it is scp'ed those control characters are run on the local terminal (on the client side), these can have undesired visible affects on the current terminal.

Red Hat Product Security does not consider this issue as a security flaw. No trust boundary is crossed. The user running "scp" can only run control characters on the current local terminal. No arbitrary code can be run on the client side. (Assuming the client is running is a ssh restricted command environment) You need successful authentication on the server for the progress bar to be displayed.
Comment 6 Fedora Update System 2015-07-31 07:53:06 UTC 
openssh-6.9p1-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-08-03 04:31:07 UTC 
openssh-6.6.1p1-15.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.