Bug 1375941 (CVE-2016-5725)
| Summary: | CVE-2016-5725 jsch: ChannelSftp path traversal vulnerability | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | abhgupta, aileenc, alazarot, apmukher, aszczucz, bkearney, bmcclain, cbillett, chazlett, dbhole, dmcphers, eedri, etirelli, gvarsami, hhorak, java-maint, java-sig-commits, jcoleman, jerboaa, jialiu, jmatthew, jokerman, jolee, jorton, jshepherd, kanderso, krzysztof.daniel, kverlaen, ldimaggi, lmeyer, mbaluch, mgoldboi, michal.skrivanek, mizdebsk, mmccomas, mmccune, mnewsome, mwinkler, nobody+bgollahe, nwallace, ohadlevy, ohudlick, patrickm, rrajasek, rwagner, rzhang, rzima, satellite6-bugs, sbonazzo, soa-p-jira, tcunning, theute, tiwillia, tkirby, tlestach, tsanders, vondruch, ykaul | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | jsch 0.1.54 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: |
A vulnerability was discovered in JSch that allows a malicious sftp server to force a client-side relative path traversal in jsch's implementation for recursive sftp-get. An attacker could leverage this to write files outside the client's download basedir with effective permissions of the jsch sftp client process.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-10-21 00:55:02 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1375955 | ||||||
| Attachments: |
|
||||||
|
Description
Martin Prpič
2016-09-14 09:47:44 UTC
External References: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725 This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115 This was fixed upstream in version 0.1.54, as noted in the upstream release announcement: https://sourceforge.net/p/jsch/mailman/message/35318093/ Created attachment 1366981 [details]
Upstream fix
There does not seem to be any public source repository for this project, hence attaching the relevant part of the diff between 0.1.53 and 0.1.54.
This issue only affected Windows and platforms where backslash character '\' is a valid filesystem path separator. Prior to the fix, a malicious sftp server could send a file with a name containing a sequence of ..\ which was then appended to the local destination directory name and resulted in the directory traversal on those platforms. The code prior to the patch attempted to locate the last occurrence of slash '/' in the server-provided name to extract base file name to append to the destination directory name. Therefore, directory traversal using ../ sequence was not possible. The applied fix is more generic - it checks whether the constructed destination file name contains '..' and performs path name canonicalization if it does, followed by a check to ensure that the path does not point outside of the intended destination directory. |