Bug 1677794

Summary: CVE-2019-6111 affects krb5-appl kerberized rcp
Product: [Community] softwarecollections.org Reporter: Vern Staats <staatsvr>
Component: OtherAssignee: Honza Horak <hhorak>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 1.0CC: hhorak, msuchy
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-17 08:36:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
Response from MITRE to my request to add this info to CVE-2019-611 none

Description Vern Staats 2019-02-15 22:05:49 UTC
Created attachment 1535343 [details]
Response from MITRE to my request to add this info to CVE-2019-611

Description of problem:
krb5-appl rcp has the same CVE-2019-6111 vulnerability as openssh scp.
I reported this to krbcore-security; they consider this package end-of-life / unsupported.
I have a PoC exploit and partial mitigation patches for src/krb5-appl-1.0.1/bsd/krcp.c

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Apply patch krb5-appl-2019-6111-poc.diff (available on request)
2.  Run kshd with now-evil rcp
3.1  rcp remote-host:test.txt .
3.2  rcp remote-host:dirtest.txt .

Actual results:
3.1  mode 0755 ./.badrcp.rc with nc | bash script.
3.2  mode 0755 /tmp/.badrcp.rc with same remote access script.

Expected results:
Requested file, or nothing if remote file non-existant.

Additional info:
My first report to bugzilla.redhat.com, apologies for any mistakes.  Not sure how you wanted "Product / Component" categorised.  The affected package is available at

Comment 1 Honza Horak 2021-12-17 08:36:20 UTC
I'm sorry for ignoring this long, the report is for a wrong product, but even if the product was filled correctly for RHEL6, it would be closed WONTFIX anyway, because RHEL-6 is already EOL for long time. Closing for now.