Bug 168167 (CVE-2006-0225)

Summary: CVE-2006-0225 local to local copy uses shell expansion twice
Product: [Other] Security Response Reporter: Ulrich Drepper <drepper>
Component: vulnerabilityAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-01-23 17:07:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Use posix_spawnp instead of system
none
Patch to use posix_spawnp
none
This patch uses fork + exec instead of posix_spawnp none

Description Ulrich Drepper 2005-09-13 04:41:52 UTC 
Description of problem:
scp currently implements local-to-local copy by constructing a command line
using 'cp' in a string and then using system().  Beside the fact the using
system() is really always wrong (only lazy people use it) which has the added
problem that the file name is exposed twice to shell expansion.  The file name
could contain characters which need quoting, like $ or spaces.  This second
expansion must be avoided.

Version-Release number of selected component (if applicable):
openssh-clients-4.2p1-1.x86_64

How reproducible:
always

Steps to Reproduce:
1.touch foo\ bar
2.mkdir somedir
3.scp foo\ bar somedir
  
Actual results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory


Expected results:
no message, file copied

Additional info:
I'll attach a patch.  Upstream would probably not like it but it glibc is
advanced enough to provide the necessary functions.

There are also a few more places where I've seen TEMP_FAILURE_RETRY or
equivalent code missing.
Comment 1 Ulrich Drepper 2005-09-13 04:41:53 UTC 
Created attachment 118749 [details]
Use posix_spawnp instead of system
Comment 4 Ulrich Drepper 2005-09-13 17:55:17 UTC 
Created attachment 118770 [details]
Patch to use posix_spawnp
Comment 9 Josh Bressers 2005-09-19 19:53:42 UTC 
Yes, this is a security issue.  I spent some time looking at this today, and
this distrubs me:

bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`
bress@link:/tmp/josh% scp * a
cp: omitting directory `a'
cp: missing destination file
Try `cp --help' for more information.
zsh: exit 1     scp * a
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:52 feh
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`


While I know most people don't use scp to move files around their local system,
I do leave off the trailing : quite often.
Comment 12 Tomas Mraz 2005-09-28 20:51:05 UTC 
Created attachment 119390 [details]
This patch uses fork + exec instead of posix_spawnp

This patch uses fork + exec instead of posix_spawnp and also fixes the remote
to remote copy.
Comment 13 Josh Bressers 2005-11-23 20:54:35 UTC 
I'm reassigning this to FC5T1.  Please be sure to update FC4 and FC3 if it is
still supported when this update goes out.
Comment 14 Tomas Mraz 2005-11-24 10:12:51 UTC 
The patch is in rawhide since openssh-4.2p1-2. I'll do the FC3 and FC4 updates soon.
Comment 15 Fedora Update System 2006-01-23 17:04:59 UTC 
From User-Agent: XML-RPC

openssh-4.2p1-fc4.10 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 16 Tomas Mraz 2006-01-23 17:07:22 UTC 
Fixed in FC5Test1 and FC4 updates.