Bug 418201 (CVE-2007-6350)
| Summary: | CVE-2007-6350 scponly: rsync, svn and unison support may be dangerous | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Lubomir Kundrak <lkundrak> |
| Component: | vulnerability | Assignee: | Warren Togami <wtogami> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | a.badger, kevin, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-02-22 14:11:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 429731, 429732 | ||
| Bug Blocks: | |||
|
Description
Lubomir Kundrak
2007-12-10 15:36:50 UTC
rsync support disabled in devel since this is a security issue. warren, I'd like to get your permission before pushing to other releases as it would be a feature that is going away. If you think that removing the feature for released distro versions would be disruptive we could look at backporting the fixes talked about in the Debian bug report. They don't close the hole for the svn case but they are supposed to close it for rsync. (Might want to review it, though). For rsync specifically, scponly is insecure only if you use a non-default option in rsyncd.conf? You are clearly shooting yourself in the foot if you set those options. (no opinion yet, need time to fully review the Debian bug) AIUI, you can upload an rsyncd.conf file from your local machine using scponly. Then, using the rsync passthrough feature of scponly start an rsync daemon that uses the uploaded rsyncd.conf file. Since rsync has config options that let you invoke a program, this lets the user escape the constraints of scponly. (In reply to comment #4) > Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350 scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute code by invoking dangerous subcommands including (1) unison, (2) rsync, and (3) svn , as originally demonstrated by creating a Subversion (SVN) repository with malicious hooks, then using svn to trigger execution of those hooks. Fedora packages in F7 and F8 are only compiled to support rsync. unison and svn compatibility is not enabled / compiled in. Converting to Security Response bug. scponly-4.6-10.fc8 has been submitted as an update for Fedora 8 scponly-4.6-10.fc7 has been submitted as an update for Fedora 7 scponly-4.6-10.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. scponly-4.6-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1728 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1743 |