Bug 120147 - CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Summary: CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Whiteboard: impact=low,public=20000901
Depends On:
TreeView+ depends on / blocked
Reported: 2004-04-06 12:28 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-18 13:48:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:106 0 normal SHIPPED_LIVE Low: openssh security update 2005-05-18 04:00:00 UTC

Description Mark J. Cox 2004-04-06 12:28:10 UTC
Back in 2000 it was reported that a malicious ssh server could cause
scp to write to arbitrary files outside of the current directory. 

This is a valid behaviour of the rcp protocol.

The issue was rediscovered in Mar 2004 and discussed amongst OSS
vendors, with Markus Friedl from OpenBSD writing a proposed patch for
this issue but warned that it needed a lot of testing:

Comment 1 Mark J. Cox 2004-04-06 12:30:05 UTC
We are currently evaluating this issue; in the meantime concerned
users can use sftp as an alternative way to copy files, or be careful
not to scp files from untrusted hosts.

Comment 2 Barry K. Nathan 2004-09-07 23:56:21 UTC
Is Red Hat still "evaluating this issue"? (I think Apple released a
patch to fix this vuln on Mac OS X earlier today, for what that's worth.)

Comment 6 Tim Powers 2005-05-18 13:48:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 7 Barry K. Nathan 2005-05-19 06:18:12 UTC
Will there be errata packages to fix this for RHEL 2.1?

Comment 8 Josh Bressers 2005-05-26 20:27:17 UTC
The fix for RHEL2.1 is now being tracked by bug 158915

Note You need to log in before you can comment on or make changes to this bug.