Bug 120147 - CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Summary: CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard: impact=low,public=20000901
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-04-06 12:28 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-05-18 13:48:31 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:106 normal SHIPPED_LIVE Low: openssh security update 2005-05-18 04:00:00 UTC

Description Mark J. Cox 2004-04-06 12:28:10 UTC
Back in 2000 it was reported that a malicious ssh server could cause
scp to write to arbitrary files outside of the current directory. 
See:    
http://cert.uni-stuttgart.de/archive/bugtraq/2000/09/msg00499.html

This is a valid behaviour of the rcp protocol.

The issue was rediscovered in Mar 2004 and discussed amongst OSS
vendors, with Markus Friedl from OpenBSD writing a proposed patch for
this issue but warned that it needed a lot of testing:
        
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114

Comment 1 Mark J. Cox 2004-04-06 12:30:05 UTC
We are currently evaluating this issue; in the meantime concerned
users can use sftp as an alternative way to copy files, or be careful
not to scp files from untrusted hosts.

Comment 2 Barry K. Nathan 2004-09-07 23:56:21 UTC
Is Red Hat still "evaluating this issue"? (I think Apple released a
patch to fix this vuln on Mac OS X earlier today, for what that's worth.)

Comment 6 Tim Powers 2005-05-18 13:48:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-106.html


Comment 7 Barry K. Nathan 2005-05-19 06:18:12 UTC
Will there be errata packages to fix this for RHEL 2.1?

Comment 8 Josh Bressers 2005-05-26 20:27:17 UTC
The fix for RHEL2.1 is now being tracked by bug 158915


Note You need to log in before you can comment on or make changes to this bug.