Bug 123014 - CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: openssh
Version: unspecified
Platform: All Linux
Priority: low / Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, 1, rh90, rh73, 2
Keywords: Security
Duplicates: 141679
Reported: 2004-05-11 05:58 EDT by Mark J. Cox (Product Security)
Modified: 2007-03-27 00:17 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-07-11 18:28:55 EDT

Description Mark J. Cox (Product Security) 2004-05-11 05:58:25 EDT
Back in 2000 it was reported that a malicious ssh server could cause
scp to write to arbitrary files outside of the current directory. See:
http://cert.uni-stuttgart.de/archive/bugtraq/2000/09/msg00499.html

This is a valid behaviour of the rcp protocol.

The issue was rediscovered in Mar 2004 and discussed amongst OSS
vendors. Markus Friedl from OpenBSD wrote a proposed patch for
this issue but warned that it needed a lot of testing:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114

We are currently evaluating this issue; in the meantime concerned
users can use sftp as an alternative way to copy files, or be careful
not to scp files from untrusted hosts.

Affects: FC1
Affects: FC2
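To make the description above concrete, the following is an added example written for this page, not code from the bug report or from OpenSSH's scp.c. It models the client-side sink of the scp/rcp protocol in a few lines: the server announces each file with a `C<mode> <size> <name>` record, and the original client simply joined that name onto its target directory, so a server that puts `/` or `..` in the name chooses where the file lands. `sink_name_ok()` is modelled on the check the fix adds (reject empty names, names containing `/`, and `.`/`..`); the target directory `/home/user/incoming` and the two records are constructed sample input. The ack bytes, file data, and the `D`/`E`/`T` records of the real protocol are omitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of feeding one server 'C' record to the client-side sink. */
enum sink_result { SINK_WRITE = 0, SINK_REJECT = 1, SINK_BAD_RECORD = 2 };

/* Parse an scp "C<mode> <size> <name>\n" record as the client receives it.
 * Returns 0 and fills mode/size/name on success, -1 on a malformed record.
 * Only 'C' (regular file) records are modelled here. */
int parse_c_record(const char *rec, unsigned *mode, unsigned long *size,
                   char *name, size_t namelen)
{
    char *end;
    if (rec[0] != 'C')
        return -1;
    *mode = (unsigned)strtoul(rec + 1, &end, 8);   /* mode is octal */
    if (end == rec + 1 || *end != ' ')
        return -1;
    *size = strtoul(end + 1, &end, 10);
    if (*end != ' ')
        return -1;
    const char *p = end + 1;
    size_t n = strcspn(p, "\n");                    /* name runs to newline */
    if (n == 0 || n >= namelen)
        return -1;
    memcpy(name, p, n);
    name[n] = '\0';
    return 0;
}

/* Filename check modelled on the fix (assumption: simplified from the
 * real scp.c): the server may only name a plain entry inside the target
 * directory, never a path component. */
int sink_name_ok(const char *name)
{
    if (*name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Simulate the sink for one record when the target is a directory.
 * hardened=0 reproduces the original join; hardened=1 applies the check.
 * On SINK_WRITE, path holds the file the client would have opened. */
enum sink_result sink_record(const char *targdir, const char *rec, int hardened,
                             char *path, size_t pathlen)
{
    unsigned mode;
    unsigned long size;
    char name[256];

    if (parse_c_record(rec, &mode, &size, name, sizeof name) != 0)
        return SINK_BAD_RECORD;
    if (hardened && !sink_name_ok(name))
        return SINK_REJECT;
    snprintf(path, pathlen, "%s/%s", targdir, name);   /* original behaviour */
    return SINK_WRITE;
}

int main(void)
{
    /* Constructed sample records. The second is what a malicious server
     * could send to a client that ran: scp evil:somefile ~/incoming/ */
    const char *records[] = {
        "C0644 5 hello.txt\n",
        "C0644 31 ../../.ssh/authorized_keys\n",
    };
    char path[512];

    for (int hardened = 0; hardened <= 1; hardened++) {
        for (size_t i = 0; i < sizeof records / sizeof records[0]; i++) {
            enum sink_result r = sink_record("/home/user/incoming", records[i],
                                             hardened, path, sizeof path);
            const char *what = (r == SINK_WRITE) ? path
                             : (r == SINK_REJECT) ? "rejected"
                             : "bad record";
            printf("%s client: %s", hardened ? "fixed   " : "original", what);
            printf("  (record: %s)", records[i]);
        }
    }
    return 0;
}
```

The point the example makes is the one the description states: the server, not the client, names the files in the rcp protocol, so an unpatched client will happily open `/home/user/incoming/../../.ssh/authorized_keys` for writing. The check costs nothing and the `-r` case is the same idea applied to `D` records.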
Comment 1 Mark J. Cox (Product Security) 2004-12-03 05:20:57 EST
Affects: FC2
Affects: FC3
Comment 2 Josh Bressers 2005-01-26 14:44:38 EST
This issue has been fixed in FC3 (fixed in openssh-3.9p1)
Comment 3 Tomas Mraz 2005-04-07 03:08:23 EDT
FC2 is EOLed.
Comment 4 Matthew Miller 2005-04-12 18:48:41 EDT
Well, it wasn't EOLed when you wrote that, but it is now. :)
Comment 5 Marc Deslauriers 2005-04-20 18:59:07 EDT
See also bug 120147

This may apply to older releases too.
Comment 6 Michal Jaegermann 2005-06-03 20:15:16 EDT
openssh-3.1p1-18.src.rpm as referenced in 
https://rhn.redhat.com/errata/RHSA-2005-481.html
does compile and works without any changes on RHL 7.3.

If elsewhere another version is needed then openssh-3.6.1p2-33.30.4.src.rpm
https://rhn.redhat.com/errata/RHSA-2005-106.html
will likely be a good fit.  Patches are simple in any case.
Comment 7 Marc Deslauriers 2005-06-10 21:47:25 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

Changelog:
* Fri Jun 10 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 3.1p1-14.1.legacy
- CAN-2004-0175 don't allow scp to overwrite files in other directories
- don't leak whether root password is right if root isn't allowed

rh73:
dfbd498e0766e28cf39e260b7f71d0323daadca3  openssh-3.1p1-14.1.legacy.i386.rpm
433204017936df8823ad43a628a995727826e64f  openssh-3.1p1-14.1.legacy.src.rpm
a82c597172d0cc714edfc9456ddacf2683026a53  openssh-askpass-3.1p1-14.1.legacy.i386.rpm
d9924563b239fe94ff6e0fd0ac391cef5dff392f  openssh-askpass-gnome-3.1p1-14.1.legacy.i386.rpm
92d579150b1d955e9469fd223bf283bcbbed1c18  openssh-clients-3.1p1-14.1.legacy.i386.rpm
06a0063a15e0e9f41edfcace83c738221a607334  openssh-server-3.1p1-14.1.legacy.i386.rpm

7.3 Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/openssh-3.1p1-14.1.legacy.src.rpm
7.3 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/

rh9:
9ea0a951497d0ac124448f4ca9875cda73a90d86  openssh-3.5p1-11.1.legacy.i386.rpm
601f54d595b99c02623710bd936181a9660156a3  openssh-3.5p1-11.1.legacy.src.rpm
b67ad47bab6fc51ce6ce16c7b317b3d2d220c654  openssh-askpass-3.5p1-11.1.legacy.i386.rpm
16cc691a2f8780c56207a1c21aa0bbee25a76178  openssh-askpass-gnome-3.5p1-11.1.legacy.i386.rpm
3e58c90bda61f6a4ba2e26bdd7900f32c015e9dd  openssh-clients-3.5p1-11.1.legacy.i386.rpm
31bdd5e908da54906ec770c5779d20037aad75ee  openssh-server-3.5p1-11.1.legacy.i386.rpm

9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/openssh-3.5p1-11.1.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
4c03e7bcad0b0016020a53ac03cb8f941dd77111  openssh-3.6.1p2-19.1.legacy.i386.rpm
383e6fb9fc16d79b039c47d6cf21d7c1152a1b19  openssh-3.6.1p2-19.1.legacy.src.rpm
a4e13eb677234b8b3f56d797e8ed382b027ac4d1  openssh-askpass-3.6.1p2-19.1.legacy.i386.rpm
91ea052b88ae10a586465c4dc2990f775c247496  openssh-askpass-gnome-3.6.1p2-19.1.legacy.i386.rpm
6aca4a876825e7e449c47c21b558f109c5a2b063  openssh-clients-3.6.1p2-19.1.legacy.i386.rpm
ef2aab7b6dabcfe7569a81cec64228aa6d62efa0  openssh-server-3.6.1p2-19.1.legacy.i386.rpm

fc1 Source:
http://www.infostrategique.com/linuxrpms/legacy/1/openssh-3.6.1p2-19.1.legacy.src.rpm
fc1 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
7b4c104555e820353776407982162557bca7499b  openssh-3.6.1p2-34.1.legacy.i386.rpm
c8e9b6f5bc31c9da74a5aca89303f405777d1215  openssh-3.6.1p2-34.1.legacy.src.rpm
17cb8bea25d80bf45a7089927821686e97cbd0d1  openssh-askpass-3.6.1p2-34.1.legacy.i386.rpm
b50d0a1793aae58347e8f1b1890cdf5b41e5a1b6  openssh-askpass-gnome-3.6.1p2-34.1.legacy.i386.rpm
0eda792ec77b946b73133b2932159bf654abd5a5  openssh-clients-3.6.1p2-34.1.legacy.i386.rpm
5fc665801caaa553de199c954d630e3689f0b288  openssh-server-3.6.1p2-34.1.legacy.i386.rpm

fc2 Source:
http://www.infostrategique.com/linuxrpms/legacy/2/openssh-3.6.1p2-34.1.legacy.src.rpm
fc2 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/2/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCqkJwLMAs/0C4zNoRAsVxAKCWcFLO2IOwKblFsV2vls/azmbaCACgnm29
Xzyvd+JIsSmPBUGi4pbdIpg=
=0C9T
-----END PGP SIGNATURE-----
Comment 8 Marc Deslauriers 2005-06-10 21:48:19 EDT
*** Bug 141679 has been marked as a duplicate of this bug. ***
Comment 9 Pekka Savola 2005-06-17 02:59:19 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh
 - spec file changes are minimal
 - source integrity good
 - patches are identical to those in RHEL21 (3.1p1)

+PUBLISH RHL73, RHL9, FC1, FC2

433204017936df8823ad43a628a995727826e64f  openssh-3.1p1-14.1.legacy.src.rpm
601f54d595b99c02623710bd936181a9660156a3  openssh-3.5p1-11.1.legacy.src.rpm
383e6fb9fc16d79b039c47d6cf21d7c1152a1b19  openssh-3.6.1p2-19.1.legacy.src.rpm
c8e9b6f5bc31c9da74a5aca89303f405777d1215  openssh-3.6.1p2-34.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCsnRoGHbTkzxSL7QRAns7AKCf/AkE8AgCmXQeLrKqxc7YWRS0ywCdGua/
hn7P1+xm00s6dTBhqeS1WaI=
=0gdX
-----END PGP SIGNATURE-----
Comment 10 Marc Deslauriers 2005-06-24 14:50:04 EDT
These were pushed to updates-testing
Comment 11 Tom Yates 2005-06-26 03:35:39 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

d23f5da5bae703ee28a1de84999ce8fb4945ba20 openssh-server-3.5p1-11.2.legacy.i386.rpm
598d2940ce65b82de88a7e563b0450752d679d50 openssh-clients-3.5p1-11.2.legacy.i386.rpm
35820cc8261fffa5e1bbce4b22abb6075966418a openssh-3.5p1-11.2.legacy.i386.rpm

installed.  ssh server restarts fine, ssh'ing with and without password is fine,
port forwarding is fine.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCvlqEePtvKV31zw4RAtEoAJ96MK5sLL7mfZ/YdTrJILTd62KYOwCghmKO
MKkKmk3F/BsnUsStCFuAlcE=
=OIK5
-----END PGP SIGNATURE-----
Comment 12 Pekka Savola 2005-06-28 10:03:46 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested telnet RPMs for RHL9.  'ssh' worked; 'scp' worked; I could log on
with root and regular user. +VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCwVihGHbTkzxSL7QRAuukAKDI9iHn7KEvsnNhmHrtHTLHsOhscQCgr9RN
/Li6E24vC76IC8ByFo5v73w=
=8J9m
-----END PGP SIGNATURE-----
Comment 13 Eric Jon Rostetter 2005-06-28 15:09:00 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY for RHL 7.3
++VERIFY for RHL 9

Packages:
openssh-3.5p1-11.2.legacy.i386.rpm
openssh-askpass-3.5p1-11.2.legacy.i386.rpm
openssh-askpass-gnome-3.5p1-11.2.legacy.i386.rpm
openssh-clients-3.5p1-11.2.legacy.i386.rpm
openssh-server-3.5p1-11.2.legacy.i386.rpm

SHA1 checksums all match test update advisory.  Signatures verify okay.

Installed on two RHL 9 machines and two RHL 7.3 machines without problems.
Made ssh connections between the machines both ways, tested X11 forwarding,
tested scp copies.  All worked as expected.  Saw no obvious problems
or issues.

Vote for release. ++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCwZ/14jZRbknHoPIRAgZZAKCxknVNgNYbhyesOxs4Dzl+KwGZzQCeIIgD
RhEiS2An4rRyoP4EnYcYOjY=
=C4Ru
-----END PGP SIGNATURE-----
Comment 14 Pekka Savola 2005-07-11 00:56:05 EDT
Timeout over..
Comment 15 Marc Deslauriers 2005-07-11 18:28:55 EDT
Packages were officially released.