Bug 1247203 - openssh: scp can send arbitrary control characters / escape sequences to the terminal
openssh: scp can send arbitrary control characters / escape sequences to the ...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150723,repor...
: Security
Depends On: 1247204 1247205 1247206
Blocks: 1247211
  Show dependency treegraph
 
Reported: 2015-07-27 10:40 EDT by Vasyl Kaigorodov
Modified: 2015-08-03 00:31 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 01:52:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vasyl Kaigorodov 2015-07-27 10:40:12 EDT
It was reported that when outputting filenames to the terminal, scp doesn't filter out
non-printable characters. Example:

$ touch "ab`tput clear`cd"
$ ls ab*
ab?[H?[2Jcd
$ scp ab* localhost:/tmp

clears the screen.

Upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2434
No upstream fix available yet.
Comment 2 Vasyl Kaigorodov 2015-07-27 10:40:44 EDT
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1247204]
Comment 3 Jakub Jelen 2015-07-28 04:11:34 EDT
Proposed upstream patch and created fix for current Fedora based on the way we handle banner.

Why the bugs were closed for RHEL7? Why there is not a bug for RHEL6, since it is applicable also there?
Comment 5 Huzaifa S. Sidhpurwala 2015-07-29 01:52:28 EDT
Analysis:

The scp utility shipped with OpenSSH does not filter out non-printable characters when it displays a progress meter during the actual secure-copy process. So when a file is created with embedded control characters and it is scp'ed those control characters are run on the local terminal (on the client side), these can have undesired visible affects on the current terminal.

Red Hat Product Security does not consider this issue as a security flaw. No trust boundary is crossed. The user running "scp" can only run control characters on the current local terminal. No arbitrary code can be run on the client side. (Assuming the client is running is a ssh restricted command environment) You need successful authentication on the server for the progress bar to be displayed.
Comment 6 Fedora Update System 2015-07-31 03:53:06 EDT
openssh-6.9p1-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-08-03 00:31:07 EDT
openssh-6.6.1p1-15.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.