Red Hat Bugzilla – Bug 1247203
openssh: scp can send arbitrary control characters / escape sequences to the terminal
Last modified: 2015-08-03 00:31:07 EDT
It was reported that when outputting filenames to the terminal, scp doesn't filter out
non-printable characters. Example:
$ touch "ab`tput clear`cd"
$ ls ab*
$ scp ab* localhost:/tmp
clears the screen.
Upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2434
No upstream fix available yet.
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1247204]
Proposed upstream patch and created fix for current Fedora based on the way we handle banner.
Why the bugs were closed for RHEL7? Why there is not a bug for RHEL6, since it is applicable also there?
The scp utility shipped with OpenSSH does not filter out non-printable characters when it displays a progress meter during the actual secure-copy process. So when a file is created with embedded control characters and it is scp'ed those control characters are run on the local terminal (on the client side), these can have undesired visible affects on the current terminal.
Red Hat Product Security does not consider this issue as a security flaw. No trust boundary is crossed. The user running "scp" can only run control characters on the current local terminal. No arbitrary code can be run on the client side. (Assuming the client is running is a ssh restricted command environment) You need successful authentication on the server for the progress bar to be displayed.
openssh-6.9p1-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
openssh-6.6.1p1-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.