Bug 158915 - CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Status: CLOSED DUPLICATE of bug 146881
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: openssh
Version: 2.1
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Whiteboard: impact=low,public=20000901
Keywords: Security
Reported: 2005-05-26 20:26 UTC by Josh Bressers
Modified: 2007-11-30 22:06 UTC (History)
Last Closed: 2005-05-27 06:35:07 UTC


Description Josh Bressers 2005-05-26 20:26:22 UTC
+++ This bug was initially created as a clone of Bug #120147 +++

Back in 2000 it was reported that a malicious ssh server could cause
scp to write to arbitrary files outside of the current directory.
See:
http://cert.uni-stuttgart.de/archive/bugtraq/2000/09/msg00499.html

This is a valid behaviour of the rcp protocol.

The issue was rediscovered in Mar 2004 and discussed amongst OSS
vendors, with Markus Friedl from OpenBSD writing a proposed patch for
this issue but warning that it needed a lot of testing:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114
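
The following is an added example, not the OpenBSD patch linked above and not code from this bug report: a receiving-side check on rcp control records that accepts a filename only if it is a single component of the target directory. The function names `rcp_name_ok` and `rcp_record_ok` are hypothetical, records are assumed to have their trailing newline stripped, and the sample records are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A name is acceptable only if it is a single component of the target directory. */
static int rcp_name_ok(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Validate one control record (newline stripped) received from the remote side:
 * "C<mode> <size> <name>" file, "D<mode> 0 <name>" directory, "E" end of directory,
 * "T..." timestamps. Returns 1 to accept, 0 to reject. */
int rcp_record_ok(const char *rec)
{
    const char *p = rec + 1;
    char *end;

    if (rec[0] == 'E')
        return rec[1] == '\0';
    if (rec[0] == 'T')
        return 1;                       /* carries no filename; format not checked here */
    if (rec[0] != 'C' && rec[0] != 'D')
        return 0;
    for (int i = 0; i < 4; i++, p++)    /* mode: four octal digits */
        if (*p < '0' || *p > '7')
            return 0;
    if (*p++ != ' ' || *p < '0' || *p > '9')
        return 0;
    (void)strtoull(p, &end, 10);        /* size: decimal, value unused here */
    if (*end != ' ')
        return 0;
    return rcp_name_ok(end + 1);
}

int main(void)
{
    /* Constructed sample records, not captured traffic. */
    const char *samples[] = { "C0644 12 notes.txt", "C0644 12 ../outside.txt",
                              "C0644 12 /tmp/outside.txt", "D0755 0 ..", "E" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               rcp_record_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```
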

Comment 1 Tomas Mraz 2005-05-27 06:35:07 UTC

*** This bug has been marked as a duplicate of 146881 ***