Bug 168167 (CVE-2006-0225) - CVE-2006-0225 local to local copy uses shell expansion twice
Summary: CVE-2006-0225 local to local copy uses shell expansion twice
Status: CLOSED ERRATA
Alias: CVE-2006-0225
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard: impact=low,reported=20050913,public=2...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-09-13 04:41 UTC by Ulrich Drepper
Modified: 2018-08-15 22:43 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-23 17:07:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Use posix_spawnp instead of system (1 bytes, patch)
2005-09-13 04:41 UTC, Ulrich Drepper
no flags Details | Diff
Patch to use posix_spawnp (1.55 KB, patch)
2005-09-13 17:55 UTC, Ulrich Drepper
no flags Details | Diff
This patch uses fork + exec instead of posix_spawnp (4.37 KB, patch)
2005-09-28 20:51 UTC, Tomas Mraz
no flags Details | Diff

Description Ulrich Drepper 2005-09-13 04:41:52 UTC
Description of problem:
scp currently implements local-to-local copy by constructing a command line
using 'cp' in a string and then using system().  Beside the fact the using
system() is really always wrong (only lazy people use it) which has the added
problem that the file name is exposed twice to shell expansion.  The file name
could contain characters which need quoting, like $ or spaces.  This second
expansion must be avoided.

Version-Release number of selected component (if applicable):
openssh-clients-4.2p1-1.x86_64

How reproducible:
always

Steps to Reproduce:
1.touch foo\ bar
2.mkdir somedir
3.scp foo\ bar somedir
  
Actual results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory


Expected results:
no message, file copied

Additional info:
I'll attach a patch.  Upstream would probably not like it but it glibc is
advanced enough to provide the necessary functions.

There are also a few more places where I've seen TEMP_FAILURE_RETRY or
equivalent code missing.

Comment 1 Ulrich Drepper 2005-09-13 04:41:53 UTC
Created attachment 118749 [details]
Use posix_spawnp instead of system

Comment 4 Ulrich Drepper 2005-09-13 17:55:17 UTC
Created attachment 118770 [details]
Patch to use posix_spawnp

Comment 9 Josh Bressers 2005-09-19 19:53:42 UTC
Yes, this is a security issue.  I spent some time looking at this today, and
this distrubs me:

bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`
bress@link:/tmp/josh% scp * a
cp: omitting directory `a'
cp: missing destination file
Try `cp --help' for more information.
zsh: exit 1     scp * a
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x  2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r--  1 bress bress    0 Sep 19 14:52 feh
-rw-rw-r--  1 bress bress    0 Sep 19 14:51 `touch feh`


While I know most people don't use scp to move files around their local system,
I do leave off the trailing : quite often.

Comment 12 Tomas Mraz 2005-09-28 20:51:05 UTC
Created attachment 119390 [details]
This patch uses fork + exec instead of posix_spawnp

This patch uses fork + exec instead of posix_spawnp and also fixes the remote
to remote copy.

Comment 13 Josh Bressers 2005-11-23 20:54:35 UTC
I'm reassigning this to FC5T1.  Please be sure to update FC4 and FC3 if it is
still supported when this update goes out.

Comment 14 Tomas Mraz 2005-11-24 10:12:51 UTC
The patch is in rawhide since openssh-4.2p1-2. I'll do the FC3 and FC4 updates soon.


Comment 15 Fedora Update System 2006-01-23 17:04:59 UTC
From User-Agent: XML-RPC

openssh-4.2p1-fc4.10 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 16 Tomas Mraz 2006-01-23 17:07:22 UTC
Fixed in FC5Test1 and FC4 updates.



Note You need to log in before you can comment on or make changes to this bug.