Description of problem: scp currently implements local-to-local copy by constructing a command line using 'cp' in a string and then using system(). Beside the fact the using system() is really always wrong (only lazy people use it) which has the added problem that the file name is exposed twice to shell expansion. The file name could contain characters which need quoting, like $ or spaces. This second expansion must be avoided. Version-Release number of selected component (if applicable): openssh-clients-4.2p1-1.x86_64 How reproducible: always Steps to Reproduce: 1.touch foo\ bar 2.mkdir somedir 3.scp foo\ bar somedir Actual results: cp: cannot stat `foo': No such file or directory cp: cannot stat `bar': No such file or directory Expected results: no message, file copied Additional info: I'll attach a patch. Upstream would probably not like it but it glibc is advanced enough to provide the necessary functions. There are also a few more places where I've seen TEMP_FAILURE_RETRY or equivalent code missing.
Created attachment 118749 [details] Use posix_spawnp instead of system
Created attachment 118770 [details] Patch to use posix_spawnp
Yes, this is a security issue. I spent some time looking at this today, and this distrubs me: bress@link:/tmp/josh% ls -l total 4 drwxrwxr-x 2 bress bress 4096 Sep 19 14:51 a -rw-rw-r-- 1 bress bress 0 Sep 19 14:51 `touch feh` bress@link:/tmp/josh% scp * a cp: omitting directory `a' cp: missing destination file Try `cp --help' for more information. zsh: exit 1 scp * a bress@link:/tmp/josh% ls -l total 4 drwxrwxr-x 2 bress bress 4096 Sep 19 14:51 a -rw-rw-r-- 1 bress bress 0 Sep 19 14:52 feh -rw-rw-r-- 1 bress bress 0 Sep 19 14:51 `touch feh` While I know most people don't use scp to move files around their local system, I do leave off the trailing : quite often.
Created attachment 119390 [details] This patch uses fork + exec instead of posix_spawnp This patch uses fork + exec instead of posix_spawnp and also fixes the remote to remote copy.
I'm reassigning this to FC5T1. Please be sure to update FC4 and FC3 if it is still supported when this update goes out.
The patch is in rawhide since openssh-4.2p1-2. I'll do the FC3 and FC4 updates soon.
From User-Agent: XML-RPC openssh-4.2p1-fc4.10 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
Fixed in FC5Test1 and FC4 updates.