Red Hat Bugzilla – Bug 418201
CVE-2007-6350 scponly: rsync, svn and unison support may be dangerous
Last modified: 2008-02-22 09:11:45 EST
Similar tricks can be played with rsync (create an rsyncd.conf with a
pre-xfer exec or post-xfer exec option; start a daemon, and connect to
it) and unison (provided that you can create files in ~/.unison, which
is quite likely).
rsync support disabled in devel since this is a security issue.
warren, I'd like to get your permission before pushing to other releases as it
would be a feature that is going away.
If you think that removing the feature for released distro versions would be
disruptive we could look at backporting the fixes talked about in the Debian bug
report. They don't close the hole for the svn case but they are supposed to
close it for rsync. (Might want to review it, though).
For rsync specifically, scponly is insecure only if you use a non-default option
in rsyncd.conf? You are clearly shooting yourself in the foot if you set those
(no opinion yet, need time to fully review the Debian bug)
AIUI, you can upload an rsyncd.conf file from your local machine using scponly.
Then, using the rsync passthrough feature of scponly start an rsync daemon that
uses the uploaded rsyncd.conf file. Since rsync has config options that let you
invoke a program, this lets the user escape the constraints of scponly.
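
Added example, not part of the bug report or of scponly: a Python check that flags the two exec options named in this thread in the text of an rsyncd.conf-format file, so files uploaded into restricted accounts can be audited. The function names and the sample input are constructed for illustration; folding case in option names is an assumption made to avoid missing variants.

```python
import re

# Options that run an external program (named in the thread), whitespace removed.
EXEC_OPTIONS = {"pre-xferexec", "post-xferexec"}


def logical_lines(text):
    """Yield (first_line_number, text) with backslash-continued lines joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        # Comment lines are never continued here, so a trailing backslash on a
        # comment cannot hide the option on the next line (conservative choice).
        if raw.endswith("\\") and not (buf + raw).lstrip().startswith("#"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf


def find_exec_options(text):
    """Return (line, module, option, command) for each exec hook in rsyncd.conf text."""
    findings, module = [], "global"
    for num, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            module = section.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        # Whitespace in parameter names is ignored; case is folded as well
        # (assumption, chosen so that spelling variants are not missed).
        if sep and re.sub(r"\s+", "", name).lower() in EXEC_OPTIONS:
            option = " ".join(name.split()).lower()
            findings.append((num, module, option, value.strip()))
    return findings


# Constructed sample input, not taken from the bug report.
SAMPLE = """\
[data]
    path = /home/user/data
    Pre-Xfer  Exec = /home/user/\\
hook.sh
"""
```

Running `find_exec_options` over every file a restricted account can write, not only files named rsyncd.conf, covers the case where the daemon is pointed at an arbitrary path.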
(In reply to comment #4)
> Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350
scponly 4.6 and earlier allows remote authenticated users to bypass intended
restrictions and execute code by invoking dangerous subcommands including (1)
unison, (2) rsync, and (3) svn , as originally demonstrated by creating a
Subversion (SVN) repository with malicious hooks, then using svn to trigger
execution of those hooks.
Fedora packages in F7 and F8 are only compiled to support rsync. unison and svn
compatibility is not enabled / compiled in.
Converting to Security Response bug.
scponly-4.6-10.fc8 has been submitted as an update for Fedora 8
scponly-4.6-10.fc7 has been submitted as an update for Fedora 7
scponly-4.6-10.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
scponly-4.6-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: