Bug 418201 - (CVE-2007-6350) CVE-2007-6350 scponly: rsync, svn and unison support may be dangerous
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity high
Assigned To: Warren Togami
Fedora Extras Quality Assurance
http://bugs.debian.org/cgi-bin/bugrep...
source=debian,reported=20071012,publi...
: Security
Depends On: 429731 429732
Reported: 2007-12-10 10:36 EST by Lubomir Kundrak
Modified: 2008-02-22 09:11 EST
Doc Type: Bug Fix
Last Closed: 2008-02-22 09:11:45 EST
Description Lubomir Kundrak 2007-12-10 10:36:50 EST
[snip]
Similar tricks can be played with rsync (create an rsyncd.conf with a
pre-xfer exec or post-xfer exec option; start a daemon, and connect to
it) and unison (provided that you can create files in ~/.unison, which
is quite likely).
[snip]

Additional information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
Comment 1 Toshio Ernie Kuratomi 2007-12-11 15:14:57 EST
rsync support disabled in devel since this is a security issue.

Warren, I'd like to get your permission before pushing to other releases as it
would be a feature that is going away.

If you think that removing the feature for released distro versions would be
disruptive we could look at backporting the fixes talked about in the Debian bug
report.  They don't close the hole for the svn case but they are supposed to
close it for rsync.  (Might want to review it, though).
Comment 2 Warren Togami 2007-12-11 16:07:17 EST
For rsync specifically, scponly is insecure only if you use a non-default option
in rsyncd.conf?  You are clearly shooting yourself in the foot if you set those
options.

(no opinion yet, need time to fully review the Debian bug)
Comment 3 Toshio Ernie Kuratomi 2007-12-11 16:44:34 EST
AIUI, you can upload an rsyncd.conf file from your local machine using scponly.
Then, using the rsync passthrough feature of scponly start an rsync daemon that
uses the uploaded rsyncd.conf file.  Since rsync has config options that let you
invoke a program, this lets the user escape the constraints of scponly.
Comment 4 Kevin Fenzi 2007-12-14 20:27:16 EST
Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350
Comment 5 Tomas Hoger 2007-12-17 05:40:06 EST
(In reply to comment #4)
> Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350

scponly 4.6 and earlier allows remote authenticated users to bypass intended
restrictions and execute code by invoking dangerous subcommands including (1)
unison, (2) rsync, and (3) svn, as originally demonstrated by creating a
Subversion (SVN) repository with malicious hooks, then using svn to trigger
execution of those hooks.


Fedora packages in F7 and F8 are only compiled to support rsync.  unison and svn
compatibility is not enabled / compiled in.
Comment 6 Tomas Hoger 2007-12-17 05:43:16 EST
Converting to Security Response bug.
Comment 8 Fedora Update System 2008-02-13 16:12:03 EST
scponly-4.6-10.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-02-13 16:14:20 EST
scponly-4.6-10.fc7 has been submitted as an update for Fedora 7
Comment 10 Fedora Update System 2008-02-15 21:08:57 EST
scponly-4.6-10.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-02-15 21:14:38 EST
scponly-4.6-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Red Hat Product Security 2008-02-22 09:11:45 EST
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1728
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1743
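
A defender-side audit for the three vectors discussed in this bug (rsync `pre-xfer exec` / `post-xfer exec` settings, Subversion repository hooks, and files under `~/.unison`), as an added example that is not part of the original report or of scponly. The names `audit_home`, `has_rsync_exec`, `demo` and `SAMPLE` are hypothetical; it assumes read access to the whole home directory and checks every regular file, since an uploaded config need not be named rsyncd.conf.

```python
import os
import re
import tempfile

# Names from the bug report, matched with whitespace removed and case folded.
RSYNC_EXEC = {"pre-xferexec", "post-xferexec"}
# Constructed sample tree (relative path -> content), not from a real system.
SAMPLE = {"up.conf": "[m]\npath = /tmp\nPre-Xfer  Exec = /bin/true\n",
          "notes.txt": "# pre-xfer exec = off\n", "repo/format": "5\n",
          "repo/db/fs-type": "fsfs\n", "repo/hooks/post-commit": "",
          "repo/hooks/post-commit.tmpl": "", ".unison/default.prf": ""}

def has_rsync_exec(path):
    """True if a regular file sets pre-xfer exec or post-xfer exec."""
    if not os.path.isfile(path):  # skip FIFOs, sockets, dangling symlinks
        return False
    with open(path, errors="replace") as fh:
        for line in fh:
            name, sep, _ = line.strip().partition("=")
            if sep and re.sub(r"\s+", "", name).lower() in RSYNC_EXEC:
                return True
    return False

def audit_home(home):
    """Sorted (kind, relative path) findings under a restricted account's home."""
    found = set()
    for root, _dirs, files in os.walk(home):
        repo, leaf = os.path.split(root)  # svn layout: hooks/ sits beside db/
        in_hooks = leaf == "hooks" and os.path.isdir(os.path.join(repo, "db"))
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), home)
            if rel.split(os.sep)[0] == ".unison":
                found.add(("unison-file", rel))
            if in_hooks and not name.endswith(".tmpl"):
                found.add(("svn-hook", rel))
            if has_rsync_exec(os.path.join(root, name)):
                found.add(("rsync-exec", rel))
    return sorted(found)

def demo():
    """Build SAMPLE in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as home:
        for rel, body in SAMPLE.items():
            os.makedirs(os.path.dirname(os.path.join(home, rel)), exist_ok=True)
            with open(os.path.join(home, rel), "w") as fh:
                fh.write(body)
        return audit_home(home)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Commented-out settings and `.tmpl` hook templates are not reported; any hit is a prompt for manual review of that account, not proof of misuse.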

