Bug 440268 - (CVE-2008-1657) CVE-2008-1657 openssh: commands in ~/.ssh/rc override ForceCommand directive
CVE-2008-1657 openssh: commands in ~/.ssh/rc override ForceCommand directive
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=gentoo,reported=20080401,publi...
: Security
Depends On: 280461 440375 440376
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-02 11:34 EDT by Tomas Hoger
Modified: 2010-12-23 11:54 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 11:54:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-04-02 11:34:40 EDT
OpenSSH version 4.9 fixed an issue that allowed local users with write access to
their ~/.ssh/rc file to override administratively set ForceCommand, possibly
bypassing intended security restrictions.

References:
http://marc.info/?l=openssh-unix-dev&m=120692745026265&w=2
http://secunia.com/advisories/29602/
http://openbsd.org/errata43.html#001_openssh
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/001_openssh.patch
Comment 1 Tomas Mraz 2008-04-02 12:12:20 EDT
Affects only F7, F8 & Rawhide.
Comment 2 Tomas Hoger 2008-04-03 03:11:11 EDT
Tomas is obviously right.  ForceCommand directive was introduced in OpenSSH
version 4.4 (http://openssh.org/txt/release-4.4):

Changes since OpenSSH 4.3:
============================

[...]

 * Added a "ForceCommand" directive to sshd_config(5). Similar to the
   command="..." option accepted in ~/.ssh/authorized_keys, this forces
   the execution of the specified command regardless of what the user
   requested. This is very useful in conjunction with the new "Match"
   option.

Therefore, this issue did not affect versions of openssh packages as shipped
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

Note You need to log in before you can comment on or make changes to this bug.