Bug 418201 (CVE-2007-6350) - CVE-2007-6350 scponly: rsync, svn and unison support may be dangerous
Summary: CVE-2007-6350 scponly: rsync, svn and unison support may be dangerous
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6350
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Warren Togami
QA Contact: Fedora Extras Quality Assurance
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Depends On: 429731 429732
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-10 15:36 UTC by Lubomir Kundrak
Modified: 2019-09-29 12:22 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-22 14:11:45 UTC
Embargoed:

Attachments (Terms of Use)

Description Lubomir Kundrak 2007-12-10 15:36:50 UTC 
[snip]
Similar tricks can be played with rsync (create an rsyncd.conf with a
pre-xfer exec or post-xfer exec option; start a daemon, and connect to
it) and unison (provided that you can create files in ~/.unison, which
is quite likely).
[snip]

Additional information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
Comment 1 Toshio Ernie Kuratomi 2007-12-11 20:14:57 UTC 
rsync support disabled in devel since this is a security issue.

warren, I'd like to get your permission before pushing to other releases as it
would be a feature that is going away.

If you think that removing the feature for released distro versions would be
disruptive we could look at backporting the fixes talked about in the Debian bug
report.  They don't close the hole for the svn case but they are supposed to
close it for rsync.  (Might want to review it, though).
Comment 2 Warren Togami 2007-12-11 21:07:17 UTC 
For rsync specifically, scponly is insecure only if you use a non-default option
in rsyncd.conf?  You are clearly shooting yourself in the foot if you set those
options.

(no opinion yet, need time to fully review the Debian bug)
Comment 3 Toshio Ernie Kuratomi 2007-12-11 21:44:34 UTC 
AIUI, you can upload an rsyncd.conf file from your local machine using scponly.
 Then, using the rsync passthrough feature of scponly start an rsync daemon that
uses the uploaded rsyncd.conf file.  Since rsync has config options that let you
invoke a program, this lets the user escape the constraints of scponly.
Comment 4 Kevin Fenzi 2007-12-15 01:27:16 UTC 
Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350
Comment 5 Tomas Hoger 2007-12-17 10:40:06 UTC 
(In reply to comment #4)
> Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350

scponly 4.6 and earlier allows remote authenticated users to bypass intended
restrictions and execute code by invoking dangerous subcommands including (1)
unison, (2) rsync, and (3) svn , as originally demonstrated by creating a
Subversion (SVN) repository with malicious hooks, then using svn to trigger
execution of those hooks.


Fedora packages in F7 and F8 are only compiled to support rsync.  unison and svn
compatibility is not enabled / compiled in.
Comment 6 Tomas Hoger 2007-12-17 10:43:16 UTC 
Converting to Security Response bug.
Comment 8 Fedora Update System 2008-02-13 21:12:03 UTC 
scponly-4.6-10.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-02-13 21:14:20 UTC 
scponly-4.6-10.fc7 has been submitted as an update for Fedora 7
Comment 10 Fedora Update System 2008-02-16 02:08:57 UTC 
scponly-4.6-10.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-02-16 02:14:38 UTC 
scponly-4.6-10.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Red Hat Product Security 2008-02-22 14:11:45 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1728
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1743
Note You need to log in before you can comment on or make changes to this bug.