author | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-22 00:39:53 -0600 |
---|---|---|
committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-22 00:40:29 -0600 |
commit | babf657f3b1af2b2bc8c17e392d250759cc8b2c9 (patch) | |
tree | ae8aad35708a66e2888a22de925f8eee1bad3aba | |
parent | bb2f44d691df9ccb424ed21c1f6325dcccb87e40 (diff) |
-rw-r--r-- | main/rssh/APKBUILD | 21 | ||||
-rw-r--r-- | main/rssh/check-command-line-after-chroot.patch | 30 | ||||
-rw-r--r-- | main/rssh/verify-scp-options.patch | 89 |
3 files changed, 136 insertions, 4 deletions
diff --git a/main/rssh/APKBUILD b/main/rssh/APKBUILD
index 4be25a4140f..7e1d00f4d81 100644
--- a/main/rssh/APKBUILD
+++ b/main/rssh/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 pkgname=rssh
 pkgver=2.3.4
-pkgrel=1
+pkgrel=2
 pkgdesc="Restricted shell for use with OpenSSH, allowing only scp, sftp, and/or rsync"
 url="http://www.pizzashack.org/rssh/"
 arch="all"
@@ -14,9 +14,18 @@ subpackages="$pkgname-doc"
 source="https://prdownloads.sourceforge.net/rssh/rssh-$pkgver.tar.gz
 makefile.patch
 fix-error-message-for-invalid-option.patch
- handle-rsync-v3-e-option.patch"
+ handle-rsync-v3-e-option.patch
+ verify-scp-options.patch
+ check-command-line-after-chroot.patch"
 options="suid"
 
+# secfixes:
+# 2.3.4-r2:
+# - CVE-2019-3463
+# - CVE-2019-1000018
+# 2.3.4-r1:
+# - CVE-2019-3464
+
 build() {
 ./configure \
 --build=$CBUILD \
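Review bot: The `# secfixes:` block records CVE-2019-3463 as fixed in 2.3.4-r2, but neither patch added to `source=` in this hunk describes that issue: verify-scp-options.patch is about scp option validation and check-command-line-after-chroot.patch about repeating the command-line check inside the chroot. As far as I recall, CVE-2019-3463 concerns rsync argument sanitization, so it is worth confirming which patch actually carries that fix; vulnerability scanners treat secfixes as authoritative, and a wrong entry would report a still-affected package as patched. A comment above `source=` naming the patch per CVE would make the mapping auditable, for example `# verify-scp-options.patch: CVE-2019-1000018`, if that is the intended pairing.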
@@ -33,7 +42,11 @@ package() {
 make DESTDIR="$pkgdir" install
 }
 
-sha512sums="c1a77abdf4abe5f936fb1c9c008fc81fabf7b624d69ed31fe2ae5619dfa4a79f1d4a4f2daa5291a36d40353fa2168e74e5ba61294230d702fcdc88ae0d520487 rssh-2.3.4.tar.gz
+sha512sums="
+c1a77abdf4abe5f936fb1c9c008fc81fabf7b624d69ed31fe2ae5619dfa4a79f1d4a4f2daa5291a36d40353fa2168e74e5ba61294230d702fcdc88ae0d520487 rssh-2.3.4.tar.gz
 7b1120b47a1c5d251f002d4196ffac66bcc4518b34284831932d7ef0aae839777c8188cb2addacb57241b6208c03c5b14f1845a50bb5b72461f80a7f943ef051 makefile.patch
 abad4a707f7851c60549d6073c331a4a2b47bdcf97956d5cbad3af9bcb83d6ad33694ac3270df5c7df6ec709026e0253c49024fa20a33a453524547031df77aa fix-error-message-for-invalid-option.patch
-942dd8e0495cf13bbb679332cab6c1781560e32ade0905527fe71e5399f930edfe0c442653deb218a182b11e49599c3bd78d0fc715de45cf9aa078e6a586b9c7 handle-rsync-v3-e-option.patch"
+942dd8e0495cf13bbb679332cab6c1781560e32ade0905527fe71e5399f930edfe0c442653deb218a182b11e49599c3bd78d0fc715de45cf9aa078e6a586b9c7 handle-rsync-v3-e-option.patch
+1be9e3be58e44359e51ad16e10fa3674bf322059131a93ed44487f0fefa89130806f7851d725e20eeff5af40f5b5558ca471ab5eba932a8ce654b25845a7328e verify-scp-options.patch
+d4d8518b109c6d2d99a8c9a3a49f4df1b29e621f9826e80c599aa2c991ca9c4b6fe683d2475da7935e375e5049a8c33e8dd9019e83ed2111804bba02e03c6f48 check-command-line-after-chroot.patch
+"
diff --git a/main/rssh/check-command-line-after-chroot.patch b/main/rssh/check-command-line-after-chroot.patch
new file mode 100644
index 00000000000..8ef515d4756
--- /dev/null
+++ b/main/rssh/check-command-line-after-chroot.patch
@@ -0,0 +1,30 @@
+From: Russ Allbery <rra@debian.org>
+Date: Mon, 28 Jan 2019 20:15:30 -0800
+Subject: Check command line after chroot
+
+When a command was configured with a chroot, rssh did not check
+the safety of the command line after chroot, allowing various
+vectors of remote code execution inside the chroot environment.
+Perform the same check after chroot as is performed before running
+the command when a chroot is not configured.
+---
+ rssh_chroot_helper.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rssh_chroot_helper.c b/rssh_chroot_helper.c
+index 8a35cdc..73d8c7b 100644
+--- a/rssh_chroot_helper.c
++++ b/rssh_chroot_helper.c
+@@ -218,6 +218,12 @@ int main( int argc, char **argv )
+ ch_fatal_error("build_arg_vector()", argv[2],
+ "bad expansion");
+
++ /* check the command for safety */
++ if ( !check_command_line(argvec, &opts) ){
++ fprintf(stderr, "\n");
++ exit(1);
++ }
++
+ /*
+ * This is the old way to figure out what program to run. Since we're
+ * re-parsing the config file in rssh_chroot helper, we could get rid
diff --git a/main/rssh/verify-scp-options.patch b/main/rssh/verify-scp-options.patch
new file mode 100644
index 00000000000..3b256966b8a
--- /dev/null
+++ b/main/rssh/verify-scp-options.patch
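Review bot: The check added to main() in rssh_chroot_helper.c tests the result of check_command_line() only for NULL and discards the path it returns, while the context comment just below ("This is the old way to figure out what program to run") suggests the helper then selects the binary by a separate route. That code lies outside the hunk, so I cannot confirm it, but the command that was validated and the command that is executed should be the same value. The rejection path also prints only `"\n"` and exits, relying on check_command_line() to have reported the reason; the neighbouring failure uses `ch_fatal_error("build_arg_vector()", argv[2], "bad expansion");`, and the same form here, `ch_fatal_error("check_command_line()", argv[2], "command not allowed");`, would keep the helper's error reporting uniform, assuming ch_fatal_error reports and exits as its use here implies.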
@@ -0,0 +1,89 @@
+From: Russ Allbery <rra@debian.org>
+Date: Thu, 17 Jan 2019 19:21:40 -0800
+Subject: Verify scp command options
+
+ESnet discovered a security vulnerability in the scp backend for
+rssh. Since the arguments to scp on the server side were not
+checked, the client could pass in arbitrary scp command-line flags,
+including setting arbitrary scp options. This allows setting the
+option PKCS11Provider, which loads and executes code from a shared
+module.
+
+Even if the -o flag is blocked, this is still possible via -F to
+load an already-uploaded ssh configuration file, or, if .ssh/config
+is writable, by just uploading that configuration file directly
+first.
+
+Attempt to protect against this attack by checking the command line
+of scp and only allowing the options that are passed to the server
+end of the connection. Require either -f or -t be given, which
+disables scp's attempts to connect to a remote host. Allow these as
+-pf and -pt, which are sent by libssh2.
+
+Debian Bug#919623
+---
+ util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/util.c b/util.c
+index dc8c8fb..4203eac 100644
+--- a/util.c
++++ b/util.c
+@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
+ }
+
+
++/*
++ * scp_okay() - take the command line and check that it is a hopefully-safe scp
++ * server command line, accepting only very specific options.
++ * Returns FALSE if the command line should not be allowed, TRUE
++ * if it is okay.
++ */
++static int scp_okay( char **vec )
++{
++ int saw_f_or_t = FALSE;
++
++ for ( vec++; vec && *vec; vec++ ){
++ /* Allowed options. */
++ if ( strcmp(*vec, "-v") == 0 ) continue;
++ if ( strcmp(*vec, "-r") == 0 ) continue;
++ if ( strcmp(*vec, "-p") == 0 ) continue;
++ if ( strcmp(*vec, "-d") == 0 ) continue;
++ if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
++ }
++ if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
++ }
++
++ /* End of arguments. */
++ if ( strcmp(*vec, "--") == 0 ) break;
++
++ /* Any other argument is not allowed. */
++ if ( *vec[0] == '-' ) return FALSE;
++ }
++
++ /* Either -f or -t must have been given. */
++ return saw_f_or_t;
++}
++
++
+ /*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+ return PATH_SFTP_SERVER;
+
+ if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
+- /* filter -S option */
+- if ( opt_filter(cl, 'S') ) return NULL;
++ if ( !scp_okay(cl) ){
++ fprintf(stderr, "\ninsecure scp option not allowed.");
++ log_msg("insecure scp option in scp command line");
++ return NULL;
++ }
+ return PATH_SCP;
+ }
+
|
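Review bot: In scp_okay() the rejection test `if ( *vec[0] == '-' ) return FALSE;` parses as `*(vec[0])`, which yields the intended first character only because the index is 0; `if ( (*vec)[0] == '-' ) return FALSE;` says what is meant and survives later edits. The loop header `for ( vec++; vec && *vec; vec++ )` increments before it tests, so the `vec &&` half can never catch a NULL argument vector; if that guard matters it belongs before the loop, as `if ( !vec || !*vec ) return FALSE;`. The function comment should also state that the allowlist compares whole arguments, so clustered options other than `-pf` and `-pt` (for example `-rt`) are rejected on purpose and the check fails closed. In check_command_line() the new stderr message has no trailing newline; that function's body continues outside the hunk.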