authorAriadne Conill <ariadne@dereferenced.org>2021-06-22 00:39:53 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-06-22 00:40:29 -0600
commitbabf657f3b1af2b2bc8c17e392d250759cc8b2c9 (patch)
treeae8aad35708a66e2888a22de925f8eee1bad3aba
parentbb2f44d691df9ccb424ed21c1f6325dcccb87e40 (diff)
main/rssh: add mitigations for CVE-2019-3463 and CVE-2019-1000018, secfixes data for CVE-2019-3464
-rw-r--r--main/rssh/APKBUILD21
-rw-r--r--main/rssh/check-command-line-after-chroot.patch30
-rw-r--r--main/rssh/verify-scp-options.patch89
3 files changed, 136 insertions, 4 deletions
diff --git a/main/rssh/APKBUILD b/main/rssh/APKBUILD
index 4be25a4140f..7e1d00f4d81 100644
--- a/main/rssh/APKBUILD
+++ b/main/rssh/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=rssh
pkgver=2.3.4
-pkgrel=1
+pkgrel=2
pkgdesc="Restricted shell for use with OpenSSH, allowing only scp, sftp, and/or rsync"
url="http://www.pizzashack.org/rssh/"
arch="all"
@@ -14,9 +14,18 @@ subpackages="$pkgname-doc"
source="https://prdownloads.sourceforge.net/rssh/rssh-$pkgver.tar.gz
makefile.patch
fix-error-message-for-invalid-option.patch
- handle-rsync-v3-e-option.patch"
+ handle-rsync-v3-e-option.patch
+ verify-scp-options.patch
+ check-command-line-after-chroot.patch"
options="suid"
+# secfixes:
+# 2.3.4-r2:
+# - CVE-2019-3463
+# - CVE-2019-1000018
+# 2.3.4-r1:
+# - CVE-2019-3464
+
build() {
./configure \
--build=$CBUILD \
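Review bot: The added secfixes block lists three CVE identifiers, but nothing in this hunk ties any of them to a patch in `source=`, and CVE-2019-3464 is attributed to 2.3.4-r1 although no r1 change is visible here. Scanners read secfixes data to decide that a version is no longer affected, so an entry that cannot be traced to a patch can hide a real finding. I would add a comment line per entry naming the patch that carries the fix, for example `# CVE-2019-1000018: verify-scp-options.patch (presumably; confirm against the advisory)` and `# CVE-2019-3464: <patch name>`. Neither patch description on this page names a CVE, so the mapping should be confirmed before it is recorded.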
@@ -33,7 +42,11 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="c1a77abdf4abe5f936fb1c9c008fc81fabf7b624d69ed31fe2ae5619dfa4a79f1d4a4f2daa5291a36d40353fa2168e74e5ba61294230d702fcdc88ae0d520487 rssh-2.3.4.tar.gz
+sha512sums="
+c1a77abdf4abe5f936fb1c9c008fc81fabf7b624d69ed31fe2ae5619dfa4a79f1d4a4f2daa5291a36d40353fa2168e74e5ba61294230d702fcdc88ae0d520487 rssh-2.3.4.tar.gz
7b1120b47a1c5d251f002d4196ffac66bcc4518b34284831932d7ef0aae839777c8188cb2addacb57241b6208c03c5b14f1845a50bb5b72461f80a7f943ef051 makefile.patch
abad4a707f7851c60549d6073c331a4a2b47bdcf97956d5cbad3af9bcb83d6ad33694ac3270df5c7df6ec709026e0253c49024fa20a33a453524547031df77aa fix-error-message-for-invalid-option.patch
-942dd8e0495cf13bbb679332cab6c1781560e32ade0905527fe71e5399f930edfe0c442653deb218a182b11e49599c3bd78d0fc715de45cf9aa078e6a586b9c7 handle-rsync-v3-e-option.patch"
+942dd8e0495cf13bbb679332cab6c1781560e32ade0905527fe71e5399f930edfe0c442653deb218a182b11e49599c3bd78d0fc715de45cf9aa078e6a586b9c7 handle-rsync-v3-e-option.patch
+1be9e3be58e44359e51ad16e10fa3674bf322059131a93ed44487f0fefa89130806f7851d725e20eeff5af40f5b5558ca471ab5eba932a8ce654b25845a7328e verify-scp-options.patch
+d4d8518b109c6d2d99a8c9a3a49f4df1b29e621f9826e80c599aa2c991ca9c4b6fe683d2475da7935e375e5049a8c33e8dd9019e83ed2111804bba02e03c6f48 check-command-line-after-chroot.patch
+"
diff --git a/main/rssh/check-command-line-after-chroot.patch b/main/rssh/check-command-line-after-chroot.patch
new file mode 100644
index 00000000000..8ef515d4756
--- /dev/null
+++ b/main/rssh/check-command-line-after-chroot.patch
@@ -0,0 +1,30 @@
+From: Russ Allbery <rra@debian.org>
+Date: Mon, 28 Jan 2019 20:15:30 -0800
+Subject: Check command line after chroot
+
+When a command was configured with a chroot, rssh did not check
+the safety of the command line after chroot, allowing various
+vectors of remote code execution inside the chroot environment.
+Perform the same check after chroot as is performed before running
+the command when a chroot is not configured.
+---
+ rssh_chroot_helper.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rssh_chroot_helper.c b/rssh_chroot_helper.c
+index 8a35cdc..73d8c7b 100644
+--- a/rssh_chroot_helper.c
++++ b/rssh_chroot_helper.c
+@@ -218,6 +218,12 @@ int main( int argc, char **argv )
+ ch_fatal_error("build_arg_vector()", argv[2],
+ "bad expansion");
+
++ /* check the command for safety */
++ if ( !check_command_line(argvec, &opts) ){
++ fprintf(stderr, "\n");
++ exit(1);
++ }
++
+ /*
+ * This is the old way to figure out what program to run. Since we're
+ * re-parsing the config file in rssh_chroot helper, we could get rid
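Review bot: The value returned by check_command_line() is only tested for NULL in the added block and then dropped, while the comment right after it says the program to run is still worked out "the old way". That selection code is outside this hunk, so it cannot be confirmed here that the binary executed is the one the check approved. Keeping the returned path and refusing to continue when it differs from the path chosen below would remove the doubt, with a comment such as `/* the path approved by check_command_line() must match the program executed below */`. The refusal branch also writes only `"\n"` to stderr before `exit(1)`, unlike the `ch_fatal_error(...)` call just above it, so unless check_command_line() logs every rejection itself, a command refused inside the chroot may leave no record. main() begins and ends outside the hunk.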
diff --git a/main/rssh/verify-scp-options.patch b/main/rssh/verify-scp-options.patch
new file mode 100644
index 00000000000..3b256966b8a
--- /dev/null
+++ b/main/rssh/verify-scp-options.patch
@@ -0,0 +1,89 @@
+From: Russ Allbery <rra@debian.org>
+Date: Thu, 17 Jan 2019 19:21:40 -0800
+Subject: Verify scp command options
+
+ESnet discovered a security vulnerability in the scp backend for
+rssh. Since the arguments to scp on the server side were not
+checked, the client could pass in arbitrary scp command-line flags,
+including setting arbitrary scp options. This allows setting the
+option PKCS11Provider, which loads and executes code from a shared
+module.
+
+Even if the -o flag is blocked, this is still possible via -F to
+load an already-uploaded ssh configuration file, or, if .ssh/config
+is writable, by just uploading that configuration file directly
+first.
+
+Attempt to protect against this attack by checking the command line
+of scp and only allowing the options that are passed to the server
+end of the connection. Require either -f or -t be given, which
+disables scp's attempts to connect to a remote host. Allow these as
+-pf and -pt, which are sent by libssh2.
+
+Debian Bug#919623
+---
+ util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/util.c b/util.c
+index dc8c8fb..4203eac 100644
+--- a/util.c
++++ b/util.c
+@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
+ }
+
+
++/*
++ * scp_okay() - take the command line and check that it is a hopefully-safe scp
++ * server command line, accepting only very specific options.
++ * Returns FALSE if the command line should not be allowed, TRUE
++ * if it is okay.
++ */
++static int scp_okay( char **vec )
++{
++ int saw_f_or_t = FALSE;
++
++ for ( vec++; vec && *vec; vec++ ){
++ /* Allowed options. */
++ if ( strcmp(*vec, "-v") == 0 ) continue;
++ if ( strcmp(*vec, "-r") == 0 ) continue;
++ if ( strcmp(*vec, "-p") == 0 ) continue;
++ if ( strcmp(*vec, "-d") == 0 ) continue;
++ if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
++ }
++ if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
++ }
++
++ /* End of arguments. */
++ if ( strcmp(*vec, "--") == 0 ) break;
++
++ /* Any other argument is not allowed. */
++ if ( *vec[0] == '-' ) return FALSE;
++ }
++
++ /* Either -f or -t must have been given. */
++ return saw_f_or_t;
++}
++
++
+ /*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+ return PATH_SFTP_SERVER;
+
+ if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
+- /* filter -S option */
+- if ( opt_filter(cl, 'S') ) return NULL;
++ if ( !scp_okay(cl) ){
++ fprintf(stderr, "\ninsecure scp option not allowed.");
++ log_msg("insecure scp option in scp command line");
++ return NULL;
++ }
+ return PATH_SCP;
+ }
+
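Review bot: In scp_okay() the rejection test `if ( *vec[0] == '-' ) return FALSE;` looks as if it dereferences the vector first, but `*vec[0]` parses as `*(vec[0])`, the first character of the current argument. Since this line denies everything outside the allowlist, I would write it as `if ( (*vec)[0] == '-' ) return FALSE;` so the intent is explicit. Options are also matched whole, so any combined cluster other than `-pf`/`-pt` is refused; a comment such as `/* options are matched whole; only -pf and -pt are accepted as clusters */` would record that this is deliberate. In the check_command_line() hunk the `log_msg("insecure scp option in scp command line")` text does not say which argument was refused, which limits its use when triaging refused commands.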