diff -Nru rssh-2.3.4/debian/changelog rssh-2.3.4/debian/changelog
--- rssh-2.3.4/debian/changelog 2019-02-07 22:18:02.000000000 +0000
+++ rssh-2.3.4/debian/changelog 2019-02-12 01:25:14.000000000 +0000
@@ -1,3 +1,15 @@
+rssh (2.3.4-4+deb8u2ubuntu0.14.04.1) trusty-security; urgency=medium
+
+ * SECURITY REGRESSION: The fix for the scp security vulnerability
+ in 2.3.4-4+deb8u2build0.14.04.1 introduced a regression that
+ blocked scp of multiple files from a server using rssh. Based on
+ further analysis of scp's command-line parsing, relax the check
+ to require the server command contain -f or -t, which should
+ deactivate scp's support for remote files. (Closes: #921655)
+ - Merged from Debian, thanks to Russ Allbery for the patch.
+
+ -- Steve Beattie Mon, 11 Feb 2019 17:24:20 -0800
+
 rssh (2.3.4-4+deb8u2build0.14.04.1) trusty-security; urgency=medium
 
 * fake sync from Debian
diff -Nru rssh-2.3.4/debian/control rssh-2.3.4/debian/control
--- rssh-2.3.4/debian/control 2019-02-02 04:28:01.000000000 +0000
+++ rssh-2.3.4/debian/control 2019-02-12 01:24:04.000000000 +0000
@@ -1,7 +1,8 @@
 Source: rssh
 Section: net
 Priority: optional
-Maintainer: Russ Allbery
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Russ Allbery
 Build-Depends: debhelper (>= 9), dh-autoreconf
 Standards-Version: 3.9.5
 Homepage: http://www.pizzashack.org/rssh/
diff -Nru rssh-2.3.4/debian/NEWS rssh-2.3.4/debian/NEWS
--- rssh-2.3.4/debian/NEWS 2019-02-02 04:28:01.000000000 +0000
+++ rssh-2.3.4/debian/NEWS 2019-02-12 01:43:23.000000000 +0000
@@ -1,3 +1,27 @@
+rssh (2.3.4-4+deb8u2ubuntu0.14.04.1) trusty-security; urgency=medium
+
+ [ Russ Allbery ]
+ scp and rsync command verification have been made stricter to try to
+ prevent ways of running arbitrary code on the server via ssh
+ configuration options. As a side effect, this will break scp -3 to an
+ account using rssh, and will disallow using rssh to run arbitrary scp
+ and rsync commands on the server. Only the server end of an scp or
+ rsync command should now be allowed.
+
+ THE CVS SUPPORT IN RSSH IS PROBABLY NOT SECURE, as is already documented
+ in the manual page. While no variation of this attack for cvs is
+ currently known, cvs has many options and commands and the small amount
+ of filtering rssh does is probably not sufficient. Use the cvs support
+ at your own risk.
+
+ The approach rssh takes to try to restrict commands is fragile,
+ regularly broken by new features in the commands it tries to wrap, and
+ probably has additional bugs. It is no longer supported upstream and
+ will likely be removed from future versions of Debian. Please consider
+ switching to another security approach.
+
+ -- Steve Beattie Mon, 11 Feb 2019 16:45:15 -0800
+
 rssh (2.3.2-9) unstable; urgency=low
 
 This version of the rssh package adds support for Subversion by adding
diff -Nru rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch
--- rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch 2019-02-02 04:28:01.000000000 +0000
+++ rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch 2019-02-12 01:24:04.000000000 +0000
@@ -16,21 +16,19 @@
 
 Attempt to protect against this attack by checking the command line
 of scp and only allowing the options that are passed to the server
-end of the connection. Specifically, do not allow multiple
-non-option arguments, which attempts to prevent causing the server
-to initiate an scp command. (This will break scp -3 through rssh,
-which seems like an acceptable tradeoff.)
+end of the connection. Require either -f or -t be given, which
+disables scp's attempts to connect to a remote host.
 
 Debian Bug#919623
 ---
- util.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 44 insertions(+), 2 deletions(-)
+ util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
 
 diff --git a/util.c b/util.c
-index dc8c8fb..60b8ff6 100644
+index dc8c8fb..71e54a5 100644
 --- a/util.c
 +++ b/util.c
-@@ -266,6 +266,45 @@ static int rsync_okay( char **vec )
+@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
 }
 
 
@@ -42,41 +40,39 @@
 + */
 +static int scp_okay( char **vec )
 +{
-+ int saw_file = FALSE;
-+ int saw_end = FALSE;
++ int saw_f_or_t = FALSE;
 +
 + for ( vec++; vec && *vec; vec++ ){
 + /* Allowed options. */
-+ if ( !saw_end ) {
-+ if ( strcmp(*vec, "-v") == 0 ) continue;
-+ if ( strcmp(*vec, "-r") == 0 ) continue;
-+ if ( strcmp(*vec, "-p") == 0 ) continue;
-+ if ( strcmp(*vec, "-d") == 0 ) continue;
-+ if ( strcmp(*vec, "-f") == 0 ) continue;
-+ if ( strcmp(*vec, "-t") == 0 ) continue;
++ if ( strcmp(*vec, "-v") == 0 ) continue;
++ if ( strcmp(*vec, "-r") == 0 ) continue;
++ if ( strcmp(*vec, "-p") == 0 ) continue;
++ if ( strcmp(*vec, "-d") == 0 ) continue;
++ if ( strcmp(*vec, "-f") == 0 ){
++ saw_f_or_t = TRUE;
++ continue;
 + }
-+
-+ /* End of arguments. One more argument allowed after this. */
-+ if ( !saw_end && strcmp(*vec, "--") == 0 ){
-+ saw_end = TRUE;
++ if ( strcmp(*vec, "-t") == 0 ){
++ saw_f_or_t = TRUE;
 + continue;
 + }
 +
-+ /* No other options allowed, but allow file starting with -. */
-+ if ( *vec[0] == '-' && !saw_end ) return FALSE;
-+ if ( saw_file ) return FALSE;
-+ saw_file = TRUE;
++ /* End of arguments. */
++ if ( strcmp(*vec, "--") == 0 ) break;
++
++ /* Any other argument is not allowed. */
++ if ( *vec[0] == '-' ) return FALSE;
 + }
 +
-+ /* We must have seen a single file. */
-+ return saw_file;
++ /* Either -f or -t must have been given. */
++ return saw_f_or_t;
 +}
 +
 +
 /*
 * check_command_line() - take the command line passed to rssh, and verify
 * that the specified command is one the user is
-@@ -281,8 +320,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
 return PATH_SFTP_SERVER;
 
 if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
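Review bot: In the new `scp_okay()` loop, a `-f` or `-t` that comes after a file operand still sets `saw_f_or_t`, because only arguments beginning with `-` are rejected and the scan carries on past plain operands until it meets `--`. Whether scp itself still parses an option in that position depends on whether the getopt it was built with permutes arguments, which this diff does not show; if it does not, the check can pass for a command line on which scp never enters server mode. Accepting the mode flag only while no operand has been seen is safe under either behaviour, and the clients this check is meant to admit send their options first. The comment `/* Any other argument is not allowed. */` also overstates the test, since non-option arguments are accepted, and `(*vec)[0]` reads more clearly than `*vec[0]`. The header comment of `scp_okay()` begins above the hunk.

```c
static int scp_okay( char **vec )
{
    int saw_f_or_t = FALSE;
    int saw_operand = FALSE;

    for ( vec++; vec && *vec; vec++ ){
        /* ... unchanged: -v, -r, -p and -d are skipped ... */
        if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-t") == 0 ){
            /* Only accept the mode flag among the leading options. */
            if ( saw_operand ) return FALSE;
            saw_f_or_t = TRUE;
            continue;
        }
        /* ... unchanged: "--" ends the scan ... */

        /* Reject any other option; everything else is a file operand. */
        if ( (*vec)[0] == '-' ) return FALSE;
        saw_operand = TRUE;
    }
    /* ... unchanged: return saw_f_or_t ... */
```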