Bug#346322: Intention to NMU rssh for security vulnerability

Fri, 17 Mar 2006 13:48:58 -0800 

Hi Jesus,

I haven't heard anything back about this bug (#346322), which is a serious
security vulnerability affecting unstable and testing.

I've checked the latest upstream release (2.3.2) and compared it to 2.3.0
currently in Debian, and the following patch fixes this vulnerability and
another segfault issue.  I intend to upload an NMU for rssh applying this
patch on Monday (March 20th) if I haven't heard back from you saying to
hold off.

Please let me know if you need any help or have any questions or concerns,
or if you have an upload prepared already for this problem.

diff -ru rssh-2.3.0/main.c.in rssh-2.3.2/main.c.in
--- rssh-2.3.0/main.c.in        2005-11-27 14:36:19.000000000 -0800
+++ rssh-2.3.2/main.c.in        2006-01-03 09:25:05.000000000 -0800
@@ -1,7 +1,7 @@
 /*
  * rssh.c - restricted shell for ssh to allow scp or sftp only
  * 
- * Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
+ * Copyright 2003-2006 Derek D. Martin ( code at pizzashack dot org ).
  *
  * This program is licensed under a BSD-style license, as follows: 
  *
@@ -174,8 +174,6 @@
                         char **cmd )
 {
        char    **argvec;       /* argument vector for new cmd line */
-       char    *homedir;       /* relative to chroot */
-       char    *root;          /* the chroot dir */
        char    *temp;          /* to build chroot helper cmd line */
        int     len;
 
@@ -229,8 +227,8 @@
                *cmd = PATH_CHROOT_HELPER;
 
                /* set up buffer to log command line ('"' + ' ' + '\0' = 9) */
-               len = strlen(cmdline) + strlen(root) + strlen(homedir) + 
-                     strlen(argvec[2]) + strlen(PATH_CHROOT_HELPER) + 9;
+               len = strlen(cmdline) +  strlen(argvec[2]) + 
+                       strlen(PATH_CHROOT_HELPER) + 9;
                if ( !(temp = (char *)malloc(len)) ){
                        log_set_priority(LOG_ERR);
                        log_msg("OOM error in build_shell_args() (fatal)");
diff -ru rssh-2.3.0/util.c rssh-2.3.2/util.c
--- rssh-2.3.0/util.c   2005-11-27 09:01:52.000000000 -0800
+++ rssh-2.3.2/util.c   2006-01-03 09:37:39.000000000 -0800
@@ -1,7 +1,7 @@
 /*
  * util.c - utility functions for rssh
  * 
- * Copyright 2003 Derek D. Martin ( code at pizzashack dot org ).
+ * Copyright 2003-2006 Derek D. Martin ( code at pizzashack dot org ).
  *
  * This program is licensed under a BSD-style license, as follows: 
  *
@@ -209,13 +209,14 @@
                return PATH_SCP;
        }
 
-       if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) )
+       if ( check_command(cl, opts, PATH_CVS, RSSH_ALLOW_CVS) ){
                if ( opt_exist(cl, 'e') ){
                        fprintf(stderr, "\ninsecure -e option not allowed.");
                        log_msg("insecure -e option in cvs command line!");
                        return NULL;
                }
                return PATH_CVS;
+       }
 
        if ( check_command(cl, opts, PATH_RDIST, RSSH_ALLOW_RDIST) ){
                /* filter -P option */


-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to