On Wed, Sep 24, 2014 at 12:28 PM, Stefan Sperling <s...@elego.de> wrote: > On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote: >> Does the recently announced bash bug: >> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ >> affect the security of the way people generally configure svn+ssh access? >> >> -- >> Les Mikesell > > From what I understand after reading about the problem briefly: > > In an svn+ssh setup svn clients run 'svnserve -t' by default. > But there is no reason this could not be changed to '/bin/bash' by > an attacker. > > Note that forcing a command in the authorized_keys file will *not* > work around the problem: http://seclists.org/oss-sec/2014/q3/651 > > It should be possible to mitigate this attack vector by having > svnserve run in an environment that doesn't have bash available, > either with no bash binary at all on the system, or within a chroot.
Setting up a chroot for Subversion for just this purpose gets... potentially adventuresome. The maintainers of OpenSSH have generically refused to support chroot changes, so it's a bit awkward to even set up. Various folks have published patches or integration kits to support genuine chroot cages: heck, even I used to publish patches for OpenSSH to provide them. But this is a very disturbing bug.....
