[Secure-testing-team] rssh: incorrect filtering of command line options
Yves-Alexis Perez
corsac at debian.org
Tue Nov 27 23:21:03 UTC 2012
Hi people,
I've just released DSA 2578-1 which affects rssh after coordination on
the distro list and I'm now posting to oss-sec per policy.
Package : rssh
Vulnerability : incorrect filtering of command line options
Problem type : remote
CVE ID : CVE-2012-2251 CVE-2012-2252
James Clawson discovered that rssh, a restricted shell for OpenSSH to be used
with scp/sftp, rdist and cvs, was not correctly filtering command line options.
This could be used to force the execution of a remote script and thus allow
arbitrary command execution. Two CVE were assigned:
CVE-2012-2251
Incorrect filtering of command line when using rsync protocol. It was
for example possible to pass dangerous options after a "--" switch. The rsync
protocol support has been added in a Debian (and Fedora/Red Hat) specific
patch, so this vulnerability doesn't affect upstream.
CVE-2012-2251
Incorrect filtering of the "--rsh" option: the filter preventing usage of the
"--rsh=" option would not prevent passing "--rsh". This vulnerability affects
upstream code.
Regards,
--
Yves-Alexis Perez
Debian Security
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20121128/66226a31/attachment.pgp>
More information about the Secure-testing-team
mailing list