Security Information / 2012 / Security Information -- DSA-2578-1 rssh

Debian Security Advisory

DSA-2578-1 rssh -- insufficient filtering of rsync command line

Date Reported:

28 Nov 2012

Affected Packages:

rssh

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-2251, CVE-2012-2252.

More information:

James Clawson discovered that rssh, a restricted shell for OpenSSH to be used with scp, sftp, rdist and cvs, was not correctly filtering command line options. This could be used to force the execution of a remote script and thus allow arbitrary command execution. Two CVE were assigned:

• CVE-2012-2251

  Incorrect filtering of command line when using rsync protocol. It was for example possible to pass dangerous options after a -- switch. The rsync protocol support has been added in a Debian (and Fedora/Red Hat) specific patch, so this vulnerability doesn't affect upstream.

• CVE-2012-2252

  Incorrect filtering of the --rsh option: the filter preventing usage of the --rsh= option would not prevent passing --rsh. This vulnerability affects upstream code.

For the stable distribution (squeeze), this problem has been fixed in version 2.3.2-13squeeze3.

For the testing distribution (wheezy), this problem has been fixed in version 2.3.3-6.

For the unstable distribution (sid), this problem has been fixed in version 2.3.3-6.

We recommend that you upgrade your rssh packages.