Debian Security Advisory

DSA-2578-1 rssh -- insufficient filtering of rsync command line

Date Reported:
28 Nov 2012
Affected Packages:
rssh
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2012-2251, CVE-2012-2252.
More information:

James Clawson discovered that rssh, a restricted shell for OpenSSH to be used with scp, sftp, rdist and cvs, was not correctly filtering command line options. This could be used to force the execution of a remote script and thus allow arbitrary command execution. Two CVE were assigned:

  • CVE-2012-2251

    Incorrect filtering of command line when using rsync protocol. It was for example possible to pass dangerous options after a -- switch. The rsync protocol support has been added in a Debian (and Fedora/Red Hat) specific patch, so this vulnerability doesn't affect upstream.

  • CVE-2012-2252

    Incorrect filtering of the --rsh option: the filter preventing usage of the --rsh= option would not prevent passing --rsh. This vulnerability affects upstream code.

For the stable distribution (squeeze), this problem has been fixed in version 2.3.2-13squeeze3.

For the testing distribution (wheezy), this problem has been fixed in version 2.3.3-6.

For the unstable distribution (sid), this problem has been fixed in version 2.3.3-6.

We recommend that you upgrade your rssh packages.