Version in base suite: 2.3.4-5 Base version: rssh_2.3.4-5 Target version: rssh_2.3.4-5+deb9u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rssh/rssh_2.3.4-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rssh/rssh_2.3.4-5+deb9u1.dsc NEWS | 23 ++++ README.Debian | 8 + changelog | 21 +++ patches/0007-Handle-rsync-v3-e-protocol-option.patch | 45 ++++---- patches/0008-Add-support-for-Subversion-svnserve.patch | 10 - patches/0009-Verify-scp-command-options.patch | 92 +++++++++++++++++ patches/0010-Check-command-line-after-chroot.patch | 30 +++++ patches/series | 2 8 files changed, 203 insertions(+), 28 deletions(-) diff -Nru rssh-2.3.4/debian/NEWS rssh-2.3.4/debian/NEWS --- rssh-2.3.4/debian/NEWS 2016-09-05 22:39:58.000000000 +0000 +++ rssh-2.3.4/debian/NEWS 2019-01-30 04:50:25.000000000 +0000 
@@ -1,3 +1,26 @@ +rssh (2.3.4-5+deb9u1) stretch-security; urgency=high + + scp and rsync command verification have been made stricter to try to + prevent ways of running arbitrary code on the server via ssh + configuration options. As a side effect, this will break scp -3 to an + account using rssh, and will disallow using rssh to run arbitrary scp + and rsync commands on the server. Only the server end of an scp or + rsync command should now be allowed. + + THE CVS SUPPORT IN RSSH IS PROBABLY NOT SECURE, as is already documented + in the manual page. While no variation of this attack for cvs is + currently known, cvs has many options and commands and the small amount + of filtering rssh does is probably not sufficient. Use the cvs support + at your own risk. + + The approach rssh takes to try to restrict commands is fragile, + regularly broken by new features in the commands it tries to wrap, and + probably has additional bugs. It is no longer supported upstream and + will likely be removed from future versions of Debian. Please consider + switching to another security approach. + + -- Russ Allbery Tue, 29 Jan 2019 20:50:08 -0800 + rssh (2.3.2-9) unstable; urgency=low This version of the rssh package adds support for Subversion by adding diff -Nru rssh-2.3.4/debian/README.Debian rssh-2.3.4/debian/README.Debian --- rssh-2.3.4/debian/README.Debian 2016-09-05 22:39:58.000000000 +0000 +++ rssh-2.3.4/debian/README.Debian 2019-01-30 04:50:25.000000000 +0000 
@@ -6,6 +6,12 @@ chroot into a jail before running the command and has a configuration file to specify which commands are allowed. +THE CVS SUPPORT IS PROBABLY NOT SECURE, as documented in the manual page. +cvs is a very large and complex program with many options, and rssh almost +certainly does not protect against all the ways to use cvs on the server +to run commands on the server, particularly if the attacker also has ways +to write to the local file system. Use the cvs support at your own risk. + Please thoroughly read the rssh man page before using this program. If rssh is not configured correctly, it may not be secure. You may also want to read the security history in /usr/share/doc/rssh/SECURITY. In @@ -42,4 +48,4 @@ to maintain a security-sensitive C program, consider taking over upstream maintenance. - -- Russ Allbery , Mon, 29 Mar 2010 11:23:15 -0700 + -- Russ Allbery , Tue, 29 Jan 2019 20:50:40 -0800 diff -Nru rssh-2.3.4/debian/changelog rssh-2.3.4/debian/changelog --- rssh-2.3.4/debian/changelog 2016-09-05 22:39:58.000000000 +0000 +++ rssh-2.3.4/debian/changelog 2019-01-30 04:50:25.000000000 +0000 
@@ -1,3 +1,24 @@ +rssh (2.3.4-5+deb9u1) stretch-security; urgency=high + + * Validate the allowed scp command line and only permit the flags used + in server mode and only a single argument, to attempt to prevent use + of ssh options to run arbitrary code on the server. This will break + scp -3 to a system running rssh, which seems like an acceptable loss. + (Closes: #919623, CVE-2019-1000018) + * Tighten validation of the rsync command line to require --server be + the first argument, which should prevent initiation of an outbound + rsync command from the server, which in turn might allow execution of + arbitrary code via ssh configuration similar to scp. + * Add validation of the server command line after chroot when chroot is + enabled. Prior to this change, dangerous argument filtering was not + done when chroot was configured, allowing remote code execution inside + the chroot in some configurations via the previous two bugs and via + the mechanisms in CVE-2012-2251 and CVE-2012-2252. + * Further document that the cvs server-side dangerous option filtering + is probably insufficient and should not be considered secure. + + -- Russ Allbery Tue, 29 Jan 2019 20:50:25 -0800 + rssh (2.3.4-5) unstable; urgency=medium * Enable all hardening flags. diff -Nru rssh-2.3.4/debian/patches/0007-Handle-rsync-v3-e-protocol-option.patch rssh-2.3.4/debian/patches/0007-Handle-rsync-v3-e-protocol-option.patch --- rssh-2.3.4/debian/patches/0007-Handle-rsync-v3-e-protocol-option.patch 2016-09-05 22:39:58.000000000 +0000 +++ rssh-2.3.4/debian/patches/0007-Handle-rsync-v3-e-protocol-option.patch 2019-01-30 04:50:25.000000000 +0000 
@@ -7,6 +7,11 @@ options to rsync, only ones not sent with --server or containing something other than protocol information as an argument. +Be stricter about the rsync command line and require --server as the +first argument, which disables attempts to initiate rsync outbound from +the server and in turn could trigger running code specified in ssh +client configuration options. + Also scan the rsync command line for any --rsh option and reject it as well. This replaces and improves the upstream strategy for rejecting that command-line option, taking advantage of the parsing added to @@ -16,11 +21,11 @@ Debian Bug#471803 --- - util.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 72 insertions(+), 8 deletions(-) + util.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 68 insertions(+), 8 deletions(-) diff --git a/util.c b/util.c -index ef1a5d8..b70899f 100644 +index ef1a5d8..6ee0799 100644 --- a/util.c +++ b/util.c @@ -56,6 +56,7 @@ @@ -31,18 +36,17 @@ /* LOCAL INCLUDES */ #include "pathnames.h" -@@ -198,6 +199,73 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag ) +@@ -197,6 +198,69 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag ) + } - /* -+ * rsync_e_okay() - take the command line passed to rssh and look for an -e -+ * option. If one is found, make sure --server is provided -+ * and the option contains only the protocol information. -+ * Also check for and reject any --rsh option. Returns FALSE -+ * if the command line should not be allowed, TRUE if it is -+ * okay. ++/* ++ * rsync_okay() - require --server on all rsh command lines, check that -e ++ * contains only protocol information, and reject any --rsh ++ * option. Returns FALSE if the command line should not be ++ * allowed, TRUE if it is okay. + */ -+static int rsync_e_okay( char **vec ) ++static int rsync_okay( char **vec ) +{ + regex_t re; + int server = FALSE; 
@@ -71,9 +75,8 @@ + * could be hidden from the server as an argument to some other + * option. + */ -+ if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){ -+ server = TRUE; -+ } ++ if ( !(vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0) ) ++ return FALSE; + + /* Check the remaining options for -e or --rsh. */ + if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ @@ -96,16 +99,14 @@ + vec++; + } + regfree(&re); -+ if ( e_found && !server ) return FALSE; + return TRUE; +} + + -+/* + /* * check_command_line() - take the command line passed to rssh, and verify * that the specified command is one the user is - * allowed to run and validate the arguments. Return the -@@ -230,14 +298,10 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) +@@ -230,14 +294,10 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ /* filter -e option */ @@ -117,9 +118,9 @@ - return NULL; - } - cl++; -+ if ( !rsync_e_okay(cl) ){ -+ fprintf(stderr, "\ninsecure -e or --rsh option not allowed."); -+ log_msg("insecure -e or --rsh option in rsync command line!"); ++ if ( !rsync_okay(cl) ){ ++ fprintf(stderr, "\ninsecure rsync options not allowed."); ++ log_msg("insecure rsync options in rsync command line!"); + return NULL; } return PATH_RSYNC; diff -Nru rssh-2.3.4/debian/patches/0008-Add-support-for-Subversion-svnserve.patch rssh-2.3.4/debian/patches/0008-Add-support-for-Subversion-svnserve.patch --- rssh-2.3.4/debian/patches/0008-Add-support-for-Subversion-svnserve.patch 2016-09-05 22:39:58.000000000 +0000 +++ rssh-2.3.4/debian/patches/0008-Add-support-for-Subversion-svnserve.patch 2019-01-30 04:50:25.000000000 +0000 @@ -25,7 +25,7 @@ util.c | 35 ++++++++++++++++++++++++++--------- util.h | 3 ++- 13 files changed, 194 insertions(+), 93 deletions(-) - create mode 100755 conf_convert + create mode 100644 conf_convert delete mode 100755 conf_convert.sh 
diff --git a/conf_convert b/conf_convert @@ -527,7 +527,7 @@ if (log) log_msg("chrooting %s to %s", user, path); opts->shell_flags |= RSSH_USE_CHROOT; diff --git a/util.c b/util.c -index b70899f..56f67ad 100644 +index 6ee0799..3ec01e1 100644 --- a/util.c +++ b/util.c @@ -80,7 +80,8 @@ void fail( int flags, int argc, char **argv ) @@ -551,7 +551,7 @@ } /* print error message to user and log attempt */ -@@ -305,6 +308,16 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) +@@ -301,6 +304,16 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) } return PATH_RSYNC; } @@ -568,7 +568,7 @@ /* No match, return NULL */ return NULL; } -@@ -329,6 +342,8 @@ char *get_command( char *cl, ShellOptions_t *opts ) +@@ -325,6 +338,8 @@ char *get_command( char *cl, ShellOptions_t *opts ) return PATH_RDIST; if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ) return PATH_RSYNC; @@ -577,7 +577,7 @@ return NULL; } -@@ -394,22 +409,24 @@ int validate_umask( const char *temp, int *mask ) +@@ -390,22 +405,24 @@ int validate_umask( const char *temp, int *mask ) * same name, and returns FALSE if the bits are not valid */ int validate_access( const char *temp, bool *allow_sftp, bool *allow_scp, diff -Nru rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch --- rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch 1970-01-01 00:00:00.000000000 +0000 +++ rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch 2019-01-30 04:50:25.000000000 +0000 
@@ -0,0 +1,92 @@ +From: Russ Allbery +Date: Thu, 17 Jan 2019 19:21:40 -0800 +Subject: Verify scp command options + +ESnet discovered a security vulnerability in the scp backend for +rssh. Since the arguments to scp on the server side were not +checked, the client could pass in arbitrary scp command-line flags, +including setting arbitrary scp options. This allows setting the +option PKCS11Provider, which loads and executes code from a shared +module. + +Even if the -o flag is blocked, this is still possible via -F to +load an already-uploaded ssh configuration file, or, if .ssh/config +is writable, by just uploading that configuration file directly +first. + +Attempt to protect against this attack by checking the command line +of scp and only allowing the options that are passed to the server +end of the connection. Specifically, do not allow multiple +non-option arguments, which attempts to prevent causing the server +to initiate an scp command. (This will break scp -3 through rssh, +which seems like an acceptable tradeoff.) + +Debian Bug#919623 +--- + util.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 44 insertions(+), 2 deletions(-) + +diff --git a/util.c b/util.c +index 3ec01e1..6e668c9 100644 +--- a/util.c ++++ b/util.c +@@ -264,6 +264,45 @@ static int rsync_okay( char **vec ) + } + + ++/* ++ * scp_okay() - take the command line and check that it is a hopefully-safe scp ++ * server command line, accepting only very specific options. ++ * Returns FALSE if the command line should not be allowed, TRUE ++ * if it is okay. ++ */ ++static int scp_okay( char **vec ) ++{ ++ int saw_file = FALSE; ++ int saw_end = FALSE; ++ ++ for ( vec++; vec && *vec; vec++ ){ ++ /* Allowed options. 
*/ ++ if ( !saw_end ) { ++ if ( strcmp(*vec, "-v") == 0 ) continue; ++ if ( strcmp(*vec, "-r") == 0 ) continue; ++ if ( strcmp(*vec, "-p") == 0 ) continue; ++ if ( strcmp(*vec, "-d") == 0 ) continue; ++ if ( strcmp(*vec, "-f") == 0 ) continue; ++ if ( strcmp(*vec, "-t") == 0 ) continue; ++ } ++ ++ /* End of arguments. One more argument allowed after this. */ ++ if ( !saw_end && strcmp(*vec, "--") == 0 ){ ++ saw_end = TRUE; ++ continue; ++ } ++ ++ /* No other options allowed, but allow file starting with -. */ ++ if ( *vec[0] == '-' && !saw_end ) return FALSE; ++ if ( saw_file ) return FALSE; ++ saw_file = TRUE; ++ } ++ ++ /* We must have seen a single file. */ ++ return saw_file; ++} ++ ++ + /* + * check_command_line() - take the command line passed to rssh, and verify + * that the specified command is one the user is +@@ -279,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts ) + return PATH_SFTP_SERVER; + + if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){ +- /* filter -S option */ +- if ( opt_filter(cl, 'S') ) return NULL; ++ if ( !scp_okay(cl) ){ ++ fprintf(stderr, "\ninsecure scp option not allowed."); ++ log_msg("insecure scp option in scp command line"); ++ return NULL; ++ } + return PATH_SCP; + } + diff -Nru rssh-2.3.4/debian/patches/0010-Check-command-line-after-chroot.patch rssh-2.3.4/debian/patches/0010-Check-command-line-after-chroot.patch --- rssh-2.3.4/debian/patches/0010-Check-command-line-after-chroot.patch 1970-01-01 00:00:00.000000000 +0000 +++ rssh-2.3.4/debian/patches/0010-Check-command-line-after-chroot.patch 2019-01-30 04:50:25.000000000 +0000 
@@ -0,0 +1,30 @@ +From: Russ Allbery +Date: Mon, 28 Jan 2019 20:15:30 -0800 +Subject: Check command line after chroot + +When a command was configured with a chroot, rssh did not check +the safety of the command line after chroot, allowing various +vectors of remote code execution inside the chroot environment. +Perform the same check after chroot as is performed before running +the command when a chroot is not configured. +--- + rssh_chroot_helper.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/rssh_chroot_helper.c b/rssh_chroot_helper.c +index 8a35cdc..73d8c7b 100644 +--- a/rssh_chroot_helper.c ++++ b/rssh_chroot_helper.c +@@ -218,6 +218,12 @@ int main( int argc, char **argv ) + ch_fatal_error("build_arg_vector()", argv[2], + "bad expansion"); + ++ /* check the command for safety */ ++ if ( !check_command_line(argvec, &opts) ){ ++ fprintf(stderr, "\n"); ++ exit(1); ++ } ++ + /* + * This is the old way to figure out what program to run. Since we're + * re-parsing the config file in rssh_chroot helper, we could get rid diff -Nru rssh-2.3.4/debian/patches/series rssh-2.3.4/debian/patches/series --- rssh-2.3.4/debian/patches/series 2016-09-05 22:39:58.000000000 +0000 +++ rssh-2.3.4/debian/patches/series 2019-01-30 04:50:25.000000000 +0000 @@ -6,3 +6,5 @@ 0006-Fixes-and-improvements-to-mkchroot.sh.patch 0007-Handle-rsync-v3-e-protocol-option.patch 0008-Add-support-for-Subversion-svnserve.patch +0009-Verify-scp-command-options.patch +0010-Check-command-line-after-chroot.patch
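Review bot: the debian/NEWS entry for 2.3.4-5+deb9u1 documents the scp -3 breakage and the stricter rsync check, but says nothing about patch 0010, which makes rssh_chroot_helper run check_command_line() after the chroot. Chroot-based configurations are exactly the ones where these checks fire for the first time, so the entry should add a sentence that command lines which previously ran inside a chroot (an rsync invocation without --server as its first argument, an scp invocation with flags outside the new whitelist, or anything that matches none of the allowed commands) are now rejected there as well.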
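Review bot: in the rewritten rsync_okay() in patch 0007, `int server = FALSE;` is now dead: the hunk removes the only assignment (`server = TRUE;`) and the only read (`if ( e_found && !server ) return FALSE;`) but keeps the declaration, which will draw an unused-variable warning with -Wall; drop it, and check whether `e_found` has become write-only for the same reason. The new doc comment also reads "require --server on all rsh command lines" where "rsync command lines" is meant.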
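Review bot: the refresh of patch 0008 changes its header from `- create mode 100755 conf_convert` to `+ create mode 100644 conf_convert` alongside the index and offset updates. That line is part of the patch's summary diffstat, so nothing changes on disk, but it is unrelated churn in a security upload and now disagrees with the executable mode the earlier header advertised; revert it, or confirm that conf_convert is still installed executable if the mode change is deliberate.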
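Review bot: scp_okay() in patch 0009 never requires one of `-f` or `-t`, and accepts both together, although the comment says the intent is to allow only what the client passes to the server end of the connection, which is always invoked with exactly one of them. Tracking whether `-f` or `-t` was seen and returning FALSE unless exactly one appeared would make the whitelist match that intent and reject an scp invocation that names a single file without either mode flag. As a readability point, `*vec[0] == '-'` is correct (it tests the first character of the current argument) but `(*vec)[0] == '-'` says so without making the reader work through the precedence.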
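Review bot: the rssh_chroot_helper hunk in patch 0010 discards what check_command_line() returns and then, as the following comment says, picks the program "the old way", so the command that was validated and the command that is executed come from two separate resolutions of the same argv; exec the returned path, or at least assert that the two agree, so they cannot drift apart. The failure branch also does only `fprintf(stderr, "\n"); exit(1);`: the rsync and scp rejections inside check_command_line() call log_msg(), but the "No match, return NULL" branch visible in the util.c context of patch 0008 does not, so a command line rejected after chroot for that reason leaves no log entry. Add a log_msg() naming the user and the rejected command line before exit(1).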