mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-07-13 19:29:53 +03:00
89 lines
2.7 KiB
Diff
89 lines
2.7 KiB
Diff
From: Russ Allbery <rra@debian.org>
|
|
Date: Thu, 17 Jan 2019 19:21:40 -0800
|
|
Subject: Verify scp command options
|
|
|
|
ESnet discovered a security vulnerability in the scp backend for
|
|
rssh. Since the arguments to scp on the server side were not
|
|
checked, the client could pass in arbitrary scp command-line flags,
|
|
including setting arbitrary scp options. This allows setting the
|
|
option PKCS11Provider, which loads and executes code from a shared
|
|
module.
|
|
|
|
Even if the -o flag is blocked, this is still possible via -F to
|
|
load an already-uploaded ssh configuration file, or, if .ssh/config
|
|
is writable, by just uploading that configuration file directly
|
|
first.
|
|
|
|
Attempt to protect against this attack by checking the command line
|
|
of scp and only allowing the options that are passed to the server
|
|
end of the connection. Require either -f or -t be given, which
|
|
disables scp's attempts to connect to a remote host. Allow these as
|
|
-pf and -pt, which are sent by libssh2.
|
|
|
|
Debian Bug#919623
|
|
---
|
|
util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
|
|
1 file changed, 42 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/util.c b/util.c
|
|
index dc8c8fb..4203eac 100644
|
|
--- a/util.c
|
|
+++ b/util.c
|
|
@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
|
|
}
|
|
|
|
|
|
+/*
|
|
+ * scp_okay() - take the command line and check that it is a hopefully-safe scp
|
|
+ * server command line, accepting only very specific options.
|
|
+ * Returns FALSE if the command line should not be allowed, TRUE
|
|
+ * if it is okay.
|
|
+ */
|
|
+static int scp_okay( char **vec )
|
|
+{
|
|
+ int saw_f_or_t = FALSE;
|
|
+
|
|
+ for ( vec++; vec && *vec; vec++ ){
|
|
+ /* Allowed options. */
|
|
+ if ( strcmp(*vec, "-v") == 0 ) continue;
|
|
+ if ( strcmp(*vec, "-r") == 0 ) continue;
|
|
+ if ( strcmp(*vec, "-p") == 0 ) continue;
|
|
+ if ( strcmp(*vec, "-d") == 0 ) continue;
|
|
+ if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){
|
|
+ saw_f_or_t = TRUE;
|
|
+ continue;
|
|
+ }
|
|
+ if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){
|
|
+ saw_f_or_t = TRUE;
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ /* End of arguments. */
|
|
+ if ( strcmp(*vec, "--") == 0 ) break;
|
|
+
|
|
+ /* Any other argument is not allowed. */
|
|
+ if ( *vec[0] == '-' ) return FALSE;
|
|
+ }
|
|
+
|
|
+ /* Either -f or -t must have been given. */
|
|
+ return saw_f_or_t;
|
|
+}
|
|
+
|
|
+
|
|
/*
|
|
* check_command_line() - take the command line passed to rssh, and verify
|
|
* that the specified command is one the user is
|
|
@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
|
|
return PATH_SFTP_SERVER;
|
|
|
|
if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
|
|
- /* filter -S option */
|
|
- if ( opt_filter(cl, 'S') ) return NULL;
|
|
+ if ( !scp_okay(cl) ){
|
|
+ fprintf(stderr, "\ninsecure scp option not allowed.");
|
|
+ log_msg("insecure scp option in scp command line");
|
|
+ return NULL;
|
|
+ }
|
|
return PATH_SCP;
|
|
}
|
|
|