[gentoo-announce] [ GLSA 201311-19 ] rssh: Access restriction bypass - gentoo-announce

From:	Sergey Popov <pinkbyte@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201311-19 ] rssh: Access restriction bypass
Date:	Thu, 28 Nov 2013 08:49:50
Message-Id:	`52970346.1080803@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201311-19

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: rssh: Access restriction bypass

9

     Date: November 28, 2013

10

     Bugs: #415255, #445166

11

       ID: 201311-19

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in rssh, allowing local

19

attackers to bypass access restrictions.

20

21

Background

22

==========

23

24

rssh is a restricted shell, allowing only a few commands like scp or

25

sftp. It is often used as a complement to OpenSSH to provide limited

26

access to users.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  app-shells/rssh              < 2.3.4                    >= 2.3.4

35

36

Description

37

===========

38

39

Multiple command line parsing and validation vulnerabilities have been

40

discovered in rssh. Please review the CVE identifiers referenced below

41

for details.

42

43

Impact

44

======

45

46

Multiple parsing and validation vulnerabilities can cause the

47

restrictions set up by rssh to be bypassed.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All rssh users should upgrade to the latest version:

58

59

  # emerge --sync

60

  # emerge --ask --oneshot --verbose ">=app-shells/rssh-2.3.4"

61

62

References

63

==========

64

65

[ 1 ] CVE-2012-2252

66

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2252

67

[ 2 ] CVE-2012-3478

68

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3478

69

70

Availability

71

============

72

73

This GLSA and any updates to it are available for viewing at

74

the Gentoo Security Website:

75

76

 http://security.gentoo.org/glsa/glsa-201311-19.xml

77

78

Concerns?

79

=========

80

81

Security is a primary focus of Gentoo Linux and ensuring the

82

confidentiality and security of our users' machines is of utmost

83

importance to us. Any security concerns should be addressed to

84

security@g.o or alternatively, you may file a bug at

85

https://bugs.gentoo.org.

86

87

License

88

=======

89

90

Copyright 2013 Gentoo Foundation, Inc; referenced text

91

belongs to its owner(s).

92

93

The contents of this document are licensed under the

94

Creative Commons - Attribution / Share Alike license.

95

96

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201311-19
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: rssh: Access restriction bypass
9	Date: November 28, 2013
10	Bugs: #415255, #445166
11	ID: 201311-19
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in rssh, allowing local
19	attackers to bypass access restrictions.
20
21	Background
22	==========
23
24	rssh is a restricted shell, allowing only a few commands like scp or
25	sftp. It is often used as a complement to OpenSSH to provide limited
26	access to users.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 app-shells/rssh < 2.3.4 >= 2.3.4
35
36	Description
37	===========
38
39	Multiple command line parsing and validation vulnerabilities have been
40	discovered in rssh. Please review the CVE identifiers referenced below
41	for details.
42
43	Impact
44	======
45
46	Multiple parsing and validation vulnerabilities can cause the
47	restrictions set up by rssh to be bypassed.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All rssh users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=app-shells/rssh-2.3.4"
61
62	References
63	==========
64
65	[ 1 ] CVE-2012-2252
66	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2252
67	[ 2 ] CVE-2012-3478
68	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3478
69
70	Availability
71	============
72
73	This GLSA and any updates to it are available for viewing at
74	the Gentoo Security Website:
75
76	http://security.gentoo.org/glsa/glsa-201311-19.xml
77
78	Concerns?
79	=========
80
81	Security is a primary focus of Gentoo Linux and ensuring the
82	confidentiality and security of our users' machines is of utmost
83	importance to us. Any security concerns should be addressed to
84	security@g.o or alternatively, you may file a bug at
85	https://bugs.gentoo.org.
86
87	License
88	=======
89
90	Copyright 2013 Gentoo Foundation, Inc; referenced text
91	belongs to its owner(s).
92
93	The contents of this document are licensed under the
94	Creative Commons - Attribution / Share Alike license.
95
96	http://creativecommons.org/licenses/by-sa/2.5