[gentoo-announce] [ GLSA 200602-11 ] OpenSSH, Dropbear: Insecure use of system() call - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200602-11 ] OpenSSH, Dropbear: Insecure use of system() call
Date:	Mon, 20 Feb 2006 20:26:40
Message-Id:	`43FA21E2.3060903@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200602-11

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: OpenSSH, Dropbear: Insecure use of system() call

9

      Date: February 20, 2006

10

      Bugs: #119232

11

        ID: 200602-11

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A flaw in OpenSSH and Dropbear allows local users to elevate their

19

privileges via scp.

20

21

Background

22

==========

23

24

OpenSSH is a free application suite consisting of server and clients

25

that replace tools like telnet, rlogin, rcp and ftp with more secure

26

versions offering additional functionality. Dropbear is an SSH server

27

and client designed with a small memory footprint that includes OpenSSH

28

scp code.

29

30

Affected packages

31

=================

32

33

    -------------------------------------------------------------------

34

     Package            /   Vulnerable   /                  Unaffected

35

    -------------------------------------------------------------------

36

  1  net-misc/openssh       < 4.2_p1-r1                   >= 4.2_p1-r1

37

  2  net-misc/dropbear       < 0.47-r1                      >= 0.47-r1

38

    -------------------------------------------------------------------

39

     2 affected packages on all of their supported architectures.

40

    -------------------------------------------------------------------

41

42

Description

43

===========

44

45

To copy from a local filesystem to another local filesystem, scp

46

constructs a command line using 'cp' which is then executed via

47

system(). Josh Bressers discovered that special characters are not

48

escaped by scp, but are simply passed to the shell.

49

50

Impact

51

======

52

53

By tricking other users or applications to use scp on maliciously

54

crafted filenames, a local attacker user can execute arbitrary commands

55

with the rights of the user running scp.

56

57

Workaround

58

==========

59

60

There is no known workaround at this time.

61

62

Resolution

63

==========

64

65

All OpenSSH users should upgrade to the latest version:

66

67

    # emerge --sync

68

    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.2_p1-r1"

69

70

All Dropbear users should upgrade to the latest version:

71

72

    # emerge --sync

73

    # emerge --ask --oneshot --verbose ">=net-misc/dropbear-0.47-r1"

74

75

References

76

==========

77

78

  [ 1 ] CVE-2006-0225

79

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225

80

81

Availability

82

============

83

84

This GLSA and any updates to it are available for viewing at

85

the Gentoo Security Website:

86

87

  http://security.gentoo.org/glsa/glsa-200602-11.xml

88

89

Concerns?

90

=========

91

92

Security is a primary focus of Gentoo Linux and ensuring the

93

confidentiality and security of our users machines is of utmost

94

importance to us. Any security concerns should be addressed to

95

security@g.o or alternatively, you may file a bug at

96

http://bugs.gentoo.org.

97

98

License

99

=======

100

101

Copyright 2006 Gentoo Foundation, Inc; referenced text

102

belongs to its owner(s).

103

104

The contents of this document are licensed under the

105

Creative Commons - Attribution / Share Alike license.

106

107

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200602-11
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: OpenSSH, Dropbear: Insecure use of system() call
9	Date: February 20, 2006
10	Bugs: #119232
11	ID: 200602-11
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A flaw in OpenSSH and Dropbear allows local users to elevate their
19	privileges via scp.
20
21	Background
22	==========
23
24	OpenSSH is a free application suite consisting of server and clients
25	that replace tools like telnet, rlogin, rcp and ftp with more secure
26	versions offering additional functionality. Dropbear is an SSH server
27	and client designed with a small memory footprint that includes OpenSSH
28	scp code.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	1 net-misc/openssh < 4.2_p1-r1 >= 4.2_p1-r1
37	2 net-misc/dropbear < 0.47-r1 >= 0.47-r1
38	-------------------------------------------------------------------
39	2 affected packages on all of their supported architectures.
40	-------------------------------------------------------------------
41
42	Description
43	===========
44
45	To copy from a local filesystem to another local filesystem, scp
46	constructs a command line using 'cp' which is then executed via
47	system(). Josh Bressers discovered that special characters are not
48	escaped by scp, but are simply passed to the shell.
49
50	Impact
51	======
52
53	By tricking other users or applications to use scp on maliciously
54	crafted filenames, a local attacker user can execute arbitrary commands
55	with the rights of the user running scp.
56
57	Workaround
58	==========
59
60	There is no known workaround at this time.
61
62	Resolution
63	==========
64
65	All OpenSSH users should upgrade to the latest version:
66
67	# emerge --sync
68	# emerge --ask --oneshot --verbose ">=net-misc/openssh-4.2_p1-r1"
69
70	All Dropbear users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=net-misc/dropbear-0.47-r1"
74
75	References
76	==========
77
78	[ 1 ] CVE-2006-0225
79	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
80
81	Availability
82	============
83
84	This GLSA and any updates to it are available for viewing at
85	the Gentoo Security Website:
86
87	http://security.gentoo.org/glsa/glsa-200602-11.xml
88
89	Concerns?
90	=========
91
92	Security is a primary focus of Gentoo Linux and ensuring the
93	confidentiality and security of our users machines is of utmost
94	importance to us. Any security concerns should be addressed to
95	security@g.o or alternatively, you may file a bug at
96	http://bugs.gentoo.org.
97
98	License
99	=======
100
101	Copyright 2006 Gentoo Foundation, Inc; referenced text
102	belongs to its owner(s).
103
104	The contents of this document are licensed under the
105	Creative Commons - Attribution / Share Alike license.
106
107	http://creativecommons.org/licenses/by-sa/2.0