Package: rssh / 2.3.4-5+deb9u4

Metadata

Package: rssh
Version: 2.3.4-5+deb9u4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 Fix invalid option error.patch

util.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix invalid option error

Don't refer to all invalid options as invalid scp options.

0002 Honor CFLAGS CPPFLAGS passed to configure.patch

Makefile.am | 8 2 + 6 - 0 !
1 file changed, 2 insertions(+), 6 deletions(-)

 honor cflags/cppflags passed to configure

The CFLAGS from dpkg-buildflags are missing because they are
overwritten in Makefile.am.

The attached patch removes an incorrect build rule and passes the
custom flags through AM_CFLAGS/AM_CPPFLAGS.  All custom flags are
still passed correctly.

Signed-off-by: Russ Allbery <rra@debian.org>

0003 Fix buffer allocation buffer for fail message.patch

util.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix buffer allocation buffer for fail message

The failure log message when the user isn't permitted to run the
command they're attempting includes a summary of the commands the
user is allowed to run.  The allocation for that string was not
reserving space for the nul byte at the end of the string, causing
a one-byte overwrite past the end of the string.

0004 Lower syslog priority to debug.patch

rsshconf.c | 20 10 + 10 - 0 !
1 file changed, 10 insertions(+), 10 deletions(-)

 lower syslog priority to debug

Lower priority of all of the routine syslog messages from info to debug
to cut down on log noise.

0005 Fix spelling errors in manual pages.patch

rssh.1 | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix spelling errors in manual pages


0006 Fixes and improvements to mkchroot.sh.patch

mkchroot.sh | 105 81 + 24 - 0 !
1 file changed, 81 insertions(+), 24 deletions(-)

 fixes and improvements to mkchroot.sh

Debian wants libnss_compat* in addition to libnss_files* for UID
lookups to work properly, and doesn't have a libnss1_files*.  With
multiarch, these libraries have also been moved into a subdirectory of
/lib.

Create the /dev/null device in the chroot, needed by sftp-server.
Create the /dev/log device in the chroot, for one less step.

Update the code to copy over libraries to be able to parse the new
output from ldd.

Update file paths for Debian.

Add better error handling.

Warn that /etc/passwd is being copied into the chroot jail and that
the user may wish to edit out some users and remove any sensitive
information.  (Debian Bug#366655)

Thanks to proctor mcduff and Jeremy Jongepier for their contributions.

0007 Verify rsync command options.patch

util.c | 95 86 + 9 - 0 !
1 file changed, 86 insertions(+), 9 deletions(-)

 verify rsync command options

As of rsync 3, rsync reused the -e option to pass protocol information
from the client to the server.  We therefore cannot reject all -e
options to rsync, only ones not sent with --server or containing
something other than protocol information as an argument.

Be stricter about the rsync command line and require --server as the
first argument, which disables attempts to initiate rsync outbound from
the server and in turn could trigger running code specified in ssh
client configuration options.

Also scan the rsync command line for any --rsh, --config, or --daemon
option and reject it as well.  This replaces and improves the upstream
strategy for rejecting that command-line option, taking advantage of
the parsing added to check the -e option.  --config can be used to run
commands via "pre-xfer exec" when running as a daemon, plus the client
should not be able to spawn daemons.

Unset the HOME environment variable to prevent popt from loading a
~/.popt configuration file, which could redefine rsync command-line
options like --server to instead mean some unsafe option, or even run
commands directly.

Based on work by Robert Hardy and a report by Nick Cleaton.

Debian Bug#471803

0008 Add support for Subversion svnserve.patch

conf_convert | 48 48 + 0 - 0 !
conf_convert.sh | 45 0 + 45 - 0 !
configure.ac | 22 20 + 2 - 0 !
main.c.in | 5 4 + 1 - 0 !
pathnames.h.in | 1 1 + 0 - 0 !
rssh.conf.5 | 17 11 + 6 - 0 !
rssh.conf.5.in | 17 11 + 6 - 0 !
rssh.conf.default | 28 15 + 13 - 0 !
rssh.h | 13 7 + 6 - 0 !
rssh_chroot_helper.c | 3 3 + 0 - 0 !
rsshconf.c | 50 46 + 4 - 0 !
util.c | 35 26 + 9 - 0 !
util.h | 3 2 + 1 - 0 !
13 files changed, 194 insertions(+), 93 deletions(-)

 add support for subversion (svnserve)

Adds support for svn access via svnserve.  This adds an additional
field to the bitmask in /etc/rssh.conf that's used to control Subversion
access.  Users authorized to run svnserve may run only svnserve -t
exactly.

Debian Bug#284756

Signed-off-by: Russ Allbery <rra@debian.org>

0009 Verify scp command options.patch

util.c | 44 42 + 2 - 0 !
1 file changed, 42 insertions(+), 2 deletions(-)

 verify scp command options

ESnet discovered a security vulnerability in the scp backend for
rssh.  Since the arguments to scp on the server side were not
checked, the client could pass in arbitrary scp command-line flags,
including setting arbitrary scp options.  This allows setting the
option PKCS11Provider, which loads and executes code from a shared
module.

Even if the -o flag is blocked, this is still possible via -F to
load an already-uploaded ssh configuration file, or, if .ssh/config
is writable, by just uploading that configuration file directly
first.

Attempt to protect against this attack by checking the command line
of scp and only allowing the options that are passed to the server
end of the connection.  Require either -f or -t be given, which
disables scp's attempts to connect to a remote host.  Allow these as
-pf and -pt, which are sent by libssh2.

Debian Bug#919623
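
The allow-list check that the 0009 description outlines, as an added example that is not the code from the Debian patch or from rssh. The function name `scp_args_ok`, the exact allow-list (the `-d`, `-p`, `-r`, `-v` flags in addition to the `-f`, `-t`, `-pf`, `-pt` named above) and the sample command lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list: flags an scp client sends to the remote scp,
 * plus the -pf/-pt spellings the patch description mentions. */
static const char *const allowed[] = {
    "-d", "-p", "-r", "-v", "-f", "-t", "-pf", "-pt", NULL
};
static const char *const modes[] = { "-f", "-t", "-pf", "-pt", NULL };

static int in_list(const char *arg, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcmp(arg, *list) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: returns 1 if the NULL-terminated argv is an
 * acceptable server-side scp invocation, 0 otherwise. */
int scp_args_ok(char *const argv[])
{
    int have_mode = 0;

    if (argv == NULL || argv[0] == NULL)
        return 0;
    for (int i = 1; argv[i] != NULL; i++) {
        if (strcmp(argv[i], "--") == 0)
            break;                 /* everything after "--" is a path */
        if (argv[i][0] != '-')
            continue;              /* operand; keep scanning in case the
                                      option parser permutes arguments */
        if (!in_list(argv[i], allowed))
            return 0;              /* rejects -o, -F and anything unlisted */
        if (in_list(argv[i], modes))
            have_mode = 1;
    }
    return have_mode;              /* without -f/-t scp acts as a client */
}

int main(void)
{
    /* Constructed sample command lines. */
    char *ok[]  = { "scp", "-r", "-t", "/upload", NULL };
    char *bad[] = { "scp", "-oPKCS11Provider=/placeholder.so", "-t", ".", NULL };
    printf("%d %d\n", scp_args_ok(ok), scp_args_ok(bad));
    return 0;
}
```

The scan is deliberately conservative: a path that begins with `-` is refused unless it follows `--`, and combined flags other than `-pf` and `-pt` are refused.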

0010 Check command line after chroot.patch

rssh_chroot_helper.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 check command line after chroot

When a command was configured with a chroot, rssh did not check
the safety of the command line after chroot, allowing various
vectors of remote code execution inside the chroot environment.
Perform the same check after chroot as is performed before running
the command when a chroot is not configured.