[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#796314: openssh: copying special crafted filenames executes shell-command

Source: openssh
Severity: important
Tags: upstream security


According to [1] special crafted filenames containing control characters
can cause scp to execute commands in the current shell. This works also on
copying files from remote (potential untrusted) servers
to local client.

this works:
remote:
$ touch "ab`tput clear`cd"

local:
$ scp user@host:"/dir/ab*" .

which clears the screen in jessie.

Fedora has fixed [2] this bug already.

[1]https://bugzilla.mindrot.org/show_bug.cgi?id=2434
[2]https://bugzilla.redhat.com/show_bug.cgi?id=1247204



-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-586
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply to: