Bug#796314: openssh: copying specially crafted filenames executes shell-command
Source: openssh
Severity: important
Tags: upstream security

According to [1], specially crafted filenames containing control characters
can cause scp to execute commands in the current shell. This also works when
copying files from remote (potentially untrusted) servers
to the local client.

This works:

remote:
  $ touch "ab`tput clear`cd"
local:
  $ scp user@host:"/dir/ab*" .

which clears the screen in jessie.

Fedora has already fixed [2] this bug.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2434
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1247204

-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-586
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
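
One way a client can display remote file names without passing their control bytes to the terminal, as an added example (not code from this report or from OpenSSH). The function name `tty_safe_name`, the `\xHH` output format and the sample name are assumptions constructed for illustration; the sketch escapes every byte outside printable ASCII, so non-ASCII names are shown escaped as well.

```c
#include <stdio.h>
#include <string.h>

/*
 * Render a file name for terminal display. Bytes outside printable ASCII
 * (0x20..0x7e) and the backslash itself are written as \xHH, so ESC and
 * other control bytes never reach the terminal.
 * Returns the length written (excluding the NUL). If out is too small the
 * result is truncated, never in the middle of an escape.
 */
size_t tty_safe_name(const char *name, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        int plain = (*p >= 0x20 && *p <= 0x7e && *p != '\\');
        size_t need = plain ? 1 : 4;

        if (o + need >= outsz)      /* keep room for the terminating NUL */
            break;
        if (plain) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: "ab", a typical clear-screen sequence, "cd". */
    const char *name = "ab\x1b[H\x1b[2Jcd";
    char shown[256];

    tty_safe_name(name, shown, sizeof(shown));
    printf("%s\n", shown);          /* the escape bytes print as visible text */
    return 0;
}
```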