
Re: rssh security update breaks rsync via Synology's "hyper backup"



Russ Allbery <rra@debian.org> writes:

> I'll follow up with the proposed diffs for stable and oldstable.

Here are the proposed diffs for stable and oldstable.  The stable diff
just fixes the libssh2 interoperability regression.  The oldstable diff
fixes both that and the regression with downloading multiple files via a
wildcard.  Let me know if these are okay for upload.

I've not done an LTS security upload before, but it looks from the wiki
that it uses the same security-master process as stable security updates.
Please let me know if that's wrong.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>

diff -Nru rssh-2.3.4/debian/changelog rssh-2.3.4/debian/changelog
--- rssh-2.3.4/debian/changelog	2019-02-10 11:26:30.000000000 -0800
+++ rssh-2.3.4/debian/changelog	2019-02-18 19:40:06.000000000 -0800
@@ -1,3 +1,12 @@
+rssh (2.3.4-5+deb9u4) stretch-security; urgency=high
+
+  * The fix for the scp security vulnerability in 2.3.4-9 combined with
+    the regression fix in 2.3.4-10 rejected the -pf and -pt options, which
+    are sent by libssh2's scp support.  Add support for those variants.
+    (LP #1815935)
+
+ -- Russ Allbery <rra@debian.org>  Mon, 18 Feb 2019 19:40:06 -0800
+
 rssh (2.3.4-5+deb9u3) stretch-security; urgency=high
 
   * The fix for the scp security vulneraability in 2.3.4-5+deb9u1
diff -Nru rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch
--- rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch	2019-02-10 11:26:30.000000000 -0800
+++ rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch	2019-02-18 19:40:06.000000000 -0800
@@ -17,7 +17,8 @@
 Attempt to protect against this attack by checking the command line
 of scp and only allowing the options that are passed to the server
 end of the connection.  Require either -f or -t be given, which
-disables scp's attempts to connect to a remote host.
+disables scp's attempts to connect to a remote host.  Allow these as
+-pf and -pt, which are sent by libssh2.
 
 Debian Bug#919623
 ---
@@ -25,7 +26,7 @@
  1 file changed, 42 insertions(+), 2 deletions(-)
 
 diff --git a/util.c b/util.c
-index dc8c8fb..71e54a5 100644
+index dc8c8fb..4203eac 100644
 --- a/util.c
 +++ b/util.c
 @@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
@@ -48,11 +49,11 @@
 +		if ( strcmp(*vec, "-r") == 0 ) continue;
 +		if ( strcmp(*vec, "-p") == 0 ) continue;
 +		if ( strcmp(*vec, "-d") == 0 ) continue;
-+		if ( strcmp(*vec, "-f") == 0 ){
++		if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){
 +			saw_f_or_t = TRUE;
 +			continue;
 +		}
-+		if ( strcmp(*vec, "-t") == 0 ){
++		if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){
 +			saw_f_or_t = TRUE;
 +			continue;
 +		}
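Review bot: The new `-pf` and `-pt` comparisons match whole tokens only, so any other bundling of `-p` with another option letter is still rejected, but nothing in the code says that strictness is deliberate. A comment above the two branches, such as `/* libssh2 sends -p bundled with -f/-t as one token; accept exactly these forms, not arbitrary option clusters. */`, would keep a later regression fix from widening this into general cluster parsing. scp_okay starts and ends outside this hunk.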
diff -Nru rssh-2.3.4/debian/changelog rssh-2.3.4/debian/changelog
--- rssh-2.3.4/debian/changelog	2019-02-01 20:28:01.000000000 -0800
+++ rssh-2.3.4/debian/changelog	2019-02-18 19:50:49.000000000 -0800
@@ -1,3 +1,15 @@
+rssh (2.3.4-4+deb8u3) jessie-security; urgency=high
+
+  * The fix for the scp security vulneraability in 2.3.4-5+deb9u1
+    introduced a regression that blocked scp of multiple files from a
+    server using rssh.  Based on further analysis of scp's command-line
+    parsing, relax the check to require the server command contain -f or
+    -t, plus the -pf and -pt variants sent by libssh2, which should
+    deactivate scp's support for remote files.  (Closes: #921655)
+    (LP: #1815935)
+
+ -- Russ Allbery <rra@debian.org>  Mon, 18 Feb 2019 19:50:49 -0800
+
 rssh (2.3.4-4+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch
--- rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch	2019-02-01 20:28:01.000000000 -0800
+++ rssh-2.3.4/debian/patches/0009-Verify-scp-command-options.patch	2019-02-18 19:50:49.000000000 -0800
@@ -16,21 +16,20 @@
 
 Attempt to protect against this attack by checking the command line
 of scp and only allowing the options that are passed to the server
-end of the connection.  Specifically, do not allow multiple
-non-option arguments, which attempts to prevent causing the server
-to initiate an scp command.  (This will break scp -3 through rssh,
-which seems like an acceptable tradeoff.)
+end of the connection.  Require either -f or -t be given, which
+disables scp's attempts to connect to a remote host.  Allow these as
+-pf and -pt, which are sent by libssh2.
 
 Debian Bug#919623
 ---
- util.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 44 insertions(+), 2 deletions(-)
+ util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
 
 diff --git a/util.c b/util.c
-index dc8c8fb..60b8ff6 100644
+index dc8c8fb..4203eac 100644
 --- a/util.c
 +++ b/util.c
-@@ -266,6 +266,45 @@ static int rsync_okay( char **vec )
+@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )
  }
  
  
@@ -42,41 +41,39 @@
 + */
 +static int scp_okay( char **vec )
 +{
-+	int saw_file = FALSE;
-+	int saw_end  = FALSE;
++	int saw_f_or_t = FALSE;
 +
 +	for ( vec++; vec && *vec; vec++ ){
 +		/* Allowed options. */
-+		if ( !saw_end ) {
-+			if ( strcmp(*vec, "-v") == 0 ) continue;
-+			if ( strcmp(*vec, "-r") == 0 ) continue;
-+			if ( strcmp(*vec, "-p") == 0 ) continue;
-+			if ( strcmp(*vec, "-d") == 0 ) continue;
-+			if ( strcmp(*vec, "-f") == 0 ) continue;
-+			if ( strcmp(*vec, "-t") == 0 ) continue;
++		if ( strcmp(*vec, "-v") == 0 ) continue;
++		if ( strcmp(*vec, "-r") == 0 ) continue;
++		if ( strcmp(*vec, "-p") == 0 ) continue;
++		if ( strcmp(*vec, "-d") == 0 ) continue;
++		if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){
++			saw_f_or_t = TRUE;
++			continue;
 +		}
-+
-+		/* End of arguments.  One more argument allowed after this. */
-+		if ( !saw_end && strcmp(*vec, "--") == 0 ){
-+			saw_end = TRUE;
++		if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){
++			saw_f_or_t = TRUE;
 +			continue;
 +		}
 +
-+		/* No other options allowed, but allow file starting with -. */
-+		if ( *vec[0] == '-' && !saw_end ) return FALSE;
-+		if ( saw_file ) return FALSE;
-+		saw_file = TRUE;
++		/* End of arguments. */
++		if ( strcmp(*vec, "--") == 0 ) break;
++
++		/* Any other argument is not allowed. */
++		if ( *vec[0] == '-' ) return FALSE;
 +	}
 +
-+	/* We must have seen a single file. */
-+	return saw_file;
++	/* Either -f or -t must have been given. */
++	return saw_f_or_t;
 +}
 +
 +
  /*
   * check_command_line() - take the command line passed to rssh, and verify
   *			  that the specified command is one the user is
-@@ -281,8 +320,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
  		return PATH_SFTP_SERVER;
  
  	if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
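Review bot: `saw_f_or_t` is set wherever `-f`, `-t`, `-pf` or `-pt` appears in the vector, including after a non-option argument, because the loop does not change state when it meets an operand. The check is only as strong as its agreement with scp's own parser: if scp stops option parsing at the first operand (not visible here; it depends on the getopt scp is built with), a trailing `-f` satisfies scp_okay without putting scp into the server mode the patch description relies on. Rejecting every `-`-prefixed token once an operand has been seen is safe under either parsing model, as sketched below. The comment `Any other argument is not allowed` would be more accurate as `Any other option`, and `(*vec)[0]` reads more plainly than `*vec[0]`. Both index lines end in `4203eac`, so the stable patch yields the same util.c and the same applies to the `-48,11` hunk above.

```c
static int scp_okay( char **vec )
{
	int saw_f_or_t = FALSE;
	int saw_operand = FALSE;

	for ( vec++; vec && *vec; vec++ ){
		/* After the first operand, accept no further options. */
		if ( saw_operand ){
			if ( (*vec)[0] == '-' ) return FALSE;
			continue;
		}

		/* ... unchanged: allowed options -v -r -p -d, -f/-pf, -t/-pt ... */

		/* End of arguments. */
		if ( strcmp(*vec, "--") == 0 ) break;

		/* Any other option is not allowed. */
		if ( (*vec)[0] == '-' ) return FALSE;
		saw_operand = TRUE;
	}
	/* ... unchanged: return saw_f_or_t ... */
```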
