Bug#270770: ssh: CAN-2004-0175 "Directory traversal vulnerability in scp for OpenSSH before 3.4p1"
On Thu, Sep 09, 2004 at 04:11:34PM +0900, Hideki Yamane wrote:
> Package: ssh
> Version: 1:3.8.1p1-8
> Severity: critical
> Tags: security,woody
> Justification: causes serious data loss
>
> Dear ssh maintainer,
>
> CAN-2004-0175 says "Directory traversal vulnerability in scp for OpenSSH
> before 3.4p1" and woody's ssh package version is "1:3.4p1-1.woody.3".
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175)
>
> In RH bugzilla, pointed out fix code
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114
> and I've checked woody's ssh code, but not found such fixes.
>
> So I think this vulnerability affects Debian.
>
>
> ---------------------------------------------------------------------------------
> * I cannot find any information about it in openssh website. (Why?)
> (http://www.openssh.com/security.html)
> [...]
> * In SuSE-SA:2004:009: Linux Kernel, as just a "pending and workaround"
>   issue.
> (http://www.suse.com/de/security/2004_09_kernel.html)
>
> * Red Hat has not yet released an SA, but the related bugzilla post is here.
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147
> ---------------------------------------------------------------------------------

The reason that you see this pattern is that:

- The flaw is truly in the rcp protocol, and I don't think it can be fixed
  properly without incompatibly changing it

- The effects were not judged serious enough to implement the various
  attempts at workarounds

- The OpenBSD CVS commit you reference is a partial workaround, not a fix

As far as I know, no vendors shipping OpenSSH have found this issue
appropriate for a security update.

The issue goes back to 2000:

http://cert.uni-stuttgart.de/archive/bugtraq/2000/09/msg00499.html

--
- mdz
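
An added example, not part of the original thread and not OpenSSH's code: a receiver-side check on the file name that an rcp/scp peer supplies in its control record, rejecting names that would leave the target directory. The record layout (`C<mode> <size> <name>`), the function `check_record` and the sample records are assumptions made for illustration; a check of this kind narrows the directory traversal on the receiving side and leaves the protocol itself unchanged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum rec_status { REC_OK, REC_MALFORMED, REC_BAD_NAME };

/* Check one control record sent by the remote end, assumed to look like
 * "C<mode> <size> <name>\n" (file) or "D<mode> <size> <name>\n" (directory).
 * On REC_OK, *name_out points at the name inside rec (newline-terminated). */
enum rec_status check_record(const char *rec, const char **name_out)
{
    const char *p = rec;
    char *end;
    size_t len;
    if (*p != 'C' && *p != 'D')
        return REC_MALFORMED;
    p++;
    for (int i = 0; i < 4; i++, p++)      /* mode: four octal digits */
        if (*p < '0' || *p > '7')
            return REC_MALFORMED;
    if (*p++ != ' ')
        return REC_MALFORMED;
    if (*p < '0' || *p > '9')             /* size: decimal digits */
        return REC_MALFORMED;
    (void)strtoull(p, &end, 10);
    if (*end != ' ')
        return REC_MALFORMED;
    p = end + 1;
    len = strcspn(p, "\n");
    if (len == 0 || p[len] != '\n')
        return REC_MALFORMED;
    /* The name must be a single path component: no '/', not "." or "..". */
    if (memchr(p, '/', len) != NULL ||
        (len == 1 && p[0] == '.') ||
        (len == 2 && p[0] == '.' && p[1] == '.'))
        return REC_BAD_NAME;
    *name_out = p;
    return REC_OK;
}

int main(void)
{
    /* Constructed sample records, not captured traffic. */
    const char *recs[] = { "C0644 12 notes.txt\n", "C0644 12 ../.profile\n",
                           "D0755 0 ..\n", "C0644 12 /etc/motd\n" };
    const char *name;
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("record %zu -> %d\n", i, (int)check_record(recs[i], &name));
    return 0;
}
```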