Bug#327019: ssh: scp allows remote execution of shell commands when semicolon is used in filename



severity 327019 grave
thanks

On Wed, Sep 07, 2005 at 12:36:03PM +0700, Alexey Feldgendler wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.4
> Severity: critical

> Here is my testcase:

> $ scp remotehost@';uname -a'
> Linux pancake 2.6.11-1-686 #1 Mon Jun 20 22:00:38 MDT 2005 i686 GNU/Linux

> That line comes from the remote host (I verified this by trying
> hostname command instead of uname -a, that gives the name of the
> remote host).

If this is a security bug, then it would seem to be a grave (user
security hole) bug, not a critical (root security hole) bug.

> I'm not sure that this is a security hole because a user can anyway
> connect with ssh and execute arbitrary commands. But it can possibly
> be a vulnerability if the user account has a restricted shell, or PAM
> restrictions that allow scp but disallow ssh are in effect. I haven't
> checked these cases, but I set this bug's severity to critical just in
> case it really turns out to be a security hole.

Ok, so if you configure your server to *disallow* arbitrary command
execution via ssh, does this scp command still work?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Attachment: signature.asc
Description: Digital signature
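
Added example, not part of the original message or of OpenSSH: a local model of the behaviour in the testcase and of the check a restricted account would need, which is the case the question above asks about. It assumes the legacy scp client asks the server to run `scp -f <path>` and that the server hands that string to the account's shell; `run_as_login_shell`, `allowed_scp_argv`, the `INJECTED` marker and the sample path are constructed for illustration.

```python
import shlex
import subprocess

def remote_command(path):
    """Command string requested from the server for a download of `path`."""
    return "scp -f " + path

def run_as_login_shell(command):
    """Model the server side: the string is handed to `sh -c`.
    `scp` is stubbed as a no-op shell function so nothing is copied."""
    stub = "scp() { :; }; "
    done = subprocess.run(["sh", "-c", stub + command],
                          capture_output=True, text=True)
    return done.stdout

# Characters a shell treats specially; any of them rejects the request.
SHELL_META = set(";&|<>`$(){}[]*?~#!\\\"'\n")
SCP_FLAGS = {"-f", "-t", "-r", "-p", "-d", "-v"}

def allowed_scp_argv(requested):
    """Strict policy for a restricted account (hypothetical helper):
    return an argv to exec without a shell, or None to refuse."""
    if any(ch in SHELL_META for ch in requested):
        return None
    argv = requested.split()
    if len(argv) < 3 or argv[0] != "scp":
        return None
    flags, target = argv[1:-1], argv[-1]
    if any(f not in SCP_FLAGS for f in flags) or target.startswith("-"):
        return None
    if ("-f" in flags) == ("-t" in flags):   # exactly one transfer mode
        return None
    return argv

if __name__ == "__main__":
    marker = ";echo INJECTED"                 # constructed, harmless payload
    print(repr(run_as_login_shell(remote_command(marker))))
    print(repr(run_as_login_shell(remote_command(shlex.quote(marker)))))
    print(allowed_scp_argv("scp -f ;uname -a"))
    print(allowed_scp_argv("scp -f /srv/pub/file.txt"))
```

The policy is deliberately strict: it also refuses legitimate names containing quotes or spaces, since accepting them would require parsing the string the way a shell does.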

