
Bug#349645: ssh: local code execution in scp [CVE-2006-0225]



On Tue, Jan 24, 2006 at 11:22:23AM +0100, Martin Pitt wrote:
> Package: ssh
> Severity: important
> Tags: security patch
> 
> Hi!
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=1094 describes a flaw in
> scp: it expands shell characters and escapes twice which could lead to
> unwanted shell code execution. It affects cases where scp is used to
> transfer untrusted directories, but this could happen in automated
> systems, cron jobs, etc.
> 
> The reporter provided a patch, but it has not yet been acknowledged by
> upstream.

It's not clear to me whether upstream will change this, because it's not
possible to fix many scp issues without breaking protocol compatibility:

  http://www.openssh.org/faq.html#2.10

The official line is to use sftp instead.

Therefore, unless and until upstream acknowledges the bug and decides
what to do about it, I don't intend to change this in Debian in case I
affect protocol compatibility with other systems. Users concerned about
the security impact of this bug should migrate away from scp to sftp,
rsync-over-ssh, or similar.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]



