Bug#352254: scp shell metacharacter expansion

To: submit@bugs.debian.org
Subject: Bug#352254: scp shell metacharacter expansion
From: Niall Sheridan <niall@evil.ie>
Date: Fri, 10 Feb 2006 17:56:08 +0000
Message-id: <[🔎] 5121cf7c0602100956w7abca0aei7de6a7827236f555@mail.gmail.com>
Reply-to: Niall Sheridan <niall@evil.ie>, 352254@bugs.debian.org

Package: openssh
Version: 1:4.2p1-5

As per CVE-2006-0225, scp does not properly escape metacharacters when
doing local-local copying.
Most noticeable when you leave off the ':' of a hostname

$ touch "\`rm  -rf myfile\`"
$ touch myfile

$ ls -l
total 0
-rw-r-----  1 nsheridan eng 0 2006-02-09 17:41 myfile
-rw-r-----  1 nsheridan eng 0 2006-02-09 17:40 `rm  -rf myfile`

$ scp -vvv * somehost
Executing: exec cp myfile somehost
Executing: exec cp `rm  -rf myfile` somehost
cp: missing destination file
Try `cp --help' for more information.

$ ls -l
total 0
-rw-r-----  1 nsheridan eng 0 2006-02-09 17:40 `rm  -rf myfile`
-rw-r-----  1 nsheridan eng 0 2006-02-09 17:44 somehost

I swiped the patch from
http://bugzilla.mindrot.org/show_bug.cgi?id=1094 and merged it.
Attached.

Attachment: scp-expansion.patch
Description: Binary data

Reply to:

Follow-Ups:
- Bug#352254: scp shell metacharacter expansion
  - From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Prev by Date: Bug#352042: Bug #352042: openssh-server: incompatible pointer types break, gssapi auth on alpha, possibly others
Next by Date: Processed: Re: Bug#352254: scp shell metacharacter expansion
Previous by thread: Bug#352042: Bug #352042: openssh-server: incompatible pointer types break, gssapi auth on alpha, possibly others
Next by thread: Bug#352254: scp shell metacharacter expansion
Index(es):
- Date
- Thread