
Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions



On Wed, Feb 13, 2019 at 10:36:34AM +0200, Harry Sintonen wrote:
> The recent openssh upstream fix to "check in scp client that filenames sent during
> remote->local directory copies satisfy the wildcard specified by the user" (*) had an unfortunate
> side effect of breaking a legitimate use case of scp: deliberately copying the source directory
> permissions over the target directory. This is achieved by using syntax: "dir/.".

Hi,

Have you already reported this directly upstream (bugzilla.mindrot.org)?
I'd expect that to be the best approach here, since the upstream master
branch exhibits the same problem, and especially since the changes were
in response to your security vulnerability report.  We can of course
cherry-pick regression fixes that have landed upstream.

Note that it was actually
https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
that broke this.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

