Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions

To: Colin Watson <cjwatson@debian.org>
Cc: 922205@bugs.debian.org
Subject: Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
From: Harry Sintonen <debianbugs@kyber.fi>
Date: Tue, 26 Feb 2019 21:51:42 +0200 (EET)
Message-id: <[🔎] alpine.DEB.2.20.1902262049250.15056@o7.fi>
Reply-to: Harry Sintonen <debianbugs@kyber.fi>, 922205@bugs.debian.org
In-reply-to: <[🔎] 20190226145108.4z777kmfcd3f4yhn@riva.ucam.org>
References: <[🔎] 155004699167.19716.10540618687812793729.reportbug@o7.fi> <[🔎] 20190226145108.4z777kmfcd3f4yhn@riva.ucam.org> <[🔎] 155004699167.19716.10540618687812793729.reportbug@o7.fi>

On Tue, 26 Feb 2019, Colin Watson wrote:

On Wed, Feb 13, 2019 at 10:36:34AM +0200, Harry Sintonen wrote:

The recent openssh upstream fix to "check in scp client that filenames sent during
remote->local directory copies satisfy the wildcard specified by the user" (*) had an unfortunate
side effect of breaking a legitimate use case of scp: deliberately copying the source directory
permissions over the target directory. This is achieved by using syntax: "dir/.".


Hi,

Have you already reported this directly upstream (bugzilla.mindrot.org)?

No.

I'd expect that to be the best approach here, since the upstream master
branch exhibits the same problem, and especially since the changes were
in response to your security vulnerability report.  We can of course
cherry-pick regression fixes that have landed upstream.

Yeah likely would be the best course of action. If someone feels likeforwarding this to them, please do so.

Note that it was actually
https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
that broke this.

Indeed, I now see that this patch was indeed different from the one Isuggested initially. At the time I didn't check for "." myself either, soI also added check for it. However, I then discovered the issue we havenow. So I adjusted my patches to cater this specific syntax, separatingthe check for the "." and adding some checks to allow it in certainsituations ("dir/." etc). It's even commented in the patch, so it shouldbe quite evident what the code is doing there and why.


How exactly this was missed in the official patches is a mystery to me.

While incomplete, GNU extension dependant and clearly not as consise asthe "official", my patch at least handles the "dir/." case properly:


https://sintonen.fi/advisories/scp-name-validator.patch

PS. This is by no means a suggestion to replace the upstream patches withmy mess. It merely tries to demonstrate how I handled this particularissue.

In part I feel responsible for this bug, but then on the other hand I didtry to handle this correctly while upstream did not. I find the wholething a bit depressing.

Reply to:

References:
- Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
  - From: Harry Sintonen <debianbugs@kyber.fi>
- Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#923199: marked as done (openssh-server has a false dependency on libpam-systemd)
Next by Date: Bug#919344: adequate reports obsolete-conffile in openssh-client
Previous by thread: Bug#922205: openssh-client: scp regression: CVE-2019-6111 fix breaks syntax to overwrite target directory permissions
Next by thread: Nieuws - goud is een onmisbare bescherming voor schuldenberg van 250 miljard
Index(es):
- Date
- Thread