[rssh] Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252

Adam Jackson ajax at fedoraproject.org
Mon Dec 10 18:36:01 UTC 2012


commit 205b491aeb011ffa131a68c1a96b2dc068e89666
Author: Adam Jackson <ajax at redhat.com>
Date:   Mon Dec 10 13:35:58 2012 -0500

    Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252
    
    - Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the
      CVE-2012-3478 and CVE-2012-2252 fixes.
    - Updated makefile.patch to preserve RPM CFLAGS.
    - Added command-line-error.patch (from Debian), correcting error message
      generated when insecure command line option is used (CVE-2012-3478 fix
      regression).

 .gitignore                          |    2 +
 rssh-2.3.2-makefile.patch           |   11 ---
 rssh-2.3.3-rsync-protocol.patch     |   65 -----------------
 rssh-2.3.4-command-line-error.patch |   26 +++++++
 rssh-2.3.4-makefile.patch           |   16 ++++
 rssh-2.3.4-rsync-protocol.patch     |  130 +++++++++++++++++++++++++++++++++++
 rssh.spec                           |   25 +++++--
 sources                             |    3 +-
 8 files changed, 195 insertions(+), 83 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index a111713..6e6aef4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 rssh-2.3.2.tar.gz
 /rssh-2.3.3.tar.gz
+/rssh-2.3.4.tar.gz
+/rssh-2.3.4.tar.gz.sig
diff --git a/rssh-2.3.4-command-line-error.patch b/rssh-2.3.4-command-line-error.patch
new file mode 100644
index 0000000..cec059c
--- /dev/null
+++ b/rssh-2.3.4-command-line-error.patch
@@ -0,0 +1,26 @@
+From: Russ Allbery <rra at debian.org>
+Subject: [PATCH] Fix error message from invalid options
+
+Don't refer to all invalid options as invalid scp options.
+
+Signed-off-by: Russ Allbery <rra at debian.org>
+
+---
+ util.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util.c b/util.c
+index 443dcba..774bdbe 100644
+--- a/util.c
++++ b/util.c
+@@ -152,7 +152,7 @@ bool opt_filter(char **vec, const char opt)
+ 	while (vec && *vec){
+ 		if (opt_exist(*vec, opt)){
+ 			fprintf(stderr, "\nillegal insecure %c option", opt);
+-			log_msg("insecure %c option in scp command line!", opt);
++			log_msg("insecure %c option in command line!", opt);
+ 			return TRUE;
+ 		}
+ 		vec++;
+-- 
+tg: (05e48f5..) fixes/command-line-error (depends on: fixes/command-line-checking)
diff --git a/rssh-2.3.4-makefile.patch b/rssh-2.3.4-makefile.patch
new file mode 100644
index 0000000..2296fea
--- /dev/null
+++ b/rssh-2.3.4-makefile.patch
@@ -0,0 +1,16 @@
+diff -pruN rssh-2.3.4.orig/Makefile.in rssh-2.3.4/Makefile.in
+--- rssh-2.3.4.orig/Makefile.in	2012-11-27 01:19:34.000000000 +0100
++++ rssh-2.3.4/Makefile.in	2012-11-28 18:21:03.154903684 +0100
+@@ -727,10 +727,10 @@ uninstall-man: uninstall-man1 uninstall-
+ 
+ 
+ .c.o:
+-	$(CC) -c $(DEFS) $(ourdefs) $(AM_CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
++	$(CC) -c $(DEFS) $(ourdefs) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
+ 
+ install-exec-hook:
+-	chmod u+s $(libexecdir)/rssh_chroot_helper
++	chmod u+s $(DESTDIR)$(libexecdir)/rssh_chroot_helper
+ 
+ rpm:	dist
+ 	rpmbuild -ta --sign $(base).tar.gz
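Review bot: This patch file has no description header, unlike the two Debian-derived patches in this commit, and the commit message explains only the CFLAGS half; the `$(DESTDIR)` prefix on the `chmod u+s` line is not documented anywhere. A short header such as `Use $(CFLAGS) so RPM build flags reach every object, including the setuid rssh_chroot_helper; run chmod u+s under $(DESTDIR) so a staged install does not touch the build host's libexecdir` would cover both changes. The `.c.o` rule now replaces `$(AM_CFLAGS)` rather than appending to it, so any flags upstream sets there are presumably dropped; `$(AM_CFLAGS) $(CFLAGS)` would keep both.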
diff --git a/rssh-2.3.4-rsync-protocol.patch b/rssh-2.3.4-rsync-protocol.patch
new file mode 100644
index 0000000..e1694ee
--- /dev/null
+++ b/rssh-2.3.4-rsync-protocol.patch
@@ -0,0 +1,130 @@
+From: Russ Allbery <rra at stanford.edu>
+Subject: [PATCH] Handle the rsync v3 -e option for protocol information
+
+As of rsync 3, rsync reused the -e option to pass protocol information
+from the client to the server.  We therefore cannot reject all -e
+options to rsync, only ones not sent with --server or containing
+something other than protocol information as an argument.
+
+Also scan the rsync command line for any --rsh option and reject it as
+well.  This replaces and improves the upstream strategy for rejecting
+that command-line option, taking advantage of the parsing added to
+check the -e option.
+
+Based on work by Robert Hardy.
+
+Debian Bug#471803
+
+Signed-off-by: Russ Allbery <rra at stanford.edu>
+
+---
+ util.c |   80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 72 insertions(+), 8 deletions(-)
+
+diff --git a/util.c b/util.c
+index f98d2bc..a257b06 100644
+--- a/util.c
++++ b/util.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+ 
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -198,6 +199,73 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
+ 
+ 
+ /*
++ * rsync_e_okay() - take the command line passed to rssh and look for an -e
++ *		    option.  If one is found, make sure --server is provided
++ *		    and the option contains only the protocol information.
++ *		    Also check for and reject any --rsh option.	 Returns FALSE
++ *		    if the command line should not be allowed, TRUE if it is
++ *		    okay.
++ */
++static int rsync_e_okay( char **vec )
++{
++	regex_t	re;
++	int	server = FALSE;
++	int	e_found = FALSE;
++
++	/*
++	 * rsync will send -e, followed by either just "." (meaning no special
++	 * protocol) or "N.N" (meaning a pre-release protocol version),
++	 * followed by some number of alphabetic flags indicating various
++	 * supported options.  There may be other options between - and the e,
++	 * but -e will always be the last option in the string.	 A typical
++	 * option passed by the client is "-ltpre.iL".
++	 *
++	 * Note that if --server is given, this should never be parsed as a
++	 * shell, but we'll tightly verify it anyway, just in case.
++	 *
++	 * This regex matches the acceptable flags containing -e, so if it
++	 * does not match, the command line should be rejected.
++	 */
++	static const char pattern[]
++	    = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";
++
++	/*
++	 * Only recognize --server if it's the first option.  rsync itself
++	 * always passes it that way, and if it's not the first argument, it
++	 * could be hidden from the server as an argument to some other
++	 * option.
++	 */
++	if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
++		server = TRUE;
++	}
++
++	/* Check the remaining options for -e or --rsh. */
++	if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++		return FALSE;
++	}
++	while (vec && *vec){
++		if ( strcmp(*vec, "--") == 0 ) break;
++		if ( strcmp(*vec, "--rsh") == 0
++		     || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
++			regfree(&re);
++			return FALSE;
++		}
++		if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
++			e_found = TRUE;
++			if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
++				regfree(&re);
++				return FALSE;
++			}
++		}
++		vec++;
++	}
++	regfree(&re);
++	if ( e_found && !server ) return FALSE;
++	return TRUE;
++}
++
++
++/*
+  * check_command_line() - take the command line passed to rssh, and verify
+  *			  that the specified command is one the user is
+  *			  allowed to run and validate the arguments.  Return the
+@@ -230,14 +298,10 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+ 
+ 	if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ 		/* filter -e option */
+-		if ( opt_filter(cl, 'e') ) return NULL;
+-		while (cl && *cl){
+-			if ( strstr(*cl, "--rsh" ) ){
+-				fprintf(stderr, "\ninsecure --rsh= not allowed.");
+-				log_msg("insecure --rsh option in rsync command line!");
+-				return NULL;
+-			}
+-			cl++;
++		if ( !rsync_e_okay(cl) ){
++			fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
++			log_msg("insecure -e or --rsh option in rsync command line!");
++			return NULL;
+ 		}
+ 		return PATH_RSYNC;
+ 	}
+-- 
+tg: (f8b36e2..) fixes/rsync-protocol (depends on: upstream)
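Review bot: In rsync_e_okay() the `regcomp()` failure branch returns FALSE without logging, so check_command_line() reports an internal error as `insecure -e or --rsh option in rsync command line!`. Failing closed is the right behaviour, but the branch should record its own cause, e.g. `log_msg("rsync_e_okay: regcomp() failed, rejecting command line");` before `return FALSE;`. The rejection log also omits which argument was refused, which makes audit-log triage harder. The helper is declared `static int` although it returns TRUE/FALSE and opt_filter() in the same file is `bool`; `static bool rsync_e_okay( char **vec )` would match. The header comment should also state that only -e and --rsh are examined here, so readers do not assume other rsync options are vetted by this function.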
diff --git a/rssh.spec b/rssh.spec
index 986a059..135fdf4 100644
--- a/rssh.spec
+++ b/rssh.spec
@@ -1,13 +1,15 @@
 Name:           rssh
-Version:        2.3.3
-Release:        4%{?dist}
+Version:        2.3.4
+Release:        1%{?dist}
 Summary:        Restricted shell for use with OpenSSH, allowing only scp and/or sftp
 Group:          Applications/Internet
 License:        BSD 
 URL:            http://www.pizzashack.org/rssh/
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
-Patch0:         rssh-2.3.2-makefile.patch
-Patch1:         rssh-2.3.3-rsync-protocol.patch
+Source1:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz.sig
+Patch0:         rssh-2.3.4-makefile.patch
+Patch1:         rssh-2.3.4-rsync-protocol.patch
+Patch2:         rssh-2.3.4-command-line-error.patch
 
 BuildRequires:  openssh-server, openssh-clients
 BuildRequires:  cvs rsync rdist
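Review bot: `Source1` adds the upstream detached signature, but nothing in the visible hunks checks it: the `%prep` hunk goes straight from `%setup -q` to the `%patch` lines, so the `.sig` is only stored, and the tarball URL is still plain `http://`. For a restricted shell that ships a setuid helper, verifying the tarball against a packaged upstream keyring before unpacking is worth the extra source. On current Fedora that is a keyring `Source2:` plus `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` as the first line of `%prep`, with `BuildRequires: gnupg2`. If the packager verifies the signature out of band instead, a comment next to `Source1` saying so would record that.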
@@ -15,7 +17,6 @@ Requires:       openssh-server
 Requires(pre):  shadow-utils
 
 %description
-
 rssh is a restricted shell for use with OpenSSH, allowing only scp
 and/or sftp. For example, if you have a server which you only want
 to allow users to copy files off of via scp, without providing shell
@@ -26,6 +27,7 @@ access, you can use rssh to do that. It is a alternative to scponly.
 %setup -q
 %patch0 -p1 -b .makefile
 %patch1 -p1 -b .rsync3
+%patch2 -p1 -b .cmdline-error
 
 chmod 644 conf_convert.sh
 chmod 644 mkchroot.sh
@@ -39,6 +41,9 @@ make %{?_smp_mflags}
 %install
 rm -rf %{buildroot}
 make install INSTALL="%{__install} -p" DESTDIR=%{buildroot}
+# since rssh 2.3.4, default config is installed as rssh.conf.default,
+# rename it for packaging in rpm
+mv %{buildroot}/%{_sysconfdir}/rssh.conf{.default,}
 
 %clean
 rm -rf %{buildroot}
@@ -59,6 +64,15 @@ exit 0
 
 
 %changelog
+* Mon Dec 10 2012 Tomas Hoger <thoger at fedoraproject.org> - 2.3.4-1
+- Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252
+- Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the
+  CVE-2012-3478 and CVE-2012-2252 fixes.
+- Updated makefile.patch to preserve RPM CFLAGS.
+- Added command-line-error.patch (from Debian), correcting error message
+  generated when insecure command line option is used (CVE-2012-3478 fix
+  regression).
+
 * Sat Jul 21 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.3.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 
@@ -96,4 +110,3 @@ exit 0
 * Tue Jul 22 2008 Rahul Sundaram <sundaram at fedoraproject.org> - 2.3.2-1
 - initial spec
 
-
diff --git a/sources b/sources
index 7bc5e92..75c2b07 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-b0c147602fcc95737ed50573b92fc468  rssh-2.3.3.tar.gz
+5211f5fe206704f813a3cec61f487042  rssh-2.3.4.tar.gz
+99ee2985b4f2bc53d8c6b074e7c816e0  rssh-2.3.4.tar.gz.sig

