Probable regression after rssh security update

Bug #1815741 reported by Iyyappa Murugandi
Affects: libssh2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

version: v1.5 (or above)

Last week the rssh package was updated to include a security patch (2.3.4-4+deb8u1build0.16.04.1), after which the download scenario is broken. This happens only for users that are created with the default rssh shell login.

Specifically, the libssh2_scp_recv()/libssh2_scp_recv2() functions either return 0 or LIBSSH2_ERROR_SCP_PROTOCOL even though the file is present with proper content.

For the scp example in libssh2 code base, it is stuck at the _libssh2_recv() function.

(gdb) bt
#0 0x00007ffff7b908f0 in __errno_location@plt () from /home/ching/libssh2/debug/src/libssh2.so.1
#1 0x00007ffff7bae04c in _libssh2_recv (sock=3, buffer=0x608528, length=16384, flags=16384, abstract=0x6082e0) at /home/ching/libssh2/libssh2/src/misc.c:154
#2 0x00007ffff7bc38a4 in _libssh2_transport_read (session=0x6082e0) at /home/ching/libssh2/libssh2/src/transport.c:370
#3 0x00007ffff7b9c143 in _libssh2_channel_read (channel=0x615970, stream_id=0, buf=0x7fffffffe150 "\307\016\340=", buflen=1024) at /home/ching/libssh2/libssh2/src/channel.c:1814
#4 0x00007ffff7b9c525 in libssh2_channel_read_ex (channel=0x615970, stream_id=0, buf=0x7fffffffe150 "\307\016\340=", buflen=1024) at /home/ching/libssh2/libssh2/src/channel.c:1948
#5 0x000000000040143b in main (argc=5, argv=0x7fffffffe658) at /home/ching/libssh2/libssh2/example/scp.c:157

Steps to repro:

1. sudo useradd -s /usr/bin/rssh -r -N -c "test" -G testgroup test
2. sudo passwd test
3. sudo usermod -a -G rsshusers test

4. Build libssh2
5. Run scp example
./example/example-scp 127.0.0.1 test test /tmp/f1.txt

Stuck and fails to read the file.

Libssh2 logs indicate rssh returned the following error:

insecure scp option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp

The rssh security patch is targeted at scp commands, but I am not sure why it affects clients using libssh2.
Please could you take a look.

I have also posted the issue in rssh package discussion list.
https://answers.launchpad.net/ubuntu/+source/rssh/+question/678522

Iyyappa Murugandi (mitsmiles) wrote :

No, the 2.3.4-4+deb8u2ubuntu0.16.04.1 release didn't fix the issue.
2.3.4-4+deb8u2ubuntu0.16.04.1 is mainly targeted for downloading multiple files using '*' based on the issue raised by https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921655.

In our case, we don't use scp commands directly but use libssh2 client library to do scp.
I have attached the example libssh2 code to repro the issue.

Iyyappa Murugandi (mitsmiles) wrote :

Sorry, ignore the previous comment. It was meant for the rssh mailing list.

Anyway, libssh2 sends the scp request as "scp -pf <filename>". But rssh has added a new validation function which expects the commands to be specified as "-p -f" instead of "-pf". Since it is a regression, I have requested the rssh maintainer to fix the issue and provide the patch.

In the future, libssh2 should send those options individually rather than combined, as preferred by rssh.
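
The "-pf" versus "-p -f" mismatch described in the comment above, as an added example that is not part of the original report and is not rssh's or libssh2's code: a hypothetical allowlist check for an scp server-mode command line, once in a strict form that accepts only single-flag tokens and once in a cluster-aware form that checks every letter of a combined token. The flag allowlist and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist of scp server-mode flags, chosen for illustration. */
static const char ALLOWED[] = "dfprtv";

/* Strict model: an option token must be exactly "-" plus one allowed flag. */
static bool token_ok_strict(const char *tok) {
    return tok[0] == '-' && tok[1] != '\0' && tok[2] == '\0'
        && strchr(ALLOWED, tok[1]) != NULL;
}

/* Cluster-aware model: "-pf" is checked as 'p' and then 'f'. */
static bool token_ok_cluster(const char *tok) {
    if (tok[0] != '-' || tok[1] == '\0') return false;
    for (const char *c = tok + 1; *c; c++)
        if (strchr(ALLOWED, *c) == NULL) return false;
    return true;
}

/* Validates "scp <options> <path>" split on spaces (no shell quoting handled).
 * Every token that starts with '-' must pass token_ok, wherever it appears. */
static bool scp_cmd_allowed(const char *cmd, bool (*token_ok)(const char *)) {
    char tok[256];
    int operands = 0;
    const char *p = cmd;
    for (int i = 0; ; i++) {
        p += strspn(p, " ");
        size_t n = strcspn(p, " ");
        if (n == 0) break;                      /* end of command line */
        if (n >= sizeof tok) return false;      /* refuse oversized tokens */
        memcpy(tok, p, n);
        tok[n] = '\0';
        p += n;
        if (i == 0) { if (strcmp(tok, "scp") != 0) return false; }
        else if (tok[0] != '-') operands++;     /* path operand */
        else if (!token_ok(tok)) return false;  /* option outside the allowlist */
    }
    return operands > 0;
}

int main(void) {
    const char *req = "scp -pf /tmp/f1.txt";    /* request form quoted in the report */
    printf("strict: %d cluster: %d\n", scp_cmd_allowed(req, token_ok_strict),
           scp_cmd_allowed(req, token_ok_cluster));
    return 0;
}
```
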

Mike Salvatore (mikesalvatore) wrote :

Please try 2.3.4-4+deb8u2ubuntu0.16.04.2 and see if it resolves your issue.

Changed in libssh2 (Ubuntu):
status: New → Fix Released
Iyyappa Murugandi (mitsmiles) wrote :

Thanks, will test it on our end.
