CVE-2007-6415 - scponly allows remote command execution

Bug #249593 reported by Michael Casadevall
Affects | Status | Importance | Assigned to | Milestone
scponly (Ubuntu) | Invalid | Undecided | Michael Casadevall |
Dapper | Fix Released | Undecided | Unassigned |
Feisty | Won't Fix | Undecided | Michael Casadevall |
Gutsy | Won't Fix | Undecided | Unassigned |

Bug Description

Binary package hint: scponly

scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute arbitrary code by invoking scp, as implemented by OpenSSH, with the -F and -o options.

Fixed in hardy, and intrepid.
Fixes coming for gutsy, feisty, and dapper.
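
Added example (not part of the bug report and not scponly's own code): a C check of the kind a restricted scp wrapper needs for the -o and -F options named in the description, covering the separate, attached-value and bundled forms. The function name, the TAKES_VALUE list and the sample command lines are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Options the report names as dangerous when a restricted user can pass them to scp. */
static const char DENIED[] = "oF";
/* Assumption: scp short options that consume a value, so the rest of the
 * cluster is data, not more flags. List only options you have verified. */
static const char TAKES_VALUE[] = "ciPSl";

/* Returns true if any argument could make scp's option parser see -o or -F.
 * Fails closed: every argument starting with '-' is scanned, even one that
 * may turn out to be another option's value or to follow "--". */
bool scp_args_denied(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a == NULL || a[0] != '-' || a[1] == '\0')
            continue;                      /* operand or lone "-" */
        for (const char *p = a + 1; *p != '\0'; p++) {
            if (strchr(DENIED, *p) != NULL)
                return true;               /* -o, -F, -oKey=value, -rF, ... */
            if (strchr(TAKES_VALUE, *p) != NULL)
                break;                     /* remainder is that option's value */
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample command lines. */
    char *ok[]  = {"scp", "-t", "/srv/upload", NULL};
    char *bad[] = {"scp", "-rF", "constructed.conf", "-t", ".", NULL};
    printf("ok=%d bad=%d\n", scp_args_denied(3, ok), scp_args_denied(5, bad));
    return 0;
}
```

A wrapper would call this before exec'ing scp and refuse the request when it returns true.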

Changed in scponly:
assignee: nobody → sonicmctails
status: New → In Progress
Michael Casadevall (mcasadevall) wrote :

scponly was fixed by Debian upstream before gutsy release; relevant changelog:

scponly (4.6-1.1) unstable; urgency=high

  * Non-maintainer upload by the testing-security team
  * Disable unison, rsync and svn usability, because all three could be
    exploited. (Closes: #437148)
   - The maintainer is working on splitting the packages and providing
     a binary package, which enables these features, but warns about
     them and one, which is safe and has them disabled, like this

 -- Steffen Joeris <email address hidden> Tue, 25 Sep 2007 10:06:31 +0000

Michael Casadevall (mcasadevall) wrote :

Attached patch for feisty

Michael Casadevall (mcasadevall) wrote :

Dapper patch.

Michael Casadevall (mcasadevall) wrote :

http://bugs.gentoo.org/show_bug.cgi?id=203099 - This was the patch used to close the security hole.

Changed in scponly:
status: In Progress → Invalid
assignee: nobody → sonicmctails
status: New → In Progress
assignee: nobody → sonicmctails
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Actually, gutsy is affected -- the aforementioned changelog entry is for CVE-2007-6350. CVE-2007-6415 was fixed in Debian in 4.6-1.2.

scponly (4.6-1.2) unstable; urgency=high

  * Non-maintainer upload by the Security Team
  * scp: -o and -F options are dangerous (CVE-2007-6415).

Changed in scponly:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thanks Michael for submitting the debdiffs and sorry for the delay in processing them. I have reviewed them and came across:
http://www.debian.org/security/2008/dsa-1473
https://bugzilla.redhat.com/show_bug.cgi?id=426072

It looks like you applied only part of the patch. Can you confirm? Also, your changelogs mention adding dpatch and the dpatch file, but this is not in the debdiff. Currently Ubuntu does not add patch systems in security uploads, so please just patch in place since scponly does not have one in place. When you have updated and submitted your debdiffs, please mark back as 'In Progress'.

Thanks again!

Changed in scponly:
status: In Progress → Triaged
status: In Progress → Triaged
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in scponly:
status: Triaged → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in scponly (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in scponly (Ubuntu Dapper):
status: Triaged → Fix Committed
assignee: Michael Casadevall (mcasadevall) → nobody
Jamie Strandboge (jdstrand) wrote :

scponly (4.6-1etch1build0.6.06.1) dapper-security; urgency=low

  * fake sync from Debian

scponly (4.6-1etch1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Remove rsync, Subversion and Unison support because it was possible
    to gain shell access through them (CVE-2007-6350). Closes: #437148.
  * scp: -o and -F options are dangerous (CVE-2007-6415).

 -- Jamie Strandboge < <email address hidden>> Wed, 07 Oct 2009 07:47:50 -0500

Changed in scponly (Ubuntu Dapper):
status: Fix Committed → Fix Released