copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2008.0079 -- [UNIX/Linux][Debian] -- New scponly packages fix arbitrary code execution

Date: 22 January 2008

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2008.0079 -- [UNIX/Linux][Debian]
             New scponly packages fix arbitrary code execution
                              22 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              scponly
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      Debian GNU/Linux 3.1
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-6415 CVE-2007-6350

Original Bulletin:    http://www.debian.org/security/2008/dsa-1473

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running scponly check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1473                    security@debian.org
http://www.debian.org/security/                           Florian Weimer
January 21, 2008                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : scponly
Vulnerability  : design flaw
Problem type   : remote
Debian-specific: no
CVE Ids        : CVE-2007-6350, CVE-2007-6415
Debian Bug     : 437148

Joachim Breitner discovered that Subversion support in scponly is
inherently insecure, allowing execution of arbitrary commands.  Further
investigation showed that rsync and Unison support suffer from similar
issues.  This set of issues has been assigned CVE-2007-6350.

In addition, it was discovered that it was possible to invoke with scp
with certain options that may lead to execution of arbitrary commands
(CVE-2007-6415).

This update removes Subversion, rsync and Unison support from the
scponly package, and prevents scp from being invoked with the dangerous
options.

For the stable distribution (etch), these problems have been fixed in
version 4.6-1etch1.

For the old stable distribution (sarge), these problems have been fixed
in version 4.0-1sarge2.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your scponly package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- - ----------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0.orig.tar.gz
    Size/MD5 checksum:    85053 1706732945996865ed0cccd440b64fc1
  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2.diff.gz
    Size/MD5 checksum:    27490 380ea78eb602749989c8031a4f916c79
  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2.dsc
    Size/MD5 checksum:      892 f37d3236975bdb6742eba5ac788c40c2

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_alpha.deb
    Size/MD5 checksum:    31322 c4d3637ba9ab71b2a05e1633de4abae4

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_amd64.deb
    Size/MD5 checksum:    30228 05493720ebd6da8ea4b44d7fc98b3337

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_arm.deb
    Size/MD5 checksum:    28806 2e38b46c8da8a2f118da64fb8d099ebd

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_hppa.deb
    Size/MD5 checksum:    30170 44b3383c7f63172f63791b99784e67a8

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_i386.deb
    Size/MD5 checksum:    29322 62413a011d04721bb4b6f9a3d9496e27

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_ia64.deb
    Size/MD5 checksum:    33034 c0673fdff69d062fc32231d3f3221405

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_m68k.deb
    Size/MD5 checksum:    29002 b060925bb242e68612a358860e53db0b

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_mips.deb
    Size/MD5 checksum:    38442 4ae4a933ef2cd0bf527590af79a48065

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_mipsel.deb
    Size/MD5 checksum:    38390 e89fd088bfe33f2af1b2b4ca44c11ba7

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_powerpc.deb
    Size/MD5 checksum:    29704 5a6676d270e93eea5265354d907f7cbe

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_s390.deb
    Size/MD5 checksum:    29958 54f012f9d6b8eb9153458a5b9e2fba34

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.0-1sarge2_sparc.deb
    Size/MD5 checksum:    29270 66aba25ee7275478105d2c586920516a

Debian 4.0 (stable)
- - -------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1.diff.gz
    Size/MD5 checksum:    28528 a588cb9138820d73f16bc81ffc4f8e20
  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1.dsc
    Size/MD5 checksum:      890 c02dfefb7289fcb09e9ac83d7cf78655
  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6.orig.tar.gz
    Size/MD5 checksum:    96578 0425cb868cadd026851238452f1db907

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_alpha.deb
    Size/MD5 checksum:    35464 acdec90eeea809b0cac14ad16d9914a3

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_amd64.deb
    Size/MD5 checksum:    34214 2bb425113107e4e471c15685333f1a0a

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_arm.deb
    Size/MD5 checksum:    32754 68e9b0b7c579679728c403af931a1510

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_hppa.deb
    Size/MD5 checksum:    34442 2c41c2878777dce6c6b8ad3f1f1cb6a7

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_i386.deb
    Size/MD5 checksum:    33384 5a05d1d731bf0e53962f117cc0addd12

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_ia64.deb
    Size/MD5 checksum:    49088 872ff6eaeb1ff894c1b1f50f7091f6e4

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_mips.deb
    Size/MD5 checksum:    34758 02c6727db7a546147423840d22c47f12

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_mipsel.deb
    Size/MD5 checksum:    34808 c89ffd2236d752ac270fb5ba62cd8e62

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_powerpc.deb
    Size/MD5 checksum:    33922 a4d6e0e689699638523de2754075a42e

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_s390.deb
    Size/MD5 checksum:    34176 5109fa87cfffb72f46e287e88d3b7a55

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/scponly/scponly_4.6-1etch1_sparc.deb
    Size/MD5 checksum:    33322 42f50ca1d1d836fa4c80137a57ed66f1


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR5T0E797/wQC1SS+AQIWCQf/YaaafxKBB7pV87V3gKbv46+O9kjWwdO8
OGnE1o2HwsmWkk37uXNuAczsc2JS/K7BMH9iESHCxuHFVLYCSkJo72LlMlPyllbZ
w7E+yGA1GrSTsnXUa56Hm1Vb11+95FDtT/hY1pTejB8kMuogFfEmfhbzOGC44nXO
YnQnNH4iIS8/VRx1I3PeAPFrugGGrDxdM5xOJRt6PfRRi9tqi3B8+OFzx9W7xG9I
BUdMJOnrHWCHGR9JKTcnBj7hK1sWRLTTur76ymMwdbjZQuY1Va/2I6DyEBrM0o5N
4bLh+cdUDfdZ4GzYEFCRaToazQRvKggtUQpF7WNNlxpolhdnVJ5tFw==
=R2l6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR5Vtlyh9+71yA2DNAQJw2QQAjSAoIiH+G6uDn8H7KvaboDi8igU61M+C
9MCujUcZcpfe/y0i0Fcwr1AiXJItn7d/kMcA00uMax2X+FDZUwHrnX29yODGvZ8i
B4eq0ojvgp5EZDqByOq19t9C5+HpaM50zWRx6JLR/Oj5OoSuukFJxiaOFfGzhPLf
xmvZp89WXgM=
=EiMq
-----END PGP SIGNATURE-----