Date: Wed, 28 Nov 2012 07:17:29 +0100 From: Yves-Alexis Perez <corsac@...ian.org> To: Derek Martin <code@...zashack.org> Cc: oss-security@...ts.openwall.com, secure-testing-team@...ts.alioth.debian.org, Russ Allbery <rra@...ian.org>, temp66@...il.com Subject: Re: rssh: incorrect filtering of command line options On mar., 2012-11-27 at 17:40 -0600, Derek Martin wrote: > On Wed, Nov 28, 2012 at 12:21:03AM +0100, Yves-Alexis Perez wrote: > > CVE-2012-2251 > > Incorrect filtering of command line when using rsync protocol. It was > > for example possible to pass dangerous options after a "--" switch. The rsync > > protocol support has been added in a Debian (and Fedora/Red Hat) specific > > patch, so this vulnerability doesn't affect upstream. > > > > CVE-2012-2251 > > I believe this one was meant to be CVE-2012-2252... Yes, sorry for that, I reformated the advisory at the last minute and did a wrong copy/paste… > > > Incorrect filtering of the "--rsh" option: the filter preventing usage of the > > "--rsh=" option would not prevent passing "--rsh". This vulnerability affects > > upstream code. > > I've uploaded rssh-2.3.4 to the project's web page, as well as to > sourceforge. This update includes the fix for CVE-2012-2252, and also > rolls up a fix for CVE-2012-3478, for which I had previously only > posted a patch. Additionally there are some mostly trivial updates > for code and build clean-up. > Thank you for your time and help on this, it was a pleasure working with you. Regards, -- Yves-Alexis Perez Debian Security [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ