Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Nov 2012 07:17:29 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: Derek Martin <code@...zashack.org>
Cc: oss-security@...ts.openwall.com, 
 secure-testing-team@...ts.alioth.debian.org, Russ Allbery <rra@...ian.org>,
  temp66@...il.com
Subject: Re: rssh: incorrect filtering of command line options

On mar., 2012-11-27 at 17:40 -0600, Derek Martin wrote:
> On Wed, Nov 28, 2012 at 12:21:03AM +0100, Yves-Alexis Perez wrote:
> > CVE-2012-2251
> > 	Incorrect filtering of command line when using rsync protocol. It was
> > 	for example possible to pass dangerous options after a "--" switch. The rsync
> > 	protocol support has been added in a Debian (and Fedora/Red Hat) specific
> > 	patch, so this vulnerability doesn't affect upstream.
> > 
> > CVE-2012-2251
> 
> I believe this one was meant to be CVE-2012-2252...

Yes, sorry for that, I reformated the advisory at the last minute and
did a wrong copy/pasteā€¦
> 
> > 	Incorrect filtering of the "--rsh" option: the filter preventing usage of the
> > 	"--rsh=" option would not prevent passing "--rsh". This vulnerability affects
> > 	upstream code.
> 
> I've uploaded rssh-2.3.4 to the project's web page, as well as to
> sourceforge.  This update includes the fix for CVE-2012-2252, and also
> rolls up a fix for CVE-2012-3478, for which I had previously only
> posted a patch.  Additionally there are some mostly trivial updates
> for code and build clean-up.
> 
Thank you for your time and help on this, it was a pleasure working with
you.

Regards,
-- 
Yves-Alexis Perez
 Debian Security

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ