Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 120147 - CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Summary: CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Whiteboard: impact=low,public=20000901
Depends On:
TreeView+ depends on / blocked
Reported: 2004-04-06 12:28 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-18 13:48:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:106 normal SHIPPED_LIVE Low: openssh security update 2005-05-18 04:00:00 UTC

Description Mark J. Cox 2004-04-06 12:28:10 UTC
Back in 2000 it was reported that a malicious ssh server could cause
scp to write to arbitrary files outside of the current directory. 

This is a valid behaviour of the rcp protocol.

The issue was rediscovered in Mar 2004 and discussed amongst OSS
vendors, with Markus Friedl from OpenBSD writing a proposed patch for
this issue but warned that it needed a lot of testing:

Comment 1 Mark J. Cox 2004-04-06 12:30:05 UTC
We are currently evaluating this issue; in the meantime concerned
users can use sftp as an alternative way to copy files, or be careful
not to scp files from untrusted hosts.

Comment 2 Barry K. Nathan 2004-09-07 23:56:21 UTC
Is Red Hat still "evaluating this issue"? (I think Apple released a
patch to fix this vuln on Mac OS X earlier today, for what that's worth.)

Comment 6 Tim Powers 2005-05-18 13:48:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 7 Barry K. Nathan 2005-05-19 06:18:12 UTC
Will there be errata packages to fix this for RHEL 2.1?

Comment 8 Josh Bressers 2005-05-26 20:27:17 UTC
The fix for RHEL2.1 is now being tracked by bug 158915

Note You need to log in before you can comment on or make changes to this bug.