diff --git a/.gitignore b/.gitignore
index a111713..6e6aef4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 rssh-2.3.2.tar.gz
 /rssh-2.3.3.tar.gz
+/rssh-2.3.4.tar.gz
+/rssh-2.3.4.tar.gz.sig
diff --git a/rssh-2.3.2-makefile.patch b/rssh-2.3.2-makefile.patch
deleted file mode 100644
index c28167e..0000000
--- a/rssh-2.3.2-makefile.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- rssh-2.3.2/Makefile.in.old 2008-07-21 19:52:51.000000000 -0400
-+++ rssh-2.3.2/Makefile.in 2008-07-21 19:52:54.000000000 -0400
-@@ -728,7 +728,7 @@
- $(CC) -c $(DEFS) $(ourdefs) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
-
- install-exec-hook:
-- chmod u+s $(libexecdir)/rssh_chroot_helper
-+ chmod u+s $(DESTDIR)$(libexecdir)/rssh_chroot_helper
-
- rpm: dist
- rpmbuild -ta --sign $(base).tar.gz
diff --git a/rssh-2.3.3-rsync-protocol.patch b/rssh-2.3.3-rsync-protocol.patch
deleted file mode 100644
index f4ea113..0000000
--- a/rssh-2.3.3-rsync-protocol.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-As of rsync 3, rsync reused the -e option to pass protocol information
-from the client to the server. We therefore cannot reject all -e
-options to rsync, only ones not sent with --server or containing
-something other than protocol information as an argument.
-
-Based on work by Robert Hardy.
-
-Debian Bug#471803
-
---- rssh.orig/util.c
-+++ rssh/util.c
-@@ -56,6 +56,7 @@
- #ifdef HAVE_LIBGEN_H
- #include
- #endif /* HAVE_LIBGEN_H */
-+#include
-
- /* LOCAL INCLUDES */
- #include "pathnames.h"
-@@ -187,6 +188,33 @@
- }
-
- /*
-+ * check_rsync_e() - take the command line passed to rssh and look for a -e
-+ * option. If one is found, make sure --server is provided
-+ * and the option contains only the protocol information.
-+ * Returns 1 if the command line is safe; 0 otherwise.
-+ */
-+static int check_rsync_e( char *cl )
-+{
-+ int status;
-+ regex_t re;
-+
-+ /*
-+ * This is more complicated than it looks because we don't want to
-+ * trigger on the e in --server, but we do want to catch the common
-+ * case of -ltpre.iL (which contains -e.).
-+ */
-+ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
-+
-+ if ( strstr(cl, "--server") == NULL ) return 0;
-+ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
-+ return 0;
-+ }
-+ status = regexec(&re, cl, 0, NULL, 0);
-+ regfree(&re);
-+ return (status == 0) ? 0 : 1;
-+}
-+
-+/*
- * check_command_line() - take the command line passed to rssh, and verify
- * that the specified command is one the user is
- * allowed to run. Return the path of the command
-@@ -230,9 +258,9 @@
-
- if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
- /* filter -e option */
-- if ( opt_exist(cl, 'e') ){
-+ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
- fprintf(stderr, "\ninsecure -e option not allowed.");
-- log_msg("insecure -e option in rdist command line!");
-+ log_msg("insecure -e option in rsync command line!");
- return NULL;
- }
-
diff --git a/rssh-2.3.4-command-line-error.patch b/rssh-2.3.4-command-line-error.patch
new file mode 100644
index 0000000..cec059c
--- /dev/null
+++ b/rssh-2.3.4-command-line-error.patch
@@ -0,0 +1,26 @@
+From: Russ Allbery
+Subject: [PATCH] Fix error message from invalid options
+
+Don't refer to all invalid options as invalid scp options.
+
+Signed-off-by: Russ Allbery
+
+---
+ util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util.c b/util.c
+index 443dcba..774bdbe 100644
+--- a/util.c
++++ b/util.c
+@@ -152,7 +152,7 @@ bool opt_filter(char **vec, const char opt)
+ while (vec && *vec){
+ if (opt_exist(*vec, opt)){
+ fprintf(stderr, "\nillegal insecure %c option", opt);
+- log_msg("insecure %c option in scp command line!", opt);
++ log_msg("insecure %c option in command line!", opt);
+ return TRUE;
+ }
+ vec++;
+--
+tg: (05e48f5..) fixes/command-line-error (depends on: fixes/command-line-checking)
diff --git a/rssh-2.3.4-makefile.patch b/rssh-2.3.4-makefile.patch
new file mode 100644
index 0000000..2296fea
--- /dev/null
+++ b/rssh-2.3.4-makefile.patch
@@ -0,0 +1,16 @@
+diff -pruN rssh-2.3.4.orig/Makefile.in rssh-2.3.4/Makefile.in
+--- rssh-2.3.4.orig/Makefile.in 2012-11-27 01:19:34.000000000 +0100
++++ rssh-2.3.4/Makefile.in 2012-11-28 18:21:03.154903684 +0100
+@@ -727,10 +727,10 @@ uninstall-man: uninstall-man1 uninstall-
+
+
+ .c.o:
+- $(CC) -c $(DEFS) $(ourdefs) $(AM_CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
++ $(CC) -c $(DEFS) $(ourdefs) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $<
+
+ install-exec-hook:
+- chmod u+s $(libexecdir)/rssh_chroot_helper
++ chmod u+s $(DESTDIR)$(libexecdir)/rssh_chroot_helper
+
+ rpm: dist
+ rpmbuild -ta --sign $(base).tar.gz
diff --git a/rssh-2.3.4-rsync-protocol.patch b/rssh-2.3.4-rsync-protocol.patch
new file mode 100644
index 0000000..e1694ee
--- /dev/null
+++ b/rssh-2.3.4-rsync-protocol.patch
@@ -0,0 +1,130 @@
+From: Russ Allbery
+Subject: [PATCH] Handle the rsync v3 -e option for protocol information
+
+As of rsync 3, rsync reused the -e option to pass protocol information
+from the client to the server. We therefore cannot reject all -e
+options to rsync, only ones not sent with --server or containing
+something other than protocol information as an argument.
+
+Also scan the rsync command line for any --rsh option and reject it as
+well. This replaces and improves the upstream strategy for rejecting
+that command-line option, taking advantage of the parsing added to
+check the -e option.
+
+Based on work by Robert Hardy.
+
+Debian Bug#471803
+
+Signed-off-by: Russ Allbery
+
+---
+ util.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 72 insertions(+), 8 deletions(-)
+
+diff --git a/util.c b/util.c
+index f98d2bc..a257b06 100644
+--- a/util.c
++++ b/util.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include
+ #endif /* HAVE_LIBGEN_H */
++#include
+
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -198,6 +199,73 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
+
+
+ /*
++ * rsync_e_okay() - take the command line passed to rssh and look for an -e
++ * option. If one is found, make sure --server is provided
++ * and the option contains only the protocol information.
++ * Also check for and reject any --rsh option. Returns FALSE
++ * if the command line should not be allowed, TRUE if it is
++ * okay.
++ */
++static int rsync_e_okay( char **vec )
++{
++ regex_t re;
++ int server = FALSE;
++ int e_found = FALSE;
++
++ /*
++ * rsync will send -e, followed by either just "." (meaning no special
++ * protocol) or "N.N" (meaning a pre-release protocol version),
++ * followed by some number of alphabetic flags indicating various
++ * supported options. There may be other options between - and the e,
++ * but -e will always be the last option in the string.
A typical
++ * option passed by the client is "-ltpre.iL".
++ *
++ * Note that if --server is given, this should never be parsed as a
++ * shell, but we'll tightly verify it anyway, just in case.
++ *
++ * This regex matches the acceptable flags containing -e, so if it
++ * does not match, the command line should be rejected.
++ */
++ static const char pattern[]
++ = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";
++
++ /*
++ * Only recognize --server if it's the first option. rsync itself
++ * always passes it that way, and if it's not the first argument, it
++ * could be hidden from the server as an argument to some other
++ * option.
++ */
++ if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
++ server = TRUE;
++ }
++
++ /* Check the remaining options for -e or --rsh. */
++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++ return FALSE;
++ }
++ while (vec && *vec){
++ if ( strcmp(*vec, "--") == 0 ) break;
++ if ( strcmp(*vec, "--rsh") == 0
++ || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
++ regfree(&re);
++ return FALSE;
++ }
++ if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
++ e_found = TRUE;
++ if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
++ regfree(&re);
++ return FALSE;
++ }
++ }
++ vec++;
++ }
++ regfree(&re);
++ if ( e_found && !server ) return FALSE;
++ return TRUE;
++}
++
++
++/*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+ * allowed to run and validate the arguments.
Return the
+@@ -230,14 +298,10 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
+
+ if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ /* filter -e option */
+- if ( opt_filter(cl, 'e') ) return NULL;
+- while (cl && *cl){
+- if ( strstr(*cl, "--rsh" ) ){
+- fprintf(stderr, "\ninsecure --rsh= not allowed.");
+- log_msg("insecure --rsh option in rsync command line!");
+- return NULL;
+- }
+- cl++;
++ if ( !rsync_e_okay(cl) ){
++ fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
++ log_msg("insecure -e or --rsh option in rsync command line!");
++ return NULL;
+ }
+ return PATH_RSYNC;
+ }
+--
+tg: (f8b36e2..) fixes/rsync-protocol (depends on: upstream)
diff --git a/rssh.spec b/rssh.spec
index 986a059..135fdf4 100644
--- a/rssh.spec
+++ b/rssh.spec
@@ -1,13 +1,15 @@
 Name: rssh
-Version: 2.3.3
-Release: 4%{?dist}
+Version: 2.3.4
+Release: 1%{?dist}
 Summary: Restricted shell for use with OpenSSH, allowing only scp and/or sftp
 Group: Applications/Internet
 License: BSD
 URL: http://www.pizzashack.org/rssh/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
-Patch0: rssh-2.3.2-makefile.patch
-Patch1: rssh-2.3.3-rsync-protocol.patch
+Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz.sig
+Patch0: rssh-2.3.4-makefile.patch
+Patch1: rssh-2.3.4-rsync-protocol.patch
+Patch2: rssh-2.3.4-command-line-error.patch
 BuildRequires: openssh-server, openssh-clients
 BuildRequires: cvs rsync rdist
@@ -15,7 +17,6 @@ Requires: openssh-server
 Requires(pre): shadow-utils
 %description
-
 rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell
@@ -26,6 +27,7 @@ access, you can use rssh to do that. It is a alternative to scponly.
 %setup -q
 %patch0 -p1 -b .makefile
 %patch1 -p1 -b .rsync3
+%patch2 -p1 -b .cmdline-error
 chmod 644 conf_convert.sh
 chmod 644 mkchroot.sh
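Review bot: The `--rsh` test in the `while` loop of `rsync_e_okay()` matches only the exact spellings `--rsh` and `--rsh=...`, and the `strncmp(*vec, "--", 2) != 0` guard means no other long option is inspected at all, so the function works as a denylist. Since rssh, as a restricted shell, is what stands between the client-supplied argument vector and rsync, an allowlist of the options rsync itself sends in `--server` mode would fail closed if rsync accepts other spellings or other options with a similar effect; at the least a comment such as `/* NOTE: long options other than --rsh are passed through unchecked */` should record the limit. The function is also declared `static int` while returning `TRUE`/`FALSE`, where `opt_filter` and `check_command` in the same file are `bool`; `static bool rsync_e_okay( char **vec )` would match them. How `opt_exist()` decides that an argument contains `e` is outside this patch, so whether the regex is reached for every relevant argument depends on it.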
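Review bot: `Source1` adds the upstream `.tar.gz.sig`, but the `%prep` lines visible in the third hunk (`%setup -q`, `%patch0` to `%patch2`) never check it against `Source0`, so as far as these hunks show the signature is carried in the SRPM without being enforced at build time. Consider adding the upstream signing key as a further `Source` and verifying before `%setup -q`, for example `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` where the distribution provides that macro (`SOURCE2` is a placeholder for the keyring entry). The `%prep` header itself lies outside the hunk.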
@@ -39,6 +41,9 @@ make %{?_smp_mflags}
 %install
 rm -rf %{buildroot}
 make install INSTALL="%{__install} -p" DESTDIR=%{buildroot}
+# since rssh 2.3.4, default config is installed as rssh.conf.default,
+# rename it for packaging in rpm
+mv %{buildroot}/%{_sysconfdir}/rssh.conf{.default,}
 %clean
 rm -rf %{buildroot}
@@ -59,6 +64,15 @@ exit 0
 %changelog
+* Mon Dec 10 2012 Tomas Hoger - 2.3.4-1
+- Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252
+- Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the
+ CVE-2012-3478 and CVE-2012-2252 fixes.
+- Updated makefile.patch to preserve RPM CFLAGS.
+- Added command-line-error.patch (from Debian), correcting error message
+ generated when insecure command line option is used (CVE-2012-3478 fix
+ regression).
+
 * Sat Jul 21 2012 Fedora Release Engineering - 2.3.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
@@ -96,4 +110,3 @@ exit 0
 * Tue Jul 22 2008 Rahul Sundaram - 2.3.2-1
 - initial spec
-
diff --git a/sources b/sources
index 7bc5e92..75c2b07 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-b0c147602fcc95737ed50573b92fc468 rssh-2.3.3.tar.gz
+5211f5fe206704f813a3cec61f487042 rssh-2.3.4.tar.gz
+99ee2985b4f2bc53d8c6b074e7c816e0 rssh-2.3.4.tar.gz.sig