<?xml version="1.0" encoding="utf-8"?>
<glsa id="200512-17">
<title>scponly: Multiple privilege escalation issues</title>
<synopsis>
Local users can exploit an scponly flaw to gain root privileges, and
scponly restricted users can use another vulnerability to evade shell
</synopsis>
<product type="ebuild">scponly</product>
<announced>December 29, 2005</announced>
<revised>May 22, 2006: 02</revised>
<access>local and remote</access>
<affected>
<package name="net-misc/scponly" auto="yes" arch="*">
<unaffected range="ge">4.2</unaffected>
<vulnerable range="lt">4.2</vulnerable>
</package>
</affected>
<background>
<p>
scponly is a restricted shell, allowing only a few predefined commands.
It is often used as a complement to OpenSSH to provide access to remote
users without providing any remote execution privileges.
</p>
</background>
<description>
<p>
Max Vozeler discovered that the scponlyc command allows users to chroot
into arbitrary directories. Furthermore, Pekka Pessi reported that
scponly insufficiently validates command-line parameters to a scp or
rsync command.
</p>
</description>
<impact type="high">
<p>
A local attacker could gain root privileges by chrooting into arbitrary
directories containing hardlinks to setuid programs. A remote scponly
user could also send malicious parameters to a scp or rsync command
that would allow them to escape the shell restrictions and execute arbitrary
</p>
</impact>
<workaround>
<p>
There is no known workaround at this time.
</p>
</workaround>
<resolution>
<p>
All scponly users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-misc/scponly-4.2&quot;</code>
</resolution>
<references>
<uri link="">scponly release notes</uri>
<uri link="">CVE-2005-4532</uri>
<uri link="">CVE-2005-4533</uri>
</references>
<metadata tag="submitter" timestamp="Tue, 27 Dec 2005 09:38:39 +0000">
<metadata tag="bugReady" timestamp="Thu, 29 Dec 2005 10:10:38 +0000">