Bug 3200

Summary: Will future versions of openssh fix CVE-2020-15778?
Product: Portable OpenSSH Reporter: kircher <kircherlike>
Component: scpAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: security CC: djm
Priority: P5    
Version: 8.3p1   
Hardware: ARM64   
OS: Linux   

Description kircher 2020-08-08 14:22:17 AEST 
Although separating the scp function from the ssh is a difficult task, it is inappropriate to run commands in the scp that transfers files. Will OpenSSH be able to restore the CVE? 

https://github.com/cpandya2909/CVE-2020-15778
Comment 1 Damien Miller 2020-08-28 13:14:24 AEST 
this CVE stems from a misunderstanding of how scp works. It is an old program that *deliberately* invokes the remote shell for glob pattern expansion.

We're not going to "fix" scp, but we might replace it entirely. There are significant backwards-compatibility concerns to work through however.
Comment 2 kircher 2021-04-12 19:22:42 AEST 
Maybe we can prevent this by configuring the mandatory command.
A simple example is:

ForceCommand if [[ -z $SSH_ORIGINAL_COMMAND ]];then exec /bin/bash -il;elif [[ -z "$(echo $SSH_ORIGINAL_COMMAND | grep scp | grep '`')" ]];then exec /bin/bash -c "$SSH_ORIGINAL_COMMAND";else echo backquote not allow in scp;fi
Comment 3 Damien Miller 2023-02-10 14:47:07 AEDT 
OpenSSH now uses sftp by default in the scp command
Comment 4 Damien Miller 2023-03-17 13:37:03 AEDT 
OpenSSH 9.3 has been released. Close resolved bugs