Bug 3200 - Will future versions of openssh fix CVE-2020-15778?
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: scp
Version: 8.3p1
Hardware: ARM64 Linux
Importance: P5 security
Assignee: Assigned to nobody
Reported: 2020-08-08 14:22 AEST by kircher
Modified: 2023-03-17 13:37 AEDT
Description kircher 2020-08-08 14:22:17 AEST
Although separating the scp function from the ssh is a difficult task, it is inappropriate to run commands in the scp that transfers files. Will OpenSSH be able to restore the CVE? 

https://github.com/cpandya2909/CVE-2020-15778
Comment 1 Damien Miller 2020-08-28 13:14:24 AEST
This CVE stems from a misunderstanding of how scp works. It is an old program that *deliberately* invokes the remote shell for glob pattern expansion.

We're not going to "fix" scp, but we might replace it entirely. There are significant backwards-compatibility concerns to work through, however.
Comment 2 kircher 2021-04-12 19:22:42 AEST
Maybe we can prevent this by configuring the mandatory command.
A simple example is:

ForceCommand if [[ -z $SSH_ORIGINAL_COMMAND ]];then exec /bin/bash -il;elif [[ -z "$(echo $SSH_ORIGINAL_COMMAND | grep scp | grep '`')" ]];then exec /bin/bash -c "$SSH_ORIGINAL_COMMAND";else echo backquote not allow in scp;fi
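
Added example, not part of the bug thread and not OpenSSH project code: the ForceCommand idea from comment 2 written as a POSIX shell gate. It goes beyond the backquote check by also refusing other command-substitution, chaining and redirection characters, while still allowing the glob characters that legacy scp relies on. The function names and the sample commands are constructed for illustration.

```shell
#!/bin/sh
# Added example: decision logic for a ForceCommand wrapper script.
# Function names are hypothetical; sample commands below are constructed.

# is_scp_request CMD -> 0 if CMD is the server side of a legacy scp transfer
# (the client asks the server to run "scp ... -t PATH" or "scp ... -f PATH").
# Unlike "grep scp", this matches only a command that starts with "scp ".
is_scp_request() {
    case $1 in
        scp\ *) return 0 ;;
        *)      return 1 ;;
    esac
}

# has_shell_meta CMD -> 0 if CMD contains characters the remote shell treats
# as command substitution, chaining or redirection. Glob characters (* ? [ ])
# are allowed on purpose. Trade-off: real file names containing the refused
# characters can no longer be transferred.
has_shell_meta() {
    nl='
'
    case $1 in
        *'`'*|*'$'*|*';'*|*'&'*|*'|'*|*'<'*|*'>'*|*"$nl"*) return 0 ;;
        *) return 1 ;;
    esac
}

# gate_decision CMD -> prints shell, scp-allow, scp-deny or other.
# A wrapper would start a login shell for "shell", run the request for
# "scp-allow", and log and exit non-zero for "scp-deny"; the policy for
# "other" is left to the administrator.
gate_decision() {
    if [ -z "$1" ]; then
        echo shell
    elif is_scp_request "$1"; then
        if has_shell_meta "$1"; then echo scp-deny; else echo scp-allow; fi
    else
        echo other
    fi
}

# Constructed values of SSH_ORIGINAL_COMMAND (single-quoted, never executed).
for sample in '' 'scp -t /srv/upload/' 'scp -f /srv/logs/*.gz' \
              'scp -t /srv/upload/`id`.txt' 'scp -t /srv/$(id).txt' 'uptime'; do
    printf '%-32s -> %s\n' "[$sample]" "$(gate_decision "$sample")"
done
```

The gate only matters where the legacy scp protocol is still in use; with the SFTP-based transfer mentioned in comment 3, the remote shell is not invoked for the path.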
Comment 3 Damien Miller 2023-02-10 14:47:07 AEDT
OpenSSH now uses sftp by default in the scp command.
Comment 4 Damien Miller 2023-03-17 13:37:03 AEDT
OpenSSH 9.3 has been released. Close resolved bugs.