Re: ssh+svn vs. bash security bug?

From: Stefan Sperling <stsp_at_elego.de>
Date: Wed, 24 Sep 2014 19:28:51 +0300

On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote:
> Does the recently announced bash bug:
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> affect the security of the way people generally configure svn+ssh access?
>
> --
> Les Mikesell

From what I understand after reading about the problem briefly:

In an svn+ssh setup svn clients run 'svnserve -t' by default.
But there is no reason this could not be changed to '/bin/bash' by
an attacker.

Note that forcing a command in the authorized_keys file will *not*
work around the problem: http://seclists.org/oss-sec/2014/q3/651

It should be possible to mitigate this attack vector by having
svnserve run in an environment that doesn't have bash available,
either with no bash binary at all on the system, or within a chroot.
Received on 2014-09-24 18:29:24 CEST

This message: [ Message body ]
Next message: Ryan Schmidt: "Re: subversion wonā€™t add new files"
Previous message: jblist_at_icloud.com: "Re: subversion won’t add new files"
In reply to: Les Mikesell: "ssh+svn vs. bash security bug?"
Next in thread: Nico Kadel-Garcia: "Re: ssh+svn vs. bash security bug?"
Reply: Nico Kadel-Garcia: "Re: ssh+svn vs. bash security bug?"
Reply: Vincent Lefevre: "Re: ssh+svn vs. bash security bug?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]