On Wed, Sep 24, 2014 at 12:28 PM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote:
>> Does the recently announced bash bug:
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>> affect the security of the way people generally configure svn+ssh access?
>>
>> --
>> Les Mikesell
>
> From what I understand after reading about the problem briefly:
>
> In an svn+ssh setup svn clients run 'svnserve -t' by default.
> But there is no reason this could not be changed to '/bin/bash' by
> an attacker.
>
> Note that forcing a command in the authorized_keys file will *not*
> work around the problem: http://seclists.org/oss-sec/2014/q3/651
>
> It should be possible to mitigate this attack vector by having
> svnserve run in an environment that doesn't have bash available,
> either with no bash binary at all on the system, or within a chroot.
Setting up a chroot for Subversion for just this purpose gets...
potentially adventuresome. The maintainers of OpenSSH have generically
refused to support chroot changes, so it's a bit awkward to even set
up. Various folks have published patches or integration kits to
support genuine chroot cages: heck, even I used to publish patches for
OpenSSH to provide them.
But this is a very disturbing bug.....
Received on 2014-09-25 01:31:25 CEST