
Re: ssh+svn vs. bash security bug?

From: <jblist_at_icloud.com>
Date: Fri, 26 Sep 2014 16:08:41 -0700

On Sep 26, 2014, at 3:59 PM, Vincent Lefevre <vincent-svn_at_vinc17.net> wrote:

> On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
>> From what I understand after reading about the problem briefly:
>>
>> In an svn+ssh setup svn clients run 'svnserve -t' by default.
>> But there is no reason this could not be changed to '/bin/bash' by
>> an attacker.
>>
>> Note that forcing a command in the authorized_keys file will *not*
>> work around the problem: http://seclists.org/oss-sec/2014/q3/651
>
> How can this be possible? Do you mean that OpenSSH starts the command
> with bash instead of some exec* function or /bin/sh (which is dash on
> my machines)?

If the child process is started using exec(), as you point out, then there
shouldn't be a problem. If the process is started using system(), then
there might be a problem if /bin/sh is actually a symlink to bash.

On Mac OS X, 10.9.5:

$ /bin/sh --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
Received on 2014-09-27 01:09:09 CEST
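
The check shown in the message above, generalized as an added example (not part of the original post): it reports whether /bin/sh, the shell that system() invokes, is bash, whether through a symlink or as a renamed copy as in the OS X output. It reads BASH_VERSION, which bash sets even when started under the name "sh", rather than parsing --version output; the function names are illustrative.

```shell
#!/bin/sh
# Added example: decide whether a shell path is really bash, whether it is a
# symlink to bash or a copy of bash installed under another name.

# Print the BASH_VERSION the given shell reports; empty for non-bash shells.
# Returns 2 if the path is missing or not executable.
shell_bash_version() {
    [ -x "$1" ] || return 2
    "$1" -c 'printf "%s" "${BASH_VERSION:-}"' 2>/dev/null
}

# Return 0 if the path is bash, 1 if it is another shell, 2 if not executable.
shell_is_bash() {
    [ -x "$1" ] || return 2
    [ -n "$(shell_bash_version "$1")" ]
}

# Describe one path: its symlink target (if any) and what it identifies as.
describe_shell() {
    path=$1
    if [ ! -x "$path" ]; then
        echo "$path: missing or not executable"
        return 2
    fi
    target=""
    if [ -L "$path" ]; then
        target=" -> $(readlink "$path")"
    fi
    if shell_is_bash "$path"; then
        echo "$path$target: bash $(shell_bash_version "$path")"
    else
        echo "$path$target: not bash"
        return 1
    fi
}

# With no arguments, check the shell that system() uses.
[ "$#" -gt 0 ] || set -- /bin/sh
for p in "$@"; do
    describe_shell "$p" || :
done
```

Pass other paths as arguments to check them as well, for example the login shell of the account used for svn+ssh access.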

This is an archived mail posted to the Subversion Users mailing list.
