subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nico Kadel-Garcia <nka...@gmail.com>
Subject Re: ssh+svn vs. bash security bug?
Date Wed, 24 Sep 2014 23:30:57 GMT
On Wed, Sep 24, 2014 at 12:28 PM, Stefan Sperling <stsp@elego.de> wrote:
> On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote:
>> Does the recently announced bash bug:
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>> affect the security of the way people generally configure svn+ssh access?
>>
>> --
>>    Les Mikesell
>
> From what I understand after reading about the problem briefly:
>
> In an svn+ssh setup svn clients run 'svnserve -t' by default.
> But there is no reason this could not be changed to '/bin/bash' by
> an attacker.
>
> Note that forcing a command in the authorized_keys file will *not*
> work around the problem: http://seclists.org/oss-sec/2014/q3/651
>
> It should be possible to mitigate this attack vector by having
> svnserve run in an environment that doesn't have bash available,
> either with no bash binary at all on the system, or within a chroot.

Setting up a chroot for Subversion for just this purpose gets...
potentially adventuresome. The maintainers of OpenSSH have generically
refused to support chroot changes, so it's a bit awkward to even set
up. Various folks have published patches or integration kits to
support genuine chroot cages: heck, even I used to publish patches for
OpenSSH to provide them.

But this is a very disturbing bug.....

Mime
View raw message