bugzilla-daemon at mindrot.org
2020-Aug-08 04:22 UTC
[Bug 3200] New: Will future versions of openssh fix CVE-2020-15778?
https://bugzilla.mindrot.org/show_bug.cgi?id=3200

            Bug ID: 3200
           Summary: Will future versions of openssh fix CVE-2020-15778?
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: ARM64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: scp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kircherlike at outlook.com

Although separating the scp function from the ssh is a difficult task, it is
inappropriate to run commands in the scp that transfers files. Will OpenSSH be
able to restore the CVE?
https://github.com/cpandya2909/CVE-2020-15778

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Aug-28 03:14 UTC
[Bug 3200] Will future versions of openssh fix CVE-2020-15778?
https://bugzilla.mindrot.org/show_bug.cgi?id=3200

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
this CVE stems from a misunderstanding of how scp works. It is an old program
that *deliberately* invokes the remote shell for glob pattern expansion.

We're not going to "fix" scp, but we might replace it entirely. There are
significant backwards-compatibility concerns to work through however.
bugzilla-daemon at mindrot.org
2021-Apr-12 09:22 UTC
[Bug 3200] Will future versions of openssh fix CVE-2020-15778?
https://bugzilla.mindrot.org/show_bug.cgi?id=3200

--- Comment #2 from kircher <kircherlike at outlook.com> ---
Maybe we can prevent this by configuring the mandatory command. A simple
example is:

    ForceCommand if [[ -z $SSH_ORIGINAL_COMMAND ]];then exec /bin/bash -il;elif [[ -z "$(echo $SSH_ORIGINAL_COMMAND | grep scp | grep '`')" ]];then exec /bin/bash -c "$SSH_ORIGINAL_COMMAND";else echo backquote not allow in scp;fi
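
An allowlist variant of the ForceCommand idea in comment #2, as an added example that is not part of the original thread and not OpenSSH code. It assumes a transfer-only account that speaks the legacy scp protocol, and the script name scp-only.sh is hypothetical.

```shell
#!/bin/sh
# Added example: classify SSH_ORIGINAL_COMMAND for a transfer-only account.
# Assumption: the account is used only for legacy-protocol scp, so anything that
# is not a well-formed "scp ... -t|-f <path>" server invocation is refused.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below plain byte ranges

# scp_command_ok CMD -> returns 0 if CMD may be handed to the shell, 1 otherwise
scp_command_ok() {
    cmd=$1
    # Allowlist: letters, digits, and . _ / - ~ space, plus the glob characters
    # * and ? that scp relies on the remote shell to expand. Backquotes, $, ;,
    # |, &, quotes, backslashes, tabs and newlines all fall outside it.
    case $cmd in
        ''|*[!A-Za-z0-9._/\ *?~-]*) return 1 ;;
    esac
    set -f                 # do not expand globs while the words are inspected
    set -- $cmd            # split on spaces, the only separator left after the check
    set +f
    [ "$1" = scp ] || return 1
    shift
    mode=0
    while [ $# -gt 1 ]; do # every word before the last must be a known option
        case $1 in
            -t|-f) mode=$((mode + 1)) ;;
            -v|-r|-p|-d) ;;
            *) return 1 ;;
        esac
        shift
    done
    # exactly one of -t / -f, and the final word is a path, not another option
    [ "$mode" -eq 1 ] || return 1
    case ${1-} in ''|-*) return 1 ;; esac
    return 0
}

# Wrapper entry point, meant to be named by ForceCommand in sshd_config.
if [ "${0##*/}" = scp-only.sh ]; then   # hypothetical script name
    if scp_command_ok "${SSH_ORIGINAL_COMMAND-}"; then
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    echo "command refused" >&2
    exit 1
fi
```

Paths containing spaces or other characters outside the allowlist are refused by this policy, and interactive logins are refused as well.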
bugzilla-daemon at mindrot.org
2023-Feb-10 03:47 UTC
[Bug 3200] Will future versions of openssh fix CVE-2020-15778?
https://bugzilla.mindrot.org/show_bug.cgi?id=3200

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH now uses sftp by default in the scp command
bugzilla-daemon at mindrot.org
2023-Mar-17 02:37 UTC
[Bug 3200] Will future versions of openssh fix CVE-2020-15778?
https://bugzilla.mindrot.org/show_bug.cgi?id=3200

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs