rssh: Privilege escalation — GLSA 200512-15

Local users could gain root privileges by chrooting into arbitrary directories.

Affected Packages

app-shells/rssh on all architectures
Affected versions < 2.3.0
Unaffected versions >= 2.3.0

Background

rssh is a restricted shell, allowing only a few commands like scp or sftp. It is often used as a complement to OpenSSH to provide limited access to users.

Description

Max Vozeler discovered that the rssh_chroot_helper command allows local users to chroot into arbitrary directories.

Impact

A local attacker could exploit this vulnerability to gain root privileges by chrooting into arbitrary directories.

Workaround

There is no known workaround at this time.

Resolution

All rssh users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-shells/rssh-2.3.0"

References

Release Date
December 27, 2005

Latest Revision
December 27, 2005: 01

Severity
high

Exploitable
local

Bugzilla entries