CVE-2019-7283 in Ubuntu

CVE-2019-7283

Priority

Description

An issue was discovered in rcp in NetKit through 0.17. For an rcp
operation, the server chooses which files/directories are sent to the
client. However, the rcp client only performs cursory validation of the
object name returned. A malicious rsh server (or Man-in-The-Middle
attacker) can overwrite arbitrary files in a directory on the rcp client
machine. This is similar to CVE-2019-6111.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7283
https://bugs.debian.org/920486
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920486

Notes

Package

Source: netkit-rsh (LP Ubuntu Debian)

Upstream:	released (0.17-20)
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	not-affected (0.17-21)
Ubuntu 21.10:	not-affected (0.17-21)
Ubuntu 22.04 LTS:	not-affected (0.17-21)
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Other:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=920486;filename=fix-CVE-2018-20685-and-CVE-2019-6111.patch;msg=10

More Information

Updated: 2022-04-25 00:44:23 UTC (commit ecc1009cb19540b950de59270950018900f37f15)