PublicDateAtUSN: 2019-01-10
Candidate: CVE-2018-20685
PublicDate: 2019-01-10 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
 https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
 https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037459.html
 https://ubuntu.com/security/notices/USN-3885-1
Description:
 In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass
 intended access restrictions via the filename of . or an empty filename. The
 impact is modifying the permissions of the target directory on the client
 side.
Ubuntu-Description:
Notes:
 seth-arnold> openssh-ssh1 is provided for compatibility with old devices that
  cannot be upgraded to modern protocols. Thus we may not provide security
  support for this package if doing so would prevent access to equipment.
 mdeslaur> The recommended workaround for this issue is to switch to using
  sftp instead of scp.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919101
Priority: medium
Discovered-by: Harry Sintonen
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N [5.3 MEDIUM]

Patches_openssh:
 upstream: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
 upstream: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.197&r2=1.198&f=h
upstream_openssh: released (1:7.9p1-5)
precise/esm_openssh: ignored (end of ESM support, was needed)
trusty_openssh: released (1:6.6p1-2ubuntu2.12)
trusty/esm_openssh: released (1:6.6p1-2ubuntu2.12)
xenial_openssh: released (1:7.2p2-4ubuntu2.7)
esm-infra/xenial_openssh: released (1:7.2p2-4ubuntu2.7)
fips/xenial_openssh: not-affected (1:7.2p2-4ubuntu2.7)
fips-updates/xenial_openssh: not-affected (1:7.2p2-4ubuntu2.7)
bionic_openssh: released (1:7.6p1-4ubuntu0.2)
fips/bionic_openssh: not-affected (1:7.9p1-5)
fips-updates/bionic_openssh: not-affected (1:7.9p1-5)
cosmic_openssh: released (1:7.7p1-4ubuntu0.2)
disco_openssh: released (1:7.9p1-5)
eoan_openssh: released (1:7.9p1-5)
focal_openssh: released (1:7.9p1-5)
fips/focal_openssh: not-affected (1:7.9p1-5)
fips-updates/focal_openssh: not-affected (1:7.9p1-5)
groovy_openssh: released (1:7.9p1-5)
hirsute_openssh: released (1:7.9p1-5)
impish_openssh: released (1:7.9p1-5)
jammy_openssh: released (1:7.9p1-5)
devel_openssh: released (1:7.9p1-5)

Patches_openssh-ssh1:
upstream_openssh-ssh1: ignored (frozen on openssh 7.5p)
precise/esm_openssh-ssh1: DNE
trusty_openssh-ssh1: DNE
trusty/esm_openssh-ssh1: DNE
xenial_openssh-ssh1: DNE
bionic_openssh-ssh1: needs-triage
cosmic_openssh-ssh1: ignored (reached end-of-life)
disco_openssh-ssh1: ignored (reached end-of-life)
eoan_openssh-ssh1: ignored (reached end-of-life)
focal_openssh-ssh1: needs-triage
groovy_openssh-ssh1: ignored (reached end-of-life)
hirsute_openssh-ssh1: ignored (reached end-of-life)
impish_openssh-ssh1: needs-triage
jammy_openssh-ssh1: needs-triage
devel_openssh-ssh1: needs-triage