Submitted by itefix on Mon, 08/06/2020 - 00:13
Copssh version 7.3.0 installers come with OpenSSH 8.3p and LibreSSL 3.1.2. (Due to version bump-up from LibreSSL 3.0.2 at our side, you may also be interested in release notes for 3.1.1 and 3.1.0 as well).
* scp(1): when receiving files, scp(1) could be become desynchronised
if a utimes(2) system call failed. This could allow file contents
to be interpreted as file metadata and thereby permit an adversary
to craft a file system that, when copied with scp(1) in a
configuration that caused utimes(2) to fail (e.g. under a SELinux
policy or syscall sandbox), transferred different file names and
contents to the actual file system layout.
Exploitation of this is not likely as utimes(2) does not fail under
normal circumstances. Successful exploitation is not silent - the
output of scp(1) would show transfer errors followed by the actual
file(s) that were received.
Finally, filenames returned from the peer are (since openssh-8.0)
matched against the user's requested destination, thereby
disallowing a successful exploit from writing files outside the
user's selected target glob (or directory, in the case of a
recursive transfer). This ensures that this attack can achieve no
more than a hostile peer is already able to achieve within the scp