Karol Babioch

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283 (CVE-2019-25017). In the rcp client in MIT krb5-appl through 1.0.3 malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side (CVE-2019-25018).

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283 (CVE-2019-25017). In the rcp client in MIT krb5-appl through 1.0.3 malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side (CVE-2019-25018).

**Name of the Vulnerable Software and Affected Versions** btrfsmaintenance versions through 0.4.1 **Description** An issue in the evaluate auto mountpoint function in btrfsmaintenance-functions allows code execution as root via a specially crafted filesystem label. This can occur when btrfs-{scrub,balance,trim} are set to auto in /etc/sysconfig/btrfsmaintenance, which is not the default configuration. **Recommendations** For versions through 0.4.1, consider disabling the auto setting for btrfs-{scrub,balance,trim} in /etc/sysconfig/btrfsmaintenance to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.