| Name | CVE-2020-12062 |
| Description | The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| openssh (PTS) | jessie, jessie (lts) | 1:6.7p1-5+deb8u10 | vulnerable |
| stretch (security) | 1:7.4p1-10+deb9u6 | vulnerable |
| stretch (lts), stretch | 1:7.4p1-10+deb9u9 | vulnerable |
| buster | 1:7.9p1-10+deb10u2 | vulnerable |
| buster (security) | 1:7.9p1-10+deb10u4 | vulnerable |
| bullseye (security), bullseye | 1:8.4p1-5+deb11u3 | fixed |
| bookworm (security), bookworm | 1:9.2p1-2+deb12u2 | fixed |
| trixie | 1:9.6p1-4 | fixed |
| sid | 1:9.7p1-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| openssh | source | (unstable) | 1:8.3p1-1 | unimportant | | |
Notes
https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1
https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894
https://www.openwall.com/lists/oss-security/2020/05/27/1
Negligible security impact, a malicious peer can achieve no more than already
able o achieve within the scp protocol.