Max Vozeler reports:
If ALL the following conditions are true, administrators using
scponly-4.1 or older may be at risk of a local privilege
escalation exploit:
- the chrooted setuid scponlyc binary is installed
- regular non-scponly users have interactive shell access
  to the box
- a user-executable, dynamically linked setuid binary
  (such as ping) exists on the same file system mount
  as the user's home directory
- the operating system supports an LD_PRELOAD style
  mechanism to overload dynamic library loading

Pekka Pessi also reports:
If ANY of the following conditions are true, administrators
using scponly-4.1 or older may be at risk of a local privilege
escalation exploit:
- scp compatibility is enabled
- rsync compatibility is enabled
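
A host check for two of the conditions in the first report, as an added example that is not part of the advisory or of scponly itself: it tests whether a given scponlyc path is setuid and lists other setuid files on the mount that holds a given home directory. The function names and every path are assumptions supplied by the caller; whether each listed file is dynamically linked, and whether the system honours LD_PRELOAD, still has to be confirmed by hand.

```shell
#!/bin/sh
# Added example: audits two preconditions from the advisory on one host.
# All paths are caller-supplied assumptions; none come from the advisory.

# Succeeds if $1 is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print the mount point of the filesystem that holds $1.
# Assumes the mount point contains no whitespace.
mount_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }'
}

# List setuid regular files under $1 without crossing into other mounts.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null || true
}

# audit_scponly SCPONLYC_PATH HOME_DIR [SEARCH_ROOT]
# SEARCH_ROOT defaults to the mount point that holds HOME_DIR.
# Returns 0 when both checked preconditions hold (host needs review),
# 1 when at least one of them does not.
audit_scponly() {
    scponlyc=$1 home=$2 root=${3:-$(mount_of "$2")}
    if ! is_setuid "$scponlyc"; then
        echo "ok: $scponlyc is absent or not setuid"
        return 1
    fi
    # Other setuid files on the same mount; scponlyc itself is excluded.
    hits=$(list_setuid "$root" | grep -vxF -- "$scponlyc" || true)
    if [ -z "$hits" ]; then
        echo "ok: no other setuid files on the mount holding $home"
        return 1
    fi
    echo "review: setuid scponlyc, and setuid files sharing a mount with $home:"
    echo "$hits"
    return 0
}
```

Run it as root so that `find` can read every directory, for example `audit_scponly /path/to/scponlyc /home/someuser` with the real install path substituted.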