sanitise characters destined for xauth(1) (#1316529)
Upstream:
9d47b8d3f5
This commit is contained in:
Jakub Jelen
parent
08f0c1b883
commit
47f126ca0a
|
|
@ -0,0 +1,72 @@
|
|||
commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
|
||||
Author: Damien Miller <djm@mindrot.org>
|
||||
Date: Thu Mar 10 05:03:39 2016 +1100
|
||||
|
||||
sanitise characters destined for xauth(1)
|
||||
|
||||
reported by github.com/tintinweb
|
||||
|
||||
diff --git a/session.c b/session.c
|
||||
index 7a02500..87fddfc 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -46,6 +46,7 @@
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
+#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <grp.h>
|
||||
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
|
||||
do_cleanup(authctxt);
|
||||
}
|
||||
|
||||
+/* Check untrusted xauth strings for metacharacters */
|
||||
+static int
|
||||
+xauth_valid_string(const char *s)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; s[i] != '\0'; i++) {
|
||||
+ if (!isalnum((u_char)s[i]) &&
|
||||
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
|
||||
+ s[i] != '-' && s[i] != '_')
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Prepares for an interactive session. This is called after the user has
|
||||
* been successfully authenticated. During this message exchange, pseudo
|
||||
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
|
||||
s->screen = 0;
|
||||
}
|
||||
packet_check_eom();
|
||||
- success = session_setup_x11fwd(s);
|
||||
+ if (xauth_valid_string(s->auth_proto) &&
|
||||
+ xauth_valid_string(s->auth_data))
|
||||
+ success = session_setup_x11fwd(s);
|
||||
+ else {
|
||||
+ success = 0;
|
||||
+ error("Invalid X11 forwarding data");
|
||||
+ }
|
||||
if (!success) {
|
||||
free(s->auth_proto);
|
||||
free(s->auth_data);
|
||||
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
|
||||
s->screen = packet_get_int();
|
||||
packet_check_eom();
|
||||
|
||||
- success = session_setup_x11fwd(s);
|
||||
+ if (xauth_valid_string(s->auth_proto) &&
|
||||
+ xauth_valid_string(s->auth_data))
|
||||
+ success = session_setup_x11fwd(s);
|
||||
+ else {
|
||||
+ success = 0;
|
||||
+ error("Invalid X11 forwarding data");
|
||||
+ }
|
||||
if (!success) {
|
||||
free(s->auth_proto);
|
||||
free(s->auth_data);
|
||||
|
|
@ -240,6 +240,8 @@ Patch934: openssh-6.9p1-gssKexAlgorithms.patch
|
|||
# CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
|
||||
# Fix an out of-bound read access in the packet handling code
|
||||
Patch935: openssh-6.9p1-security-7.1.patch
|
||||
# Fix for security issue (openssh-7.2p2): sanitise characters destined for xauth(1)
|
||||
Patch936: openssh-6.9p1-xauth.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
|
|
@ -468,6 +470,7 @@ popd
|
|||
%patch933 -p1 -b .fingerprint
|
||||
%patch934 -p1 -b .gsskexalg
|
||||
%patch935 -p1 -b .security71
|
||||
%patch936 -p1 -b .xauth
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch700 -p1 -b .fips
|
||||
|
|
|
|||
Loading…
Reference in New Issue