sanitise characters destined for xauth(1) (#1316529)
Upstream:
9d47b8d3f5
parent
08f0c1b883
commit
47f126ca0a
|
@ -0,0 +1,72 @@
|
||||||
|
commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
|
||||||
|
Author: Damien Miller <djm@mindrot.org>
|
||||||
|
Date: Thu Mar 10 05:03:39 2016 +1100
|
||||||
|
|
||||||
|
sanitise characters destined for xauth(1)
|
||||||
|
|
||||||
|
reported by github.com/tintinweb
|
||||||
|
|
||||||
|
diff --git a/session.c b/session.c
|
||||||
|
index 7a02500..87fddfc 100644
|
||||||
|
--- a/session.c
|
||||||
|
+++ b/session.c
|
||||||
|
@@ -46,6 +46,7 @@
|
||||||
|
|
||||||
|
#include <arpa/inet.h>
|
||||||
|
|
||||||
|
+#include <ctype.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <grp.h>
|
||||||
|
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
|
||||||
|
do_cleanup(authctxt);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Check untrusted xauth strings for metacharacters */
|
||||||
|
+static int
|
||||||
|
+xauth_valid_string(const char *s)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; s[i] != '\0'; i++) {
|
||||||
|
+ if (!isalnum((u_char)s[i]) &&
|
||||||
|
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
|
||||||
|
+ s[i] != '-' && s[i] != '_')
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Prepares for an interactive session. This is called after the user has
|
||||||
|
* been successfully authenticated. During this message exchange, pseudo
|
||||||
|
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
|
||||||
|
s->screen = 0;
|
||||||
|
}
|
||||||
|
packet_check_eom();
|
||||||
|
- success = session_setup_x11fwd(s);
|
||||||
|
+ if (xauth_valid_string(s->auth_proto) &&
|
||||||
|
+ xauth_valid_string(s->auth_data))
|
||||||
|
+ success = session_setup_x11fwd(s);
|
||||||
|
+ else {
|
||||||
|
+ success = 0;
|
||||||
|
+ error("Invalid X11 forwarding data");
|
||||||
|
+ }
|
||||||
|
if (!success) {
|
||||||
|
free(s->auth_proto);
|
||||||
|
free(s->auth_data);
|
||||||
|
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
|
||||||
|
s->screen = packet_get_int();
|
||||||
|
packet_check_eom();
|
||||||
|
|
||||||
|
- success = session_setup_x11fwd(s);
|
||||||
|
+ if (xauth_valid_string(s->auth_proto) &&
|
||||||
|
+ xauth_valid_string(s->auth_data))
|
||||||
|
+ success = session_setup_x11fwd(s);
|
||||||
|
+ else {
|
||||||
|
+ success = 0;
|
||||||
|
+ error("Invalid X11 forwarding data");
|
||||||
|
+ }
|
||||||
|
if (!success) {
|
||||||
|
free(s->auth_proto);
|
||||||
|
free(s->auth_data);
|
|
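Review bot: The new allowlist is enforced only at the two call sites, in do_authenticated1 and session_x11_req, rather than where auth_proto and auth_data are actually handed on towards xauth(1). The body of session_setup_x11fwd is not visible here, but if it has (or later gains) another caller, that path would skip the check. Consider making the first statement of session_setup_x11fwd `if (!xauth_valid_string(s->auth_proto) || !xauth_valid_string(s->auth_data)) { error("Invalid X11 forwarding data"); return 0; }`. Separately, xauth_valid_string returns 1 for an empty string because the loop never runs; if an empty protocol name or cookie is not meaningful, add `if (*s == '\0') return 0;` before the loop. Its comment should also state the contract, e.g. `/* Returns 1 if s holds only [A-Za-z0-9.:/_-], else 0 */`. Both patched functions continue outside the hunks shown.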
@ -240,6 +240,8 @@ Patch934: openssh-6.9p1-gssKexAlgorithms.patch
|
||||||
# CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
|
# CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
|
||||||
# Fix an out of-bound read access in the packet handling code
|
# Fix an out of-bound read access in the packet handling code
|
||||||
Patch935: openssh-6.9p1-security-7.1.patch
|
Patch935: openssh-6.9p1-security-7.1.patch
|
||||||
|
# Fix for security issue (openssh-7.2p2): sanitise characters destined for xauth(1)
|
||||||
|
Patch936: openssh-6.9p1-xauth.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
|
@ -468,6 +470,7 @@ popd
|
||||||
%patch933 -p1 -b .fingerprint
|
%patch933 -p1 -b .fingerprint
|
||||||
%patch934 -p1 -b .gsskexalg
|
%patch934 -p1 -b .gsskexalg
|
||||||
%patch935 -p1 -b .security71
|
%patch935 -p1 -b .security71
|
||||||
|
%patch936 -p1 -b .xauth
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch700 -p1 -b .fips
|
%patch700 -p1 -b .fips
|
||||||
|
|