From 4feb6a973f59dea47bb7cf49eb04b6426258c08b Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 10 May 2019 14:34:35 +0200 Subject: [PATCH] Verify SCP vulnerabilities are fixed in the package testsuite --- openssh-8.0p1-scp-tests.patch | 61 +++++++++++++++++++++++++++++++++++ openssh.spec | 4 +++ 2 files changed, 65 insertions(+) create mode 100644 openssh-8.0p1-scp-tests.patch diff --git a/openssh-8.0p1-scp-tests.patch b/openssh-8.0p1-scp-tests.patch new file mode 100644 index 0000000..e0a63c4 --- /dev/null +++ b/openssh-8.0p1-scp-tests.patch @@ -0,0 +1,61 @@ +diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh +index 59f1ff63..dd48a482 100644 +--- a/regress/scp-ssh-wrapper.sh ++++ b/regress/scp-ssh-wrapper.sh +@@ -51,6 +51,18 @@ badserver_4) + echo "C755 2 file" + echo "X" + ;; ++badserver_5) ++ echo "D0555 0 " ++ echo "X" ++ ;; ++badserver_6) ++ echo "D0555 0 ." ++ echo "X" ++ ;; ++badserver_7) ++ echo "C0755 2 extrafile" ++ echo "X" ++ ;; + *) + set -- $arg + shift +diff --git a/regress/scp.sh b/regress/scp.sh +index 57cc7706..104c89e1 100644 +--- a/regress/scp.sh ++++ b/regress/scp.sh +@@ -25,6 +25,7 @@ export SCP # used in scp-ssh-wrapper.scp + scpclean() { + rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2} + mkdir ${DIR} ${DIR2} ++ chmod 755 ${DIR} ${DIR2} + } + + verbose "$tid: simple copy local file to local file" +@@ -101,7 +102,7 @@ if [ ! -z "$SUDO" ]; then + $SUDO rm ${DIR2}/copy + fi + +-for i in 0 1 2 3 4; do ++for i in 0 1 2 3 4 5 6 7; do + verbose "$tid: disallow bad server #$i" + SCPTESTMODE=badserver_$i + export DIR SCPTESTMODE +@@ -113,6 +114,15 @@ for i in 0 1 2 3 4; do + scpclean + $SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null + [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" ++ ++ scpclean ++ $SCP -pr $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null ++ [ ! -w ${DIR2} ] && fail "allows target root attribute change" ++ ++ scpclean ++ $SCP $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null ++ [ -e ${DIR2}/extrafile ] && fail "allows extranous object creation" ++ rm -f ${DIR2}/extrafile + done + + verbose "$tid: detect non-directory target" + diff --git a/openssh.spec b/openssh.spec index 8e90591..1d3fda7 100644 --- a/openssh.spec +++ b/openssh.spec @@ -207,6 +207,9 @@ Patch953: openssh-7.8p1-scp-ipv6.patch Patch958: openssh-7.9p1-ssh-copy-id.patch # Update cached passwd structure after PAM authentication (#1674541) Patch960: openssh-7.9p1-updated-cached-pw.patch +# Verify the SCP vulnerabilities are fixed in the package testsuite +# https://bugzilla.mindrot.org/show_bug.cgi?id=3007 +Patch961: openssh-8.0p1-scp-tests.patch License: BSD Requires: /sbin/nologin @@ -410,6 +413,7 @@ popd %patch953 -p1 -b .scp-ipv6 %patch958 -p1 -b .ssh-copy-id %patch960 -p1 -b .update-pw +%patch961 -p1 -b .scp-tests %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race