ignore environment variables with embedded '=' or '\0' characters (#1077843)

CVE-2014-2532
This commit is contained in:
Petr Lautrbach 2014-05-15 09:55:25 +02:00
parent dea4ec84f7
commit 8e4734d190
2 changed files with 40 additions and 0 deletions

View File

@ -0,0 +1,37 @@
diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
+++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
@@ -0,0 +1,7 @@
+20140304
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
+ [session.c]
+ ignore enviornment variables with embedded '=' or '\0' characters;
+ spotted by Jann Horn; ok deraadt@
+
diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
+++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
u_int envsize;
u_int i, namelen;
+ if (strchr(name, '=') != NULL) {
+ error("Invalid environment variable \"%.100s\"", name);
+ return;
+ }
+
/*
* If we're passed an uninitialized list, allocate a single null
* entry before continuing.
@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
char *name, *val;
u_int name_len, val_len, i;
- name = packet_get_string(&name_len);
- val = packet_get_string(&val_len);
+ name = packet_get_cstring(&name_len);
+ val = packet_get_cstring(&val_len);
packet_check_eom();
/* Don't set too many environment variables */

View File

@ -196,6 +196,8 @@ Patch912: openssh-6.2p2-fromto-remote.patch
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
# dialog by offering only certificate keys. (#1081338)
Patch913: openssh-6.2p2-CVE-2014-2653.patch
# ignore environment variables with embedded '=' or '\0' characters (#1077843)
Patch914: openssh-6.2p2-ignore-bad-env-var.patch
License: BSD
@ -422,6 +424,7 @@ popd
%patch911 -p1 -b .legacy-ssh-copy-id
%patch912 -p1 -b .fromto-remote
%patch913 -p1 -b .CVE-2014-2653
%patch914 -p1 -b .bad-env-var
%if 0
# Nothing here yet