openssh: Security Fix CVE-2016-3115
opehssh <= 7.2 (From OE-Core rev: 7d6abd0b7b89f28343741c2188da22c6d1c6c8ea) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
3f75a6478b
commit
3c6ead9129
|
@ -0,0 +1,84 @@
|
|||
From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Thu, 10 Mar 2016 11:47:57 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
sanitise characters destined for xauth reported by
|
||||
github.com/tintinweb feedback and ok deraadt and markus
|
||||
|
||||
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2016-3115
|
||||
https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
session.c | 34 +++++++++++++++++++++++++++++++---
|
||||
1 file changed, 31 insertions(+), 3 deletions(-)
|
||||
|
||||
Index: openssh-7.1p2/session.c
|
||||
===================================================================
|
||||
--- openssh-7.1p2.orig/session.c
|
||||
+++ openssh-7.1p2/session.c
|
||||
@@ -46,6 +46,7 @@
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
+#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <grp.h>
|
||||
@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt)
|
||||
do_cleanup(authctxt);
|
||||
}
|
||||
|
||||
+/* Check untrusted xauth strings for metacharacters */
|
||||
+static int
|
||||
+xauth_valid_string(const char *s)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; s[i] != '\0'; i++) {
|
||||
+ if (!isalnum((u_char)s[i]) &&
|
||||
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
|
||||
+ s[i] != '-' && s[i] != '_')
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Prepares for an interactive session. This is called after the user has
|
||||
* been successfully authenticated. During this message exchange, pseudo
|
||||
@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt)
|
||||
s->screen = 0;
|
||||
}
|
||||
packet_check_eom();
|
||||
- success = session_setup_x11fwd(s);
|
||||
+ if (xauth_valid_string(s->auth_proto) &&
|
||||
+ xauth_valid_string(s->auth_data))
|
||||
+ success = session_setup_x11fwd(s);
|
||||
+ else {
|
||||
+ success = 0;
|
||||
+ error("Invalid X11 forwarding data");
|
||||
+ }
|
||||
if (!success) {
|
||||
free(s->auth_proto);
|
||||
free(s->auth_data);
|
||||
@@ -2181,7 +2203,13 @@ session_x11_req(Session *s)
|
||||
s->screen = packet_get_int();
|
||||
packet_check_eom();
|
||||
|
||||
- success = session_setup_x11fwd(s);
|
||||
+ if (xauth_valid_string(s->auth_proto) &&
|
||||
+ xauth_valid_string(s->auth_data))
|
||||
+ success = session_setup_x11fwd(s);
|
||||
+ else {
|
||||
+ success = 0;
|
||||
+ error("Invalid X11 forwarding data");
|
||||
+ }
|
||||
if (!success) {
|
||||
free(s->auth_proto);
|
||||
free(s->auth_data);
|
|
@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
|
|||
file://run-ptest \
|
||||
file://CVE-2016-1907_upstream_commit.patch \
|
||||
file://CVE-2016-1907_2.patch \
|
||||
file://CVE-2016-1907_3.patch "
|
||||
file://CVE-2016-1907_3.patch \
|
||||
file://CVE-2016-3115.patch \
|
||||
"
|
||||
|
||||
PAM_SRC_URI = "file://sshd"
|
||||
|
||||
|
|
Loading…
Reference in New Issue