Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
openssh.11961
openssh-6.6p1-sanitise_xauth_input.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssh-6.6p1-sanitise_xauth_input.patch of Package openssh.11961
Sanitise strings passed to xauth to prevent possibly unwanted actions by authenticated users. CVE-2016-3115 bsc#970632 Backport of upstream: commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56 Author: Damien Miller <djm@mindrot.org> Date: Thu Mar 10 05:03:39 2016 +1100 sanitise characters destined for xauth(1) reported by github.com/tintinweb diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c --- a/openssh-6.6p1/session.c +++ b/openssh-6.6p1/session.c @@ -41,16 +41,17 @@ # include <sys/stat.h> #endif #include <sys/socket.h> #include <sys/un.h> #include <sys/wait.h> #include <arpa/inet.h> +#include <ctype.h> #include <errno.h> #include <fcntl.h> #include <grp.h> #ifdef HAVE_PATHS_H #include <paths.h> #endif #include <pwd.h> #include <signal.h> @@ -286,16 +287,31 @@ do_authenticated(Authctxt *authctxt) if (compat20) do_authenticated2(authctxt); else do_authenticated1(authctxt); do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo * terminals are allocated, X11, TCP/IP, and authentication agent forwardings * are requested, etc. */ static void do_authenticated1(Authctxt *authctxt) @@ -359,17 +375,23 @@ do_authenticated1(Authctxt *authctxt) if (!screen_flag) debug2("Buggy client: " "X11 screen flag missing"); s->screen = packet_get_int(); } else { s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } break; @@ -2294,17 +2316,23 @@ session_x11_req(Session *s) return 0; } s->single_connection = packet_get_char(); s->auth_proto = packet_get_string(NULL); s->auth_data = packet_get_string(NULL); s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } return success; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor