Author: des
Date: Sat Mar 12 23:50:19 2016
New Revision: 296780
URL: https://svnweb.freebsd.org/changeset/base/296780

Log:
  Apply patch from 7.2p2 for xauth command injection bug.
  
  Security:     CVE-2016-3115

Modified:
  stable/9/crypto/openssh/session.c

Modified: stable/9/crypto/openssh/session.c
==============================================================================
--- stable/9/crypto/openssh/session.c   Sat Mar 12 23:25:05 2016        
(r296779)
+++ stable/9/crypto/openssh/session.c   Sat Mar 12 23:50:19 2016        
(r296780)
@@ -48,6 +48,7 @@ __RCSID("$FreeBSD$");
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt)
        do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+       size_t i;
+
+       for (i = 0; s[i] != '\0'; i++) {
+               if (!isalnum((u_char)s[i]) &&
+                   s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+                   s[i] != '-' && s[i] != '_')
+               return 0;
+       }
+       return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
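Review bot: The `return 0;` that closes the loop in xauth_valid_string is the body of the three-line `if` above it but is indented at the same level as the `if`, so it reads as an unconditional return; brace the body and indent it one level, i.e. end the condition with `s[i] != '-' && s[i] != '_') {`, indent `return 0;` under it, and add the closing `}`. The whitelist itself (alphanumerics plus `.:/-_`) is the right shape for a value that, per the log message, previously reached a command line unchecked, and the `(u_char)` cast before isalnum() correctly avoids the negative-char case. Note that the empty string passes the check because the loop body never runs; whether the callers in the later hunks rely on other checks for that is not visible in this commit. A header comment such as `/* Return 1 if every byte of s is alphanumeric or one of ".:/-_" (the empty string qualifies), else 0 */` would record both facts for the next maintainer.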
@@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt)
                                s->screen = 0;
                        }
                        packet_check_eom();
-                       success = session_setup_x11fwd(s);
+                       if (xauth_valid_string(s->auth_proto) &&
+                           xauth_valid_string(s->auth_data))
+                               success = session_setup_x11fwd(s);
+                       else {
+                               success = 0;
+                               error("Invalid X11 forwarding data");
+                       }
                        if (!success) {
                                free(s->auth_proto);
                                free(s->auth_data);
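Review bot: The new validation block in do_authenticated1 mixes an unbraced `if` branch with a braced `else`, and the same seven lines are repeated verbatim in the session_x11_req hunk below; a small static helper would remove the duplication and keep the two sites from drifting apart on the next fix. The helper below keeps the existing error() text, which deliberately does not echo the rejected string and so keeps untrusted bytes out of the log. do_authenticated1 begins and ends outside this hunk, so the caller line shown is the only change inside it.
```c
/* Return 1 if s->auth_proto and s->auth_data pass the xauth whitelist, else log and return 0. */
static int
session_x11_valid(Session *s)
{
	if (xauth_valid_string(s->auth_proto) &&
	    xauth_valid_string(s->auth_data))
		return 1;
	error("Invalid X11 forwarding data");
	return 0;
}

/* … unchanged: do_authenticated1 up to packet_check_eom() … */
			success = session_x11_valid(s) ? session_setup_x11fwd(s) : 0;
/* … unchanged: the if (!success) cleanup … */
```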
@@ -2199,7 +2221,13 @@ session_x11_req(Session *s)
        s->screen = packet_get_int();
        packet_check_eom();
 
-       success = session_setup_x11fwd(s);
+       if (xauth_valid_string(s->auth_proto) &&
+           xauth_valid_string(s->auth_data))
+               success = session_setup_x11fwd(s);
+       else {
+               success = 0;
+               error("Invalid X11 forwarding data");
+       }
        if (!success) {
                free(s->auth_proto);
                free(s->auth_data);