diff options
| author |   Armin Kuster <akuster@mvista.com> | 2016-04-27 17:47:20 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-04-29 07:36:30 +0100 |
| commit | 7d6abd0b7b89f28343741c2188da22c6d1c6c8ea (patch) | |
| tree | 443ec18235286f5bd2f991ca4551b4a66dd895c4 /meta/recipes-connectivity/openssh/openssh | |
| parent | b7a38a45bf404b8f9b419bf7c054102d68cf2673 (diff) | |
| download | openembedded-core-contrib-7d6abd0b7b89f28343741c2188da22c6d1c6c8ea.tar.gz | |
openssh: Security Fix CVE-2016-3115
opehssh <= 7.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh')
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch new file mode 100644 index 0000000000..9a9ad776ce --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch @@ -0,0 +1,84 @@ +From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 10 Mar 2016 11:47:57 +0000 +Subject: [PATCH] upstream commit + +sanitise characters destined for xauth reported by + github.com/tintinweb feedback and ok deraadt and markus + +Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261 + +Upstream-Status: Backport +CVE: CVE-2016-3115 +https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + session.c | 34 +++++++++++++++++++++++++++++++--- + 1 file changed, 31 insertions(+), 3 deletions(-) + +Index: openssh-7.1p2/session.c +=================================================================== +--- openssh-7.1p2.orig/session.c ++++ openssh-7.1p2/session.c +@@ -46,6 +46,7 @@ + + #include <arpa/inet.h> + ++#include <ctype.h> + #include <errno.h> + #include <fcntl.h> + #include <grp.h> +@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt) + do_cleanup(authctxt); + } + ++/* Check untrusted xauth strings for metacharacters */ ++static int ++xauth_valid_string(const char *s) ++{ ++ size_t i; ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (!isalnum((u_char)s[i]) && ++ s[i] != '.' && s[i] != ':' && s[i] != '/' && ++ s[i] != '-' && s[i] != '_') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Prepares for an interactive session. This is called after the user has + * been successfully authenticated. During this message exchange, pseudo +@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt) + s->screen = 0; + } + packet_check_eom(); +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); +@@ -2181,7 +2203,13 @@ session_x11_req(Session *s) + s->screen = packet_get_int(); + packet_check_eom(); + +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); |