summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-04-27 17:47:20 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-04-29 07:36:30 +0100
commit7d6abd0b7b89f28343741c2188da22c6d1c6c8ea (patch)
tree443ec18235286f5bd2f991ca4551b4a66dd895c4 /meta/recipes-connectivity
parentb7a38a45bf404b8f9b419bf7c054102d68cf2673 (diff)
downloadopenembedded-core-7d6abd0b7b89f28343741c2188da22c6d1c6c8ea.tar.gz
openembedded-core-7d6abd0b7b89f28343741c2188da22c6d1c6c8ea.tar.bz2
openembedded-core-7d6abd0b7b89f28343741c2188da22c6d1c6c8ea.zip
openssh: Security Fix CVE-2016-3115
opehssh <= 7.2 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch84
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.1p2.bb4
2 files changed, 87 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
new file mode 100644
index 0000000000..9a9ad776ce
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
@@ -0,0 +1,84 @@
+From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 10 Mar 2016 11:47:57 +0000
+Subject: [PATCH] upstream commit
+
+sanitise characters destined for xauth reported by
+ github.com/tintinweb feedback and ok deraadt and markus
+
+Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
+
+Upstream-Status: Backport
+CVE: CVE-2016-3115
+https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ session.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+Index: openssh-7.1p2/session.c
+===================================================================
+--- openssh-7.1p2.orig/session.c
++++ openssh-7.1p2/session.c
+@@ -46,6 +46,7 @@
+
+ #include <arpa/inet.h>
+
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt)
+ do_cleanup(authctxt);
+ }
+
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++ size_t i;
++
++ for (i = 0; s[i] != '\0'; i++) {
++ if (!isalnum((u_char)s[i]) &&
++ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++ s[i] != '-' && s[i] != '_')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Prepares for an interactive session. This is called after the user has
+ * been successfully authenticated. During this message exchange, pseudo
+@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt)
+ s->screen = 0;
+ }
+ packet_check_eom();
+- success = session_setup_x11fwd(s);
++ if (xauth_valid_string(s->auth_proto) &&
++ xauth_valid_string(s->auth_data))
++ success = session_setup_x11fwd(s);
++ else {
++ success = 0;
++ error("Invalid X11 forwarding data");
++ }
+ if (!success) {
+ free(s->auth_proto);
+ free(s->auth_data);
+@@ -2181,7 +2203,13 @@ session_x11_req(Session *s)
+ s->screen = packet_get_int();
+ packet_check_eom();
+
+- success = session_setup_x11fwd(s);
++ if (xauth_valid_string(s->auth_proto) &&
++ xauth_valid_string(s->auth_data))
++ success = session_setup_x11fwd(s);
++ else {
++ success = 0;
++ error("Invalid X11 forwarding data");
++ }
+ if (!success) {
+ free(s->auth_proto);
+ free(s->auth_data);
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
index 3b5e28a1d7..c1b0fb28a0 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://run-ptest \
file://CVE-2016-1907_upstream_commit.patch \
file://CVE-2016-1907_2.patch \
- file://CVE-2016-1907_3.patch "
+ file://CVE-2016-1907_3.patch \
+ file://CVE-2016-3115.patch \
+ "
PAM_SRC_URI = "file://sshd"