From 7d6abd0b7b89f28343741c2188da22c6d1c6c8ea Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 27 Apr 2016 17:47:20 -0700 Subject: openssh: Security Fix CVE-2016-3115 opehssh <= 7.2 Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../openssh/openssh/CVE-2016-3115.patch | 84 ++++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_7.1p2.bb | 4 +- 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch (limited to 'meta/recipes-connectivity') diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch new file mode 100644 index 0000000000..9a9ad776ce --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch @@ -0,0 +1,84 @@ +From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 10 Mar 2016 11:47:57 +0000 +Subject: [PATCH] upstream commit + +sanitise characters destined for xauth reported by + github.com/tintinweb feedback and ok deraadt and markus + +Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261 + +Upstream-Status: Backport +CVE: CVE-2016-3115 +https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871 + +Signed-off-by: Armin Kuster + +--- + session.c | 34 +++++++++++++++++++++++++++++++--- + 1 file changed, 31 insertions(+), 3 deletions(-) + +Index: openssh-7.1p2/session.c +=================================================================== +--- openssh-7.1p2.orig/session.c ++++ openssh-7.1p2/session.c +@@ -46,6 +46,7 @@ + + #include + ++#include + #include + #include + #include +@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt) + do_cleanup(authctxt); + } + ++/* Check untrusted xauth strings for metacharacters */ ++static int ++xauth_valid_string(const char *s) ++{ ++ size_t i; ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (!isalnum((u_char)s[i]) && ++ s[i] != '.' && s[i] != ':' && s[i] != '/' && ++ s[i] != '-' && s[i] != '_') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Prepares for an interactive session. This is called after the user has + * been successfully authenticated. During this message exchange, pseudo +@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt) + s->screen = 0; + } + packet_check_eom(); +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); +@@ -2181,7 +2203,13 @@ session_x11_req(Session *s) + s->screen = packet_get_int(); + packet_check_eom(); + +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb index 3b5e28a1d7..c1b0fb28a0 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb @@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://run-ptest \ file://CVE-2016-1907_upstream_commit.patch \ file://CVE-2016-1907_2.patch \ - file://CVE-2016-1907_3.patch " + file://CVE-2016-1907_3.patch \ + file://CVE-2016-3115.patch \ + " PAM_SRC_URI = "file://sshd" -- cgit 1.2.3-korg