diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch new file mode 100644 index 0000000000..9a9ad776ce --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch @@ -0,0 +1,84 @@ +From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 10 Mar 2016 11:47:57 +0000 +Subject: [PATCH] upstream commit + +sanitise characters destined for xauth reported by + github.com/tintinweb feedback and ok deraadt and markus + +Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261 + +Upstream-Status: Backport +CVE: CVE-2016-3115 +https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + session.c | 34 +++++++++++++++++++++++++++++++--- + 1 file changed, 31 insertions(+), 3 deletions(-) + +Index: openssh-7.1p2/session.c +=================================================================== +--- openssh-7.1p2.orig/session.c ++++ openssh-7.1p2/session.c +@@ -46,6 +46,7 @@ + + #include <arpa/inet.h> + ++#include <ctype.h> + #include <errno.h> + #include <fcntl.h> + #include <grp.h> +@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt) + do_cleanup(authctxt); + } + ++/* Check untrusted xauth strings for metacharacters */ ++static int ++xauth_valid_string(const char *s) ++{ ++ size_t i; ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (!isalnum((u_char)s[i]) && ++ s[i] != '.' && s[i] != ':' && s[i] != '/' && ++ s[i] != '-' && s[i] != '_') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Prepares for an interactive session. This is called after the user has + * been successfully authenticated. During this message exchange, pseudo +@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt) + s->screen = 0; + } + packet_check_eom(); +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); +@@ -2181,7 +2203,13 @@ session_x11_req(Session *s) + s->screen = packet_get_int(); + packet_check_eom(); + +- success = session_setup_x11fwd(s); ++ if (xauth_valid_string(s->auth_proto) && ++ xauth_valid_string(s->auth_data)) ++ success = session_setup_x11fwd(s); ++ else { ++ success = 0; ++ error("Invalid X11 forwarding data"); ++ } + if (!success) { + free(s->auth_proto); + free(s->auth_data); |