openssh: Fix CVE-2023-51385

OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. This patch fixes the above issue Link: http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.11.debian.tar.xz Link: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a (From OE-Core rev: a0561ca36bd3be8f44d11908caaf8c9ce5f69032) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> 2024-01-18 13:04:08 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-01-31 03:51:10 -1000
commit: 3adc98348b16d8cde41e2dbe05a614039b82e7e7 (patch)
tree: 7653b82e84f0579430b4f8aeac631a68f688f583
parent: 8f7ce1acf793adf985d52849ba160912eed78982 (diff)
download: poky-3adc98348b16d8cde41e2dbe05a614039b82e7e7.tar.gz
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 0000000000..0ba8c312d0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,95 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+feedback/ok millert@ markus@ dtucker@ deraadt@
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+CVE: CVE-2023-51385
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Hunks refreshed to apply cleanly
+---
+ ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+diff --git a/ssh.c b/ssh.c
+index 35c48e62d18..48d93ddf2a9 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs
+        }
+ }
+ 
+static int
+valid_hostname(const char *s)
+{
+       size_t i;
+
+       if (*s == '-')
+               return 0;
+       for (i = 0; s[i] != 0; i++) {
+               if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+                   isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+                       return 0;
+       }
+       return 1;
+}
+
+static int
+valid_ruser(const char *s)
+{
+       size_t i;
+
+       if (*s == '-')
+               return 0;
+       for (i = 0; s[i] != 0; i++) {
+               if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+                       return 0;
+               /* Disallow '-' after whitespace */
+               if (isspace((u_char)s[i]) && s[i + 1] == '-')
+                       return 0;
+               /* Disallow \ in last position */
+               if (s[i] == '\\' && s[i + 1] == '\0')
+                       return 0;
+       }
+       return 1;
+}
+
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1069,6 +1104,10 @@ main(int ac, char **av)
+        if (!host)
+                usage();
+ 
+       if (!valid_hostname(host))
+               fatal("hostname contains invalid characters");
+       if (options.user != NULL && !valid_ruser(options.user))
+               fatal("remote username contains invalid characters");
+        host_arg = xstrdup(host);
+ 
+        /* Initialize the command to execute on remote host. */
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index eb3089cd8a..9d6cf7da6c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://CVE-2023-38408-11.patch \
           file://CVE-2023-38408-12.patch \
           file://CVE-2023-48795.patch \
+           file://CVE-2023-51385.patch \
           "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
author	Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>	2024-01-18 13:04:08 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-01-31 03:51:10 -1000
commit	3adc98348b16d8cde41e2dbe05a614039b82e7e7 (patch)
tree	7653b82e84f0579430b4f8aeac631a68f688f583
parent	8f7ce1acf793adf985d52849ba160912eed78982 (diff)
download	poky-3adc98348b16d8cde41e2dbe05a614039b82e7e7.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch new file mode 100644 index 0000000000..0ba8c312d0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,95 @@
		1	From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Mon, 18 Dec 2023 14:47:44 +0000
		4	Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
		5
		6	This makes ssh(1) refuse user or host names provided on the
		7	commandline that contain most shell metacharacters.
		8
		9	Some programs that invoke ssh(1) using untrusted data do not filter
		10	metacharacters in arguments they supply. This could create
		11	interactions with user-specified ProxyCommand and other directives
		12	that allow shell injection attacks to occur.
		13
		14	It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
		15	but getting this stuff right can be tricky, so this should prevent
		16	most obvious ways of creating risky situations. It however is not
		17	and cannot be perfect: ssh(1) has no practical way of interpreting
		18	what shell quoting rules are in use and how they interact with the
		19	user's specified ProxyCommand.
		20
		21	To allow configurations that use strange user or hostnames to
		22	continue to work, this strictness is applied only to names coming
		23	from the commandline. Names specified using User or Hostname
		24	directives in ssh_config(5) are not affected.
		25
		26	feedback/ok millert@ markus@ dtucker@ deraadt@
		27
		28	OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
		29
		30	CVE: CVE-2023-51385
		31	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
		32	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		33	Comment: Hunks refreshed to apply cleanly
		34
		35	---
		36	ssh.c \| 41 ++++++++++++++++++++++++++++++++++++++++-
		37	1 file changed, 40 insertions(+), 1 deletion(-)
		38
		39	diff --git a/ssh.c b/ssh.c
		40	index 35c48e62d18..48d93ddf2a9 100644
		41	--- a/ssh.c
		42	+++ b/ssh.c
		43	@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs
		44	}
		45	}
		46
		47	+static int
		48	+valid_hostname(const char *s)
		49	+{
		50	+ size_t i;
		51	+
		52	+ if (*s == '-')
		53	+ return 0;
		54	+ for (i = 0; s[i] != 0; i++) {
		55	+ if (strchr("'`\"$\\;&<>\|(){}", s[i]) != NULL \|\|
		56	+ isspace((u_char)s[i]) \|\| iscntrl((u_char)s[i]))
		57	+ return 0;
		58	+ }
		59	+ return 1;
		60	+}
		61	+
		62	+static int
		63	+valid_ruser(const char *s)
		64	+{
		65	+ size_t i;
		66	+
		67	+ if (*s == '-')
		68	+ return 0;
		69	+ for (i = 0; s[i] != 0; i++) {
		70	+ if (strchr("'`\";&<>\|(){}", s[i]) != NULL)
		71	+ return 0;
		72	+ /* Disallow '-' after whitespace */
		73	+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
		74	+ return 0;
		75	+ /* Disallow \ in last position */
		76	+ if (s[i] == '\\' && s[i + 1] == '\0')
		77	+ return 0;
		78	+ }
		79	+ return 1;
		80	+}
		81	+
		82	/*
		83	* Main program for the ssh client.
		84	*/
		85	@@ -1069,6 +1104,10 @@ main(int ac, char **av)
		86	if (!host)
		87	usage();
		88
		89	+ if (!valid_hostname(host))
		90	+ fatal("hostname contains invalid characters");
		91	+ if (options.user != NULL && !valid_ruser(options.user))
		92	+ fatal("remote username contains invalid characters");
		93	host_arg = xstrdup(host);
		94
		95	/* Initialize the command to execute on remote host. */


diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index eb3089cd8a..9d6cf7da6c 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
40	file://CVE-2023-38408-11.patch \	40	file://CVE-2023-38408-11.patch \
41	file://CVE-2023-38408-12.patch \	41	file://CVE-2023-38408-12.patch \
42	file://CVE-2023-48795.patch \	42	file://CVE-2023-48795.patch \
		43	file://CVE-2023-51385.patch \
43	"	44	"
44	SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"	45	SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
45	SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"	46	SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"