summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch84
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.1p2.bb4
2 files changed, 87 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
new file mode 100644
index 0000000000..9a9ad776ce
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
@@ -0,0 +1,84 @@
1From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Thu, 10 Mar 2016 11:47:57 +0000
4Subject: [PATCH] upstream commit
5
6sanitise characters destined for xauth reported by
7 github.com/tintinweb feedback and ok deraadt and markus
8
9Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
10
11Upstream-Status: Backport
12CVE: CVE-2016-3115
13https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
14
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 session.c | 34 +++++++++++++++++++++++++++++++---
19 1 file changed, 31 insertions(+), 3 deletions(-)
20
21Index: openssh-7.1p2/session.c
22===================================================================
23--- openssh-7.1p2.orig/session.c
24+++ openssh-7.1p2/session.c
25@@ -46,6 +46,7 @@
26
27 #include <arpa/inet.h>
28
29+#include <ctype.h>
30 #include <errno.h>
31 #include <fcntl.h>
32 #include <grp.h>
33@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt)
34 do_cleanup(authctxt);
35 }
36
37+/* Check untrusted xauth strings for metacharacters */
38+static int
39+xauth_valid_string(const char *s)
40+{
41+ size_t i;
42+
43+ for (i = 0; s[i] != '\0'; i++) {
44+ if (!isalnum((u_char)s[i]) &&
45+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
46+ s[i] != '-' && s[i] != '_')
47+ return 0;
48+ }
49+ return 1;
50+}
51+
52 /*
53 * Prepares for an interactive session. This is called after the user has
54 * been successfully authenticated. During this message exchange, pseudo
55@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt)
56 s->screen = 0;
57 }
58 packet_check_eom();
59- success = session_setup_x11fwd(s);
60+ if (xauth_valid_string(s->auth_proto) &&
61+ xauth_valid_string(s->auth_data))
62+ success = session_setup_x11fwd(s);
63+ else {
64+ success = 0;
65+ error("Invalid X11 forwarding data");
66+ }
67 if (!success) {
68 free(s->auth_proto);
69 free(s->auth_data);
70@@ -2181,7 +2203,13 @@ session_x11_req(Session *s)
71 s->screen = packet_get_int();
72 packet_check_eom();
73
74- success = session_setup_x11fwd(s);
75+ if (xauth_valid_string(s->auth_proto) &&
76+ xauth_valid_string(s->auth_data))
77+ success = session_setup_x11fwd(s);
78+ else {
79+ success = 0;
80+ error("Invalid X11 forwarding data");
81+ }
82 if (!success) {
83 free(s->auth_proto);
84 free(s->auth_data);
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
index 714c3917ce..56a1c8329a 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
23 file://run-ptest \ 23 file://run-ptest \
24 file://CVE-2016-1907_upstream_commit.patch \ 24 file://CVE-2016-1907_upstream_commit.patch \
25 file://CVE-2016-1907_2.patch \ 25 file://CVE-2016-1907_2.patch \
26 file://CVE-2016-1907_3.patch " 26 file://CVE-2016-1907_3.patch \
27 file://CVE-2016-3115.patch \
28 "
27 29
28PAM_SRC_URI = "file://sshd" 30PAM_SRC_URI = "file://sshd"
29 31