diff options
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch | 84 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_7.1p2.bb | 4 |
2 files changed, 87 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch new file mode 100644 index 0000000000..9a9ad776ce --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Thu, 10 Mar 2016 11:47:57 +0000 | ||
4 | Subject: [PATCH] upstream commit | ||
5 | |||
6 | sanitise characters destined for xauth reported by | ||
7 | github.com/tintinweb feedback and ok deraadt and markus | ||
8 | |||
9 | Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261 | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2016-3115 | ||
13 | https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871 | ||
14 | |||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | session.c | 34 +++++++++++++++++++++++++++++++--- | ||
19 | 1 file changed, 31 insertions(+), 3 deletions(-) | ||
20 | |||
21 | Index: openssh-7.1p2/session.c | ||
22 | =================================================================== | ||
23 | --- openssh-7.1p2.orig/session.c | ||
24 | +++ openssh-7.1p2/session.c | ||
25 | @@ -46,6 +46,7 @@ | ||
26 | |||
27 | #include <arpa/inet.h> | ||
28 | |||
29 | +#include <ctype.h> | ||
30 | #include <errno.h> | ||
31 | #include <fcntl.h> | ||
32 | #include <grp.h> | ||
33 | @@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt) | ||
34 | do_cleanup(authctxt); | ||
35 | } | ||
36 | |||
37 | +/* Check untrusted xauth strings for metacharacters */ | ||
38 | +static int | ||
39 | +xauth_valid_string(const char *s) | ||
40 | +{ | ||
41 | + size_t i; | ||
42 | + | ||
43 | + for (i = 0; s[i] != '\0'; i++) { | ||
44 | + if (!isalnum((u_char)s[i]) && | ||
45 | + s[i] != '.' && s[i] != ':' && s[i] != '/' && | ||
46 | + s[i] != '-' && s[i] != '_') | ||
47 | + return 0; | ||
48 | + } | ||
49 | + return 1; | ||
50 | +} | ||
51 | + | ||
52 | /* | ||
53 | * Prepares for an interactive session. This is called after the user has | ||
54 | * been successfully authenticated. During this message exchange, pseudo | ||
55 | @@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt) | ||
56 | s->screen = 0; | ||
57 | } | ||
58 | packet_check_eom(); | ||
59 | - success = session_setup_x11fwd(s); | ||
60 | + if (xauth_valid_string(s->auth_proto) && | ||
61 | + xauth_valid_string(s->auth_data)) | ||
62 | + success = session_setup_x11fwd(s); | ||
63 | + else { | ||
64 | + success = 0; | ||
65 | + error("Invalid X11 forwarding data"); | ||
66 | + } | ||
67 | if (!success) { | ||
68 | free(s->auth_proto); | ||
69 | free(s->auth_data); | ||
70 | @@ -2181,7 +2203,13 @@ session_x11_req(Session *s) | ||
71 | s->screen = packet_get_int(); | ||
72 | packet_check_eom(); | ||
73 | |||
74 | - success = session_setup_x11fwd(s); | ||
75 | + if (xauth_valid_string(s->auth_proto) && | ||
76 | + xauth_valid_string(s->auth_data)) | ||
77 | + success = session_setup_x11fwd(s); | ||
78 | + else { | ||
79 | + success = 0; | ||
80 | + error("Invalid X11 forwarding data"); | ||
81 | + } | ||
82 | if (!success) { | ||
83 | free(s->auth_proto); | ||
84 | free(s->auth_data); | ||
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb index 3b5e28a1d7..c1b0fb28a0 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb | |||
@@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. | |||
23 | file://run-ptest \ | 23 | file://run-ptest \ |
24 | file://CVE-2016-1907_upstream_commit.patch \ | 24 | file://CVE-2016-1907_upstream_commit.patch \ |
25 | file://CVE-2016-1907_2.patch \ | 25 | file://CVE-2016-1907_2.patch \ |
26 | file://CVE-2016-1907_3.patch " | 26 | file://CVE-2016-1907_3.patch \ |
27 | file://CVE-2016-3115.patch \ | ||
28 | " | ||
27 | 29 | ||
28 | PAM_SRC_URI = "file://sshd" | 30 | PAM_SRC_URI = "file://sshd" |
29 | 31 | ||