Compare commits
3 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a5973cde65 | ||
|
|
fa14c2c8be | ||
|
|
757c14ddb9 |
10 changed files with 14463 additions and 2605 deletions
|
|
@ -24,7 +24,7 @@
|
|||
%global libedit 1
|
||||
|
||||
%global openssh_ver 9.3p1
|
||||
%global openssh_rel 4
|
||||
%global openssh_rel 6
|
||||
|
||||
Summary: An implementation of the SSH protocol with GSI authentication
|
||||
Name: gsi-openssh
|
||||
|
|
@ -46,6 +46,7 @@ Source13: gsisshd-keygen
|
|||
Source15: gsisshd-keygen.target
|
||||
Source19: %{name}-server-systemd-sysusers.conf
|
||||
Source20: gsissh-host-keys-migration.sh
|
||||
Source21: gsissh-host-keys-migration.service
|
||||
Source99: README.sshd-and-gsisshd
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||
|
|
@ -179,6 +180,12 @@ Patch1014: openssh-8.7p1-nohostsha1proof.patch
|
|||
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
||||
# upstream b7afd8a4ecaca8afd3179b55e9db79c0ff210237
|
||||
Patch1016: openssh-9.3p1-openssl-compat.patch
|
||||
Patch1017: openssh-9.6p1-CVE-2023-51385.patch
|
||||
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
||||
Patch1019: openssh-9.6p1-CVE-2023-51384.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2294879
|
||||
# Merged in OpenSSH 9.8
|
||||
Patch1020: openssh-9.6p1-cve-2024-6387.patch
|
||||
|
||||
# Fix issue with read-only ssh buffer during gssapi key exchange (#1938224)
|
||||
# https://github.com/openssh-gsskex/openssh-gsskex/pull/19
|
||||
|
|
@ -188,8 +195,8 @@ Patch97: openssh-8.0p1-sshbuf-readonly.patch
|
|||
Patch98: openssh-9.3p1-gsissh.patch
|
||||
|
||||
# This is the HPN patch
|
||||
# Based on https://sourceforge.net/projects/hpnssh/files/Patches/HPN-SSH%2015v2%208.5p1/
|
||||
Patch99: openssh-9.3p1-hpn-15.2-modified.patch
|
||||
# Based on https://github.com/rapier1/hpn-ssh/ tag: hpn-9_3_P1 (hpn17v13)
|
||||
Patch99: openssh-9.3p1-hpn-17.13.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
|
|
@ -247,6 +254,8 @@ Requires(pre): /usr/sbin/useradd
|
|||
Requires: pam >= 1.0.1-3
|
||||
Requires: crypto-policies >= 20220824-1
|
||||
%{?systemd_requires}
|
||||
Requires(pre): policycoreutils-python-utils
|
||||
Requires(postun): policycoreutils-python-utils
|
||||
|
||||
%description
|
||||
SSH (Secure SHell) is a program for logging into and executing
|
||||
|
|
@ -342,6 +351,10 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
|||
%patch -P 1014 -p1 -b .nosha1hostproof
|
||||
%patch -P 1015 -p1 -b .cve-2023-38408
|
||||
%patch -P 1016 -p1 -b .ossl-version
|
||||
%patch -P 1017 -p1 -b .cve-2023-51385
|
||||
%patch -P 1018 -p1 -b .cve-2023-48795
|
||||
%patch -P 1019 -p1 -b .cve-2023-51384
|
||||
%patch -P 1020 -p1 -b .cve-2024-6387
|
||||
|
||||
%patch -P 100 -p1 -b .coverity
|
||||
|
||||
|
|
@ -393,8 +406,8 @@ fi
|
|||
--sysconfdir=%{_sysconfdir}/gsissh \
|
||||
--libexecdir=%{_libexecdir}/gsissh \
|
||||
--datadir=%{_datadir}/gsissh \
|
||||
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
|
||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||
--with-default-path=%{_libexecdir}/gsissh/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
|
||||
--with-superuser-path=%{_libexecdir}/gsissh/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||
--with-privsep-path=%{_datadir}/empty.sshd \
|
||||
--disable-strip \
|
||||
--without-zlib-version-check \
|
||||
|
|
@ -454,21 +467,23 @@ install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/gsisshd-keygen.target
|
|||
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/gsissh/sshd-keygen
|
||||
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
||||
install -p -D -m 0644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysusersdir}/%{name}-server.conf
|
||||
# Migration script for Fedora 38 change to remove group ownership for standard host keys
|
||||
# Migration service/script for Fedora 38 change to remove group ownership for standard host keys
|
||||
# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||
install -m744 %{SOURCE20} $RPM_BUILD_ROOT/%{_libexecdir}/gsissh/ssh-host-keys-migration.sh
|
||||
# Pulled-in via a `Wants=` in `gsisshd.service` & `gsisshd@.service`
|
||||
install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%{_unitdir}/gsissh-host-keys-migration.service
|
||||
install -d $RPM_BUILD_ROOT/%{_localstatedir}/lib
|
||||
touch $RPM_BUILD_ROOT/%{_localstatedir}/lib/.gsissh-host-keys-migration
|
||||
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/ssh-add
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/ssh-agent
|
||||
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-keycat
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-pkcs11-helper
|
||||
rm $RPM_BUILD_ROOT%{_libexecdir}/gsissh/ssh-sk-helper
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-add.1*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-agent.1*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man1/ssh-keyscan.1*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||
rm $RPM_BUILD_ROOT%{_mandir}/man8/ssh-sk-helper.8*
|
||||
|
||||
for f in $RPM_BUILD_ROOT%{_bindir}/* \
|
||||
$RPM_BUILD_ROOT%{_sbindir}/* \
|
||||
|
|
@ -476,16 +491,27 @@ for f in $RPM_BUILD_ROOT%{_bindir}/* \
|
|||
mv $f `dirname $f`/gsi`basename $f`
|
||||
done
|
||||
|
||||
# Add scp and hpnscp symlinks in gsisshd's path
|
||||
mkdir $RPM_BUILD_ROOT%{_libexecdir}/gsissh/bin
|
||||
ln -nrs $RPM_BUILD_ROOT%{_bindir}/gsiscp \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/gsissh/bin/scp
|
||||
ln -nrs $RPM_BUILD_ROOT%{_bindir}/gsiscp \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/gsissh/bin/hpnscp
|
||||
|
||||
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||
|
||||
%pre server
|
||||
%sysusers_create_compat %{SOURCE19}
|
||||
semanage port -a -t ssh_port_t -p tcp 2222 2>/dev/null || :
|
||||
|
||||
%post server
|
||||
if [ $1 -gt 1 ]; then
|
||||
# In the case of an upgrade run the migration
|
||||
# In the case of an upgrade (never true on OSTree systems) run the migration
|
||||
# script for Fedora 38 to remove group ownership for host keys.
|
||||
%{_libexecdir}/gsissh/ssh-host-keys-migration.sh
|
||||
# Prevent the systemd unit that performs the same service (useful for
|
||||
# OSTree systems) from running.
|
||||
touch /var/lib/.gsissh-host-keys-migration
|
||||
fi
|
||||
%systemd_post gsisshd.service gsisshd.socket
|
||||
|
||||
|
|
@ -494,6 +520,9 @@ fi
|
|||
|
||||
%postun server
|
||||
%systemd_postun_with_restart gsisshd.service
|
||||
if [ $1 -eq 0 ]; then
|
||||
semanage port -d -t ssh_port_t -p tcp 2222 2>/dev/null || :
|
||||
fi
|
||||
|
||||
%files
|
||||
%license LICENCE
|
||||
|
|
@ -503,7 +532,7 @@ fi
|
|||
%attr(0755,root,root) %{_bindir}/gsissh-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man1/gsissh-keygen.1*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/gsissh
|
||||
%attr(4755,root,root) %{_libexecdir}/gsissh/ssh-keysign
|
||||
%attr(4555,root,root) %{_libexecdir}/gsissh/ssh-keysign
|
||||
%attr(0644,root,root) %{_mandir}/man8/gsissh-keysign.8*
|
||||
|
||||
%files clients
|
||||
|
|
@ -516,7 +545,12 @@ fi
|
|||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gsissh/ssh_config.d/50-redhat.conf
|
||||
%attr(0644,root,root) %{_mandir}/man5/gsissh_config.5*
|
||||
%attr(0755,root,root) %{_bindir}/gsisftp
|
||||
%attr(0755,root,root) %{_libexecdir}/gsissh/ssh-sk-helper
|
||||
%attr(0644,root,root) %{_mandir}/man1/gsisftp.1*
|
||||
%attr(0644,root,root) %{_mandir}/man8/gsissh-sk-helper.8*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/gsissh/bin
|
||||
%{_libexecdir}/gsissh/bin/scp
|
||||
%{_libexecdir}/gsissh/bin/hpnscp
|
||||
|
||||
%files server
|
||||
%dir %attr(0711,root,root) %{_datadir}/empty.sshd
|
||||
|
|
@ -539,9 +573,17 @@ fi
|
|||
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen@.service
|
||||
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.target
|
||||
%attr(0644,root,root) %{_sysusersdir}/%{name}-server.conf
|
||||
%attr(0644,root,root) %{_unitdir}/gsissh-host-keys-migration.service
|
||||
%attr(0744,root,root) %{_libexecdir}/gsissh/ssh-host-keys-migration.sh
|
||||
%ghost %attr(0644,root,root) %{_localstatedir}/lib/.gsissh-host-keys-migration
|
||||
|
||||
%changelog
|
||||
* Fri Jul 12 2024 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-6
|
||||
- Add scp and hpnscp symlinks in gsisshd's path
|
||||
|
||||
* Mon Jul 08 2024 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-5
|
||||
- Based on openssh-9.3p1-11.fc39
|
||||
|
||||
* Tue Oct 17 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-4
|
||||
- Based on openssh-9.3p1-9.fc39
|
||||
|
||||
|
|
|
|||
15
gsissh-host-keys-migration.service
Normal file
15
gsissh-host-keys-migration.service
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
[Unit]
|
||||
Description=Update gsissh host key permissions
|
||||
Documentation=https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||
Before=gsisshd.service
|
||||
After=gsissh-keygen.target
|
||||
ConditionPathExists=!/var/lib/.gsissh-host-keys-migration
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=-/usr/libexec/gsissh/ssh-host-keys-migration.sh
|
||||
ExecStart=touch /var/lib/.gsissh-host-keys-migration
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=gsisshd.service
|
||||
|
|
@ -3,6 +3,9 @@ Description=gsissh server daemon
|
|||
Documentation=man:gsisshd(8) man:gsisshd_config(5)
|
||||
After=network.target gsisshd-keygen.target
|
||||
Wants=gsisshd-keygen.target
|
||||
# Migration for Fedora 38 change to remove group ownership for standard host keys
|
||||
# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||
Wants=gsissh-host-keys-migration.service
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
|
|
|
|||
|
|
@ -3,6 +3,9 @@ Description=gsissh per-connection server daemon
|
|||
Documentation=man:gsisshd(8) man:gsisshd_config(5)
|
||||
Wants=gsisshd-keygen.target
|
||||
After=gsisshd-keygen.target
|
||||
# Migration for Fedora 38 change to remove group ownership for standard host keys
|
||||
# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
|
||||
Wants=gsissh-host-keys-migration.service
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/sysconfig/gsisshd
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
13723
openssh-9.3p1-hpn-17.13.patch
Normal file
13723
openssh-9.3p1-hpn-17.13.patch
Normal file
File diff suppressed because it is too large
Load diff
443
openssh-9.6p1-CVE-2023-48795.patch
Normal file
443
openssh-9.6p1-CVE-2023-48795.patch
Normal file
|
|
@ -0,0 +1,443 @@
|
|||
diff --git a/PROTOCOL b/PROTOCOL
|
||||
index d453c779..ded935eb 100644
|
||||
--- a/PROTOCOL
|
||||
+++ b/PROTOCOL
|
||||
@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very
|
||||
|
||||
This is identical to curve25519-sha256 as later published in RFC8731.
|
||||
|
||||
+1.9 transport: strict key exchange extension
|
||||
+
|
||||
+OpenSSH supports a number of transport-layer hardening measures under
|
||||
+a "strict KEX" feature. This feature is signalled similarly to the
|
||||
+RFC8308 ext-info feature: by including a additional algorithm in the
|
||||
+initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
|
||||
+"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
|
||||
+may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
|
||||
+are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
|
||||
+if they are present in subsequent SSH2_MSG_KEXINIT packets.
|
||||
+
|
||||
+When an endpoint that supports this extension observes this algorithm
|
||||
+name in a peer's KEXINIT packet, it MUST make the following changes to
|
||||
+the the protocol:
|
||||
+
|
||||
+a) During initial KEX, terminate the connection if any unexpected or
|
||||
+ out-of-sequence packet is received. This includes terminating the
|
||||
+ connection if the first packet received is not SSH2_MSG_KEXINIT.
|
||||
+ Unexpected packets for the purpose of strict KEX include messages
|
||||
+ that are otherwise valid at any time during the connection such as
|
||||
+ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
|
||||
+b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
|
||||
+ packet sequence number to zero. This behaviour persists for the
|
||||
+ duration of the connection (i.e. not just the first
|
||||
+ SSH2_MSG_NEWKEYS).
|
||||
+
|
||||
2. Connection protocol changes
|
||||
|
||||
2.1. connection: Channel write close extension "eow@openssh.com"
|
||||
diff --git a/kex.c b/kex.c
|
||||
index aa5e792d..d478ff6e 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -65,7 +65,7 @@
|
||||
#endif
|
||||
|
||||
/* prototype */
|
||||
-static int kex_choose_conf(struct ssh *);
|
||||
+static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
|
||||
static const char * const proposal_names[PROPOSAL_MAX] = {
|
||||
@@ -177,6 +177,18 @@ kex_names_valid(const char *names)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+/* returns non-zero if proposal contains any algorithm from algs */
|
||||
+static int
|
||||
+has_any_alg(const char *proposal, const char *algs)
|
||||
+{
|
||||
+ char *cp;
|
||||
+
|
||||
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
||||
+ return 0;
|
||||
+ free(cp);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Concatenate algorithm names, avoiding duplicates in the process.
|
||||
* Caller must free returned string.
|
||||
@@ -184,7 +196,7 @@ kex_names_valid(const char *names)
|
||||
char *
|
||||
kex_names_cat(const char *a, const char *b)
|
||||
{
|
||||
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
|
||||
+ char *ret = NULL, *tmp = NULL, *cp, *p;
|
||||
size_t len;
|
||||
|
||||
if (a == NULL || *a == '\0')
|
||||
@@ -201,10 +213,8 @@ kex_names_cat(const char *a, const char *b)
|
||||
}
|
||||
strlcpy(ret, a, len);
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
|
||||
- if ((m = match_list(ret, p, NULL)) != NULL) {
|
||||
- free(m);
|
||||
+ if (has_any_alg(ret, p))
|
||||
continue; /* Algorithm already present */
|
||||
- }
|
||||
if (strlcat(ret, ",", len) >= len ||
|
||||
strlcat(ret, p, len) >= len) {
|
||||
free(tmp);
|
||||
@@ -334,15 +344,23 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
|
||||
const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||
const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
|
||||
u_int i;
|
||||
+ char *cp;
|
||||
|
||||
if (prop == NULL)
|
||||
fatal_f("proposal missing");
|
||||
|
||||
+ /* Append EXT_INFO signalling to KexAlgorithms */
|
||||
+ if (kexalgos == NULL)
|
||||
+ kexalgos = defprop[PROPOSAL_KEX_ALGS];
|
||||
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
|
||||
+ "kex-strict-s-v00@openssh.com" :
|
||||
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
|
||||
+ fatal_f("kex_names_cat");
|
||||
+
|
||||
for (i = 0; i < PROPOSAL_MAX; i++) {
|
||||
switch(i) {
|
||||
case PROPOSAL_KEX_ALGS:
|
||||
- prop[i] = compat_kex_proposal(ssh,
|
||||
- kexalgos ? kexalgos : defprop[i]);
|
||||
+ prop[i] = compat_kex_proposal(ssh, cp);
|
||||
break;
|
||||
case PROPOSAL_ENC_ALGS_CTOS:
|
||||
case PROPOSAL_ENC_ALGS_STOC:
|
||||
@@ -363,6 +381,7 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
|
||||
prop[i] = xstrdup(defprop[i]);
|
||||
}
|
||||
}
|
||||
+ free(cp);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -466,7 +485,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
|
||||
{
|
||||
int r;
|
||||
|
||||
- error("kex protocol error: type %d seq %u", type, seq);
|
||||
+ /* If in strict mode, any unexpected message is an error */
|
||||
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
|
||||
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
|
||||
+ "unexpected packet type %u (seqnr %u)", type, seq);
|
||||
+ }
|
||||
+ error_f("type %u seq %u", type, seq);
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
|
||||
(r = sshpkt_send(ssh)) != 0)
|
||||
@@ -563,7 +587,7 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
|
||||
if (ninfo >= 1024) {
|
||||
error("SSH2_MSG_EXT_INFO with too many entries, expected "
|
||||
"<=1024, received %u", ninfo);
|
||||
- return SSH_ERR_INVALID_FORMAT;
|
||||
+ return dispatch_protocol_error(type, seq, ssh);
|
||||
}
|
||||
for (i = 0; i < ninfo; i++) {
|
||||
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
|
||||
@@ -681,7 +705,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
|
||||
error_f("no kex");
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
}
|
||||
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
|
||||
ptr = sshpkt_ptr(ssh, &dlen);
|
||||
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
||||
return r;
|
||||
@@ -717,7 +741,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
|
||||
if (!(kex->flags & KEX_INIT_SENT))
|
||||
if ((r = kex_send_kexinit(ssh)) != 0)
|
||||
return r;
|
||||
- if ((r = kex_choose_conf(ssh)) != 0)
|
||||
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
|
||||
return r;
|
||||
|
||||
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
|
||||
@@ -981,20 +1005,14 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
|
||||
return (1);
|
||||
}
|
||||
|
||||
-/* returns non-zero if proposal contains any algorithm from algs */
|
||||
static int
|
||||
-has_any_alg(const char *proposal, const char *algs)
|
||||
+kexalgs_contains(char **peer, const char *ext)
|
||||
{
|
||||
- char *cp;
|
||||
-
|
||||
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
||||
- return 0;
|
||||
- free(cp);
|
||||
- return 1;
|
||||
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
|
||||
}
|
||||
|
||||
static int
|
||||
-kex_choose_conf(struct ssh *ssh)
|
||||
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
struct newkeys *newkeys;
|
||||
@@ -1019,13 +1037,23 @@ kex_choose_conf(struct ssh *ssh)
|
||||
sprop=peer;
|
||||
}
|
||||
|
||||
- /* Check whether client supports ext_info_c */
|
||||
- if (kex->server && (kex->flags & KEX_INITIAL)) {
|
||||
- char *ext;
|
||||
-
|
||||
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
|
||||
- kex->ext_info_c = (ext != NULL);
|
||||
- free(ext);
|
||||
+ /* Check whether peer supports ext_info/kex_strict */
|
||||
+ if ((kex->flags & KEX_INITIAL) != 0) {
|
||||
+ if (kex->server) {
|
||||
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
|
||||
+ kex->kex_strict = kexalgs_contains(peer,
|
||||
+ "kex-strict-c-v00@openssh.com");
|
||||
+ } else {
|
||||
+ kex->kex_strict = kexalgs_contains(peer,
|
||||
+ "kex-strict-s-v00@openssh.com");
|
||||
+ }
|
||||
+ if (kex->kex_strict) {
|
||||
+ debug3_f("will use strict KEX ordering");
|
||||
+ if (seq != 0)
|
||||
+ ssh_packet_disconnect(ssh,
|
||||
+ "strict KEX violation: "
|
||||
+ "KEXINIT was not the first packet");
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Check whether client supports rsa-sha2 algorithms */
|
||||
diff --git a/kex.h b/kex.h
|
||||
index 5f7ef784..272ebb43 100644
|
||||
--- a/kex.h
|
||||
+++ b/kex.h
|
||||
@@ -149,6 +149,7 @@ struct kex {
|
||||
u_int kex_type;
|
||||
char *server_sig_algs;
|
||||
int ext_info_c;
|
||||
+ int kex_strict;
|
||||
struct sshbuf *my;
|
||||
struct sshbuf *peer;
|
||||
struct sshbuf *client_version;
|
||||
diff --git a/packet.c b/packet.c
|
||||
index 52017def..beb214f9 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -1207,8 +1207,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
|
||||
sshbuf_dump(state->output, stderr);
|
||||
#endif
|
||||
/* increment sequence number for outgoing packets */
|
||||
- if (++state->p_send.seqnr == 0)
|
||||
+ if (++state->p_send.seqnr == 0) {
|
||||
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
|
||||
+ ssh_packet_disconnect(ssh, "outgoing sequence number "
|
||||
+ "wrapped during initial key exchange");
|
||||
+ }
|
||||
logit("outgoing seqnr wraps around");
|
||||
+ }
|
||||
if (++state->p_send.packets == 0)
|
||||
if (!(ssh->compat & SSH_BUG_NOREKEY))
|
||||
return SSH_ERR_NEED_REKEY;
|
||||
@@ -1216,6 +1221,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
|
||||
state->p_send.bytes += len;
|
||||
sshbuf_reset(state->outgoing_packet);
|
||||
|
||||
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
||||
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
|
||||
+ state->p_send.seqnr = 0;
|
||||
+ }
|
||||
+
|
||||
if (type == SSH2_MSG_NEWKEYS)
|
||||
r = ssh_set_newkeys(ssh, MODE_OUT);
|
||||
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
|
||||
@@ -1344,8 +1354,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
/* Stay in the loop until we have received a complete packet. */
|
||||
for (;;) {
|
||||
/* Try to read a packet from the buffer. */
|
||||
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
|
||||
- if (r != 0)
|
||||
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
|
||||
break;
|
||||
/* If we got a packet, return it. */
|
||||
if (*typep != SSH_MSG_NONE)
|
||||
@@ -1629,10 +1615,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
if (seqnr_p != NULL)
|
||||
*seqnr_p = state->p_read.seqnr;
|
||||
- if (++state->p_read.seqnr == 0)
|
||||
+ if (++state->p_read.seqnr == 0) {
|
||||
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
|
||||
+ ssh_packet_disconnect(ssh, "incoming sequence number "
|
||||
+ "wrapped during initial key exchange");
|
||||
+ }
|
||||
logit("incoming seqnr wraps around");
|
||||
+ }
|
||||
if (++state->p_read.packets == 0)
|
||||
if (!(ssh->compat & SSH_BUG_NOREKEY))
|
||||
return SSH_ERR_NEED_REKEY;
|
||||
@@ -1698,6 +1690,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
#endif
|
||||
/* reset for next packet */
|
||||
state->packlen = 0;
|
||||
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
||||
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
|
||||
+ state->p_read.seqnr = 0;
|
||||
+ }
|
||||
|
||||
if ((r = ssh_packet_check_rekey(ssh)) != 0)
|
||||
return r;
|
||||
@@ -1720,10 +1716,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
|
||||
if (r != 0)
|
||||
return r;
|
||||
- if (*typep) {
|
||||
- state->keep_alive_timeouts = 0;
|
||||
- DBG(debug("received packet type %d", *typep));
|
||||
+ if (*typep == 0) {
|
||||
+ /* no message ready */
|
||||
+ return 0;
|
||||
}
|
||||
+ state->keep_alive_timeouts = 0;
|
||||
+ DBG(debug("received packet type %d", *typep));
|
||||
+
|
||||
+ /* Always process disconnect messages */
|
||||
+ if (*typep == SSH2_MSG_DISCONNECT) {
|
||||
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
||||
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
||||
+ return r;
|
||||
+ /* Ignore normal client exit notifications */
|
||||
+ do_log2(ssh->state->server_side &&
|
||||
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
||||
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
||||
+ "Received disconnect from %s port %d:"
|
||||
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
|
||||
+ ssh_remote_port(ssh), reason, msg);
|
||||
+ free(msg);
|
||||
+ return SSH_ERR_DISCONNECTED;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Do not implicitly handle any messages here during initial
|
||||
+ * KEX when in strict mode. They will be need to be allowed
|
||||
+ * explicitly by the KEX dispatch table or they will generate
|
||||
+ * protocol errors.
|
||||
+ */
|
||||
+ if (ssh->kex != NULL &&
|
||||
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
|
||||
+ return 0;
|
||||
+ /* Implicitly handle transport-level messages */
|
||||
switch (*typep) {
|
||||
case SSH2_MSG_IGNORE:
|
||||
debug3("Received SSH2_MSG_IGNORE");
|
||||
@@ -1738,19 +1763,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
debug("Remote: %.900s", msg);
|
||||
free(msg);
|
||||
break;
|
||||
- case SSH2_MSG_DISCONNECT:
|
||||
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
||||
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
||||
- return r;
|
||||
- /* Ignore normal client exit notifications */
|
||||
- do_log2(ssh->state->server_side &&
|
||||
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
||||
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
||||
- "Received disconnect from %s port %d:"
|
||||
- "%u: %.400s", ssh_remote_ipaddr(ssh),
|
||||
- ssh_remote_port(ssh), reason, msg);
|
||||
- free(msg);
|
||||
- return SSH_ERR_DISCONNECTED;
|
||||
case SSH2_MSG_UNIMPLEMENTED:
|
||||
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
|
||||
return r;
|
||||
@@ -2242,6 +2254,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
|
||||
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
|
||||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
|
||||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
|
||||
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
|
||||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
|
||||
@@ -2404,6 +2417,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
|
||||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
|
||||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
|
||||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
|
||||
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
|
||||
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
|
||||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
|
||||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
|
||||
@@ -2732,6 +2746,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
|
||||
vsnprintf(buf, sizeof(buf), fmt, args);
|
||||
va_end(args);
|
||||
|
||||
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
|
||||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index df6caf81..0cccbcc4 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -358,7 +358,6 @@ struct cauthmethod {
|
||||
};
|
||||
|
||||
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
|
||||
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_success(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_failure(int, u_int32_t, struct ssh *);
|
||||
static int input_userauth_banner(int, u_int32_t, struct ssh *);
|
||||
@@ -472,7 +471,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
||||
|
||||
ssh->authctxt = &authctxt;
|
||||
ssh_dispatch_init(ssh, &input_userauth_error);
|
||||
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
|
||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
|
||||
pubkey_cleanup(ssh);
|
||||
@@ -531,12 +530,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
|
||||
return r;
|
||||
}
|
||||
|
||||
-static int
|
||||
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
|
||||
-{
|
||||
- return kex_input_ext_info(type, seqnr, ssh);
|
||||
-}
|
||||
-
|
||||
void
|
||||
userauth(struct ssh *ssh, char *authlist)
|
||||
{
|
||||
@@ -615,6 +608,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
|
||||
free(authctxt->methoddata);
|
||||
authctxt->methoddata = NULL;
|
||||
authctxt->success = 1; /* break out */
|
||||
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff -up openssh-8.7p1/sshd.c.kexstrict openssh-8.7p1/sshd.c
|
||||
--- openssh-8.7p1/sshd.c.kexstrict 2023-11-27 13:19:18.855433602 +0100
|
||||
+++ openssh-8.7p1/sshd.c 2023-11-27 13:28:10.441325314 +0100
|
||||
@@ -2586,7 +2586,7 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
else if (gss)
|
||||
- newstr = gss;
|
||||
+ xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com");
|
||||
else if (orig)
|
||||
newstr = orig;
|
||||
|
||||
149
openssh-9.6p1-CVE-2023-51384.patch
Normal file
149
openssh-9.6p1-CVE-2023-51384.patch
Normal file
|
|
@ -0,0 +1,149 @@
|
|||
diff --git a/ssh-agent.c b/ssh-agent.c
|
||||
index f528611635e..1d4c321eb0b 100644
|
||||
--- a/ssh-agent.c
|
||||
+++ b/ssh-agent.c
|
||||
@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
|
||||
free(dcs);
|
||||
}
|
||||
|
||||
+static void
|
||||
+dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
|
||||
+ struct dest_constraint_hop *out)
|
||||
+{
|
||||
+ u_int i;
|
||||
+ int r;
|
||||
+
|
||||
+ out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
|
||||
+ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
|
||||
+ out->is_ca = dch->is_ca;
|
||||
+ out->nkeys = dch->nkeys;
|
||||
+ out->keys = out->nkeys == 0 ? NULL :
|
||||
+ xcalloc(out->nkeys, sizeof(*out->keys));
|
||||
+ out->key_is_ca = out->nkeys == 0 ? NULL :
|
||||
+ xcalloc(out->nkeys, sizeof(*out->key_is_ca));
|
||||
+ for (i = 0; i < dch->nkeys; i++) {
|
||||
+ if (dch->keys[i] != NULL &&
|
||||
+ (r = sshkey_from_private(dch->keys[i],
|
||||
+ &(out->keys[i]))) != 0)
|
||||
+ fatal_fr(r, "copy key");
|
||||
+ out->key_is_ca[i] = dch->key_is_ca[i];
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static struct dest_constraint *
|
||||
+dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
|
||||
+{
|
||||
+ size_t i;
|
||||
+ struct dest_constraint *ret;
|
||||
+
|
||||
+ if (ndcs == 0)
|
||||
+ return NULL;
|
||||
+ ret = xcalloc(ndcs, sizeof(*ret));
|
||||
+ for (i = 0; i < ndcs; i++) {
|
||||
+ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from);
|
||||
+ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to);
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+#ifdef DEBUG_CONSTRAINTS
|
||||
+static void
|
||||
+dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
|
||||
+{
|
||||
+ u_int i;
|
||||
+ char *fp;
|
||||
+
|
||||
+ debug_f("user %s hostname %s is_ca %d nkeys %u",
|
||||
+ dch->user == NULL ? "(null)" : dch->user,
|
||||
+ dch->hostname == NULL ? "(null)" : dch->hostname,
|
||||
+ dch->is_ca, dch->nkeys);
|
||||
+ for (i = 0; i < dch->nkeys; i++) {
|
||||
+ fp = NULL;
|
||||
+ if (dch->keys[i] != NULL &&
|
||||
+ (fp = sshkey_fingerprint(dch->keys[i],
|
||||
+ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
|
||||
+ fatal_f("fingerprint failed");
|
||||
+ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
|
||||
+ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]),
|
||||
+ dch->keys[i] == NULL ? "" : " ",
|
||||
+ dch->keys[i] == NULL ? "none" : fp,
|
||||
+ dch->key_is_ca[i]);
|
||||
+ free(fp);
|
||||
+ }
|
||||
+}
|
||||
+#endif /* DEBUG_CONSTRAINTS */
|
||||
+
|
||||
+static void
|
||||
+dump_dest_constraints(const char *context,
|
||||
+ const struct dest_constraint *dcs, size_t ndcs)
|
||||
+{
|
||||
+#ifdef DEBUG_CONSTRAINTS
|
||||
+ size_t i;
|
||||
+
|
||||
+ debug_f("%s: %zu constraints", context, ndcs);
|
||||
+ for (i = 0; i < ndcs; i++) {
|
||||
+ debug_f("constraint %zu / %zu: from: ", i, ndcs);
|
||||
+ dump_dest_constraint_hop(&dcs[i].from);
|
||||
+ debug_f("constraint %zu / %zu: to: ", i, ndcs);
|
||||
+ dump_dest_constraint_hop(&dcs[i].to);
|
||||
+ }
|
||||
+ debug_f("done for %s", context);
|
||||
+#endif /* DEBUG_CONSTRAINTS */
|
||||
+}
|
||||
+
|
||||
static void
|
||||
free_identity(Identity *id)
|
||||
{
|
||||
@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e)
|
||||
Identity *id;
|
||||
struct sshbuf *msg, *keys;
|
||||
int r;
|
||||
- u_int nentries = 0;
|
||||
+ u_int i = 0, nentries = 0;
|
||||
+ char *fp;
|
||||
|
||||
debug2_f("entering");
|
||||
|
||||
if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL)
|
||||
fatal_f("sshbuf_new failed");
|
||||
TAILQ_FOREACH(id, &idtab->idlist, next) {
|
||||
+ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,
|
||||
+ SSH_FP_DEFAULT)) == NULL)
|
||||
+ fatal_f("fingerprint failed");
|
||||
+ debug_f("key %u / %u: %s %s", i++, idtab->nentries,
|
||||
+ sshkey_ssh_name(id->key), fp);
|
||||
+ dump_dest_constraints(__func__,
|
||||
+ id->dest_constraints, id->ndest_constraints);
|
||||
+ free(fp);
|
||||
/* identity not visible, don't include in response */
|
||||
if (identity_permitted(id, e, NULL, NULL, NULL) != 0)
|
||||
continue;
|
||||
@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e)
|
||||
sshbuf_reset(e->request);
|
||||
goto out;
|
||||
}
|
||||
+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
|
||||
|
||||
if (sk_provider != NULL) {
|
||||
if (!sshkey_is_sk(k)) {
|
||||
@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e)
|
||||
error_f("failed to parse constraints");
|
||||
goto send;
|
||||
}
|
||||
+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
|
||||
|
||||
sane_uri = sanitize_pkcs11_provider(e, provider);
|
||||
if (sane_uri == NULL)
|
||||
@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e)
|
||||
}
|
||||
id->death = death;
|
||||
id->confirm = confirm;
|
||||
- id->dest_constraints = dest_constraints;
|
||||
+ id->dest_constraints = dup_dest_constraints(
|
||||
+ dest_constraints, ndest_constraints);
|
||||
id->ndest_constraints = ndest_constraints;
|
||||
- dest_constraints = NULL; /* transferred */
|
||||
- ndest_constraints = 0;
|
||||
TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
|
||||
idtab->nentries++;
|
||||
success = 1;
|
||||
57
openssh-9.6p1-CVE-2023-51385.patch
Normal file
57
openssh-9.6p1-CVE-2023-51385.patch
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
diff --git a/ssh.c b/ssh.c
|
||||
index 35c48e62..48d93ddf 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
|
||||
free(cinfo);
|
||||
}
|
||||
|
||||
+static int
|
||||
+valid_hostname(const char *s)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (*s == '-')
|
||||
+ return 0;
|
||||
+ for (i = 0; s[i] != 0; i++) {
|
||||
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
|
||||
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+valid_ruser(const char *s)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (*s == '-')
|
||||
+ return 0;
|
||||
+ for (i = 0; s[i] != 0; i++) {
|
||||
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
|
||||
+ return 0;
|
||||
+ /* Disallow '-' after whitespace */
|
||||
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
|
||||
+ return 0;
|
||||
+ /* Disallow \ in last position */
|
||||
+ if (s[i] == '\\' && s[i + 1] == '\0')
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Main program for the ssh client.
|
||||
*/
|
||||
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
|
||||
if (!host)
|
||||
usage();
|
||||
|
||||
+ if (!valid_hostname(host))
|
||||
+ fatal("hostname contains invalid characters");
|
||||
+ if (options.user != NULL && !valid_ruser(options.user))
|
||||
+ fatal("remote username contains invalid characters");
|
||||
options.host_arg = xstrdup(host);
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
18
openssh-9.6p1-cve-2024-6387.patch
Normal file
18
openssh-9.6p1-cve-2024-6387.patch
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
diff --git a/log.c b/log.c
|
||||
index 9fc1a2e2e..191ff4a5a 100644
|
||||
--- a/log.c
|
||||
+++ b/log.c
|
||||
@@ -451,12 +451,14 @@ void
|
||||
sshsigdie(const char *file, const char *func, int line, int showfunc,
|
||||
LogLevel level, const char *suffix, const char *fmt, ...)
|
||||
{
|
||||
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
|
||||
suffix, fmt, args);
|
||||
va_end(args);
|
||||
+#endif
|
||||
_exit(1);
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue