Forbid shell metasymbols in username/hostname

Resolves: CVE-2023-51385
2023-12-20 12:20:37 +01:00 · 2023-12-20 12:20:37 +01:00 · 0521bb1a51
commit 0521bb1a51
parent d18e1c1119
2 changed files with 62 additions and 0 deletions
--- a/openssh-9.6p1-CVE-2023-51385.patch
+++ b/openssh-9.6p1-CVE-2023-51385.patch
@ -0,0 +1,57 @@
+diff --git a/ssh.c b/ssh.c
+index 35c48e62..48d93ddf 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
+ 	free(cinfo);
+ }
+ 
+static int
+valid_hostname(const char *s)
+{
+	size_t i;
+
+	if (*s == '-')
+		return 0;
+	for (i = 0; s[i] != 0; i++) {
+		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+			return 0;
+	}
+	return 1;
+}
+
+static int
+valid_ruser(const char *s)
+{
+	size_t i;
+
+	if (*s == '-')
+		return 0;
+	for (i = 0; s[i] != 0; i++) {
+		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+			return 0;
+		/* Disallow '-' after whitespace */
+		if (isspace((u_char)s[i]) && s[i + 1] == '-')
+			return 0;
+		/* Disallow \ in last position */
+		if (s[i] == '\\' && s[i + 1] == '\0')
+			return 0;
+	}
+	return 1;
+}
+
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1118,6 +1153,10 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
+	if (!valid_hostname(host))
+		fatal("hostname contains invalid characters");
+	if (options.user != NULL && !valid_ruser(options.user))
+		fatal("remote username contains invalid characters");
+ 	host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
--- a/openssh.spec
+++ b/openssh.spec
@ -286,6 +286,8 @@ Patch1016: openssh-9.3p1-openssl-compat.patch
 Patch1017: openssh-9.4p2-limit-delay.patch
 #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
+#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
+Patch1019: openssh-9.6p1-CVE-2023-51385.patch

 License: BSD
 Requires: /sbin/nologin
@ -508,6 +510,7 @@ popd
 %patch1016 -p1 -b .openssl3compat
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
+%patch1019 -p1 -b .cve-2023-51385

 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -800,6 +803,8 @@ test -f %{sysconfig_anaconda} && \
  Resolves: CVE-2023-48795
 - Relax OpenSSH build-time checks for OpenSSL version
  Related: RHEL-4734
+- Forbid shell metasymbols in username/hostname
+  Resolves: CVE-2023-51385

 * Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
 - Relax OpenSSH checks for OpenSSL version