From 0521bb1a51992af5c040b9d2e7bf7a1d7bd223ef Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 20 Dec 2023 12:20:37 +0100
Subject: [PATCH] Forbid shell metasymbols in username/hostname

Resolves: CVE-2023-51385
---
 openssh-9.6p1-CVE-2023-51385.patch | 57 ++++++++++++++++++++++++++++++
 openssh.spec | 5 +++
 2 files changed, 62 insertions(+)
 create mode 100644 openssh-9.6p1-CVE-2023-51385.patch

diff --git a/openssh-9.6p1-CVE-2023-51385.patch b/openssh-9.6p1-CVE-2023-51385.patch
new file mode 100644
index 0000000..3b83b5c
--- /dev/null
+++ b/openssh-9.6p1-CVE-2023-51385.patch
@@ -0,0 +1,57 @@
+diff --git a/ssh.c b/ssh.c
+index 35c48e62..48d93ddf 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
+ free(cinfo);
+ }
+ 
++static int
++valid_hostname(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Main program for the ssh client.
+ */
+@@ -1118,6 +1153,10 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+ 
++ if (!valid_hostname(host))
++ fatal("hostname contains invalid characters");
++ if (options.user != NULL && !valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
+ host_arg = xstrdup(host);
+ 
+ /* Initialize the command to execute on remote host. */
diff --git a/openssh.spec b/openssh.spec
index a43e1cf..d5eaab0 100644
--- a/openssh.spec
+++ b/openssh.spec
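Review bot: The two validators added to ssh.c carry no header comment explaining why `valid_hostname` and `valid_ruser` reject different character sets, so a later reader could "harmonise" the laxer one and break usernames that legitimately contain whitespace, `$` or `\`; add above `valid_hostname` `/* Reject hostnames a shell could reinterpret when substituted into a command; a leading '-' is refused so the name cannot be parsed as an option. */` and above `valid_ruser` `/* Usernames are allowed whitespace, '$' and '\'; beyond the listed metacharacters only a '-' following whitespace and a trailing '\' are refused. */`. The checks in main() are applied to the command-line `host` and `options.user` just before `host_arg = xstrdup(host)`; whether values substituted later from configuration receive the same validation is not visible in this hunk, and main() begins and ends outside it. The patch file is carried verbatim from upstream, so the comments would have to be added in the carried patch rather than in the spec.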
@@ -286,6 +286,8 @@ Patch1016: openssh-9.3p1-openssl-compat.patch
 Patch1017: openssh-9.4p2-limit-delay.patch
 #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
+#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
+Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -508,6 +510,7 @@ popd
 %patch1016 -p1 -b .openssl3compat
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
+%patch1019 -p1 -b .cve-2023-51385
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -800,6 +803,8 @@ test -f %{sysconfig_anaconda} && \
   Resolves: CVE-2023-48795
 - Relax OpenSSH build-time checks for OpenSSL version
   Related: RHEL-4734
+- Forbid shell metasymbols in username/hostname
+  Resolves: CVE-2023-51385
 
 * Mon Oct 23 2023 Dmitry Belyavskiy - 8.7p1-35
 - Relax OpenSSH checks for OpenSSL version