forked from rpms/openssh
Forbid shell metasymbols in username/hostname
Resolves: CVE-2023-51385
This commit is contained in:
parent
d18e1c1119
commit
0521bb1a51
57
openssh-9.6p1-CVE-2023-51385.patch
Normal file
57
openssh-9.6p1-CVE-2023-51385.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
diff --git a/ssh.c b/ssh.c
|
||||||
|
index 35c48e62..48d93ddf 100644
|
||||||
|
--- a/ssh.c
|
||||||
|
+++ b/ssh.c
|
||||||
|
@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
|
||||||
|
free(cinfo);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+valid_hostname(const char *s)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ if (*s == '-')
|
||||||
|
+ return 0;
|
||||||
|
+ for (i = 0; s[i] != 0; i++) {
|
||||||
|
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
|
||||||
|
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+valid_ruser(const char *s)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ if (*s == '-')
|
||||||
|
+ return 0;
|
||||||
|
+ for (i = 0; s[i] != 0; i++) {
|
||||||
|
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
|
||||||
|
+ return 0;
|
||||||
|
+ /* Disallow '-' after whitespace */
|
||||||
|
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
|
||||||
|
+ return 0;
|
||||||
|
+ /* Disallow \ in last position */
|
||||||
|
+ if (s[i] == '\\' && s[i + 1] == '\0')
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Main program for the ssh client.
|
||||||
|
*/
|
||||||
|
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
|
||||||
|
if (!host)
|
||||||
|
usage();
|
||||||
|
|
||||||
|
+ if (!valid_hostname(host))
|
||||||
|
+ fatal("hostname contains invalid characters");
|
||||||
|
+ if (options.user != NULL && !valid_ruser(options.user))
|
||||||
|
+ fatal("remote username contains invalid characters");
|
||||||
|
host_arg = xstrdup(host);
|
||||||
|
|
||||||
|
/* Initialize the command to execute on remote host. */
|
@ -286,6 +286,8 @@ Patch1016: openssh-9.3p1-openssl-compat.patch
|
|||||||
Patch1017: openssh-9.4p2-limit-delay.patch
|
Patch1017: openssh-9.4p2-limit-delay.patch
|
||||||
#upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
|
#upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
|
||||||
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
||||||
|
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
|
||||||
|
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -508,6 +510,7 @@ popd
|
|||||||
%patch1016 -p1 -b .openssl3compat
|
%patch1016 -p1 -b .openssl3compat
|
||||||
%patch1017 -p1 -b .limitdelay
|
%patch1017 -p1 -b .limitdelay
|
||||||
%patch1018 -p1 -b .cve-2023-48795
|
%patch1018 -p1 -b .cve-2023-48795
|
||||||
|
%patch1019 -p1 -b .cve-2023-51385
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
@ -800,6 +803,8 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
Resolves: CVE-2023-48795
|
Resolves: CVE-2023-48795
|
||||||
- Relax OpenSSH build-time checks for OpenSSL version
|
- Relax OpenSSH build-time checks for OpenSSL version
|
||||||
Related: RHEL-4734
|
Related: RHEL-4734
|
||||||
|
- Forbid shell metasymbols in username/hostname
|
||||||
|
Resolves: CVE-2023-51385
|
||||||
|
|
||||||
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
|
* Mon Oct 23 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-35
|
||||||
- Relax OpenSSH checks for OpenSSL version
|
- Relax OpenSSH checks for OpenSSL version
|
||||||
|
Loading…
Reference in New Issue
Block a user