forked from rpms/openssh
c9833c96a4
- use libedit in sftp (#203009) - fixed audit log injection problem (CVE-2007-3102)
63 lines
1.6 KiB
Diff
63 lines
1.6 KiB
Diff
--- openssh-4.3p2/loginrec.c.inject-fix 2007-06-20 21:18:00.000000000 +0200
|
|
+++ openssh-4.3p2/loginrec.c 2007-07-13 15:25:35.000000000 +0200
|
|
@@ -1389,11 +1389,44 @@
|
|
#endif /* USE_WTMPX */
|
|
|
|
#ifdef HAVE_LINUX_AUDIT
|
|
+static void
|
|
+_audit_hexscape(const char *what, char *where, unsigned int size)
|
|
+{
|
|
+ const char *ptr = what;
|
|
+ const char *hex = "0123456789ABCDEF";
|
|
+
|
|
+ while (*ptr) {
|
|
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
|
|
+ unsigned int i;
|
|
+ ptr = what;
|
|
+ for (i = 0; *ptr && i+2 < size; i += 2) {
|
|
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
|
|
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
|
|
+ ptr++;
|
|
+ }
|
|
+ where[i] = '\0';
|
|
+ return;
|
|
+ }
|
|
+ ptr++;
|
|
+ }
|
|
+ where[0] = '"';
|
|
+ if ((unsigned)(ptr - what) < size - 3)
|
|
+ {
|
|
+ size = ptr - what + 3;
|
|
+ }
|
|
+ strncpy(where + 1, what, size - 3);
|
|
+ where[size-2] = '"';
|
|
+ where[size-1] = '\0';
|
|
+}
|
|
+
|
|
+#define AUDIT_LOG_SIZE 128
|
|
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
|
|
+
|
|
int
|
|
linux_audit_record_event(int uid, const char *username,
|
|
const char *hostname, const char *ip, const char *ttyn, int success)
|
|
{
|
|
- char buf[64];
|
|
+ char buf[AUDIT_LOG_SIZE];
|
|
int audit_fd, rc;
|
|
|
|
audit_fd = audit_open();
|
|
@@ -1406,8 +1439,11 @@
|
|
}
|
|
if (username == NULL)
|
|
snprintf(buf, sizeof(buf), "uid=%d", uid);
|
|
- else
|
|
- snprintf(buf, sizeof(buf), "acct=%s", username);
|
|
+ else {
|
|
+ char encoded[AUDIT_ACCT_SIZE];
|
|
+ _audit_hexscape(username, encoded, sizeof(encoded));
|
|
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
|
|
+ }
|
|
rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
|
buf, hostname, ip, ttyn, success);
|
|
close(audit_fd);
|