Add a test for CVE-2019-14889
This commit is contained in:
Anderson Toshiyuki Sasaki
parent
d972dc3e47
commit
4820ae9761
125
libssh-0.9.4-add-cve-2019-14889-test.patch
Normal file
125
libssh-0.9.4-add-cve-2019-14889-test.patch
Normal file
@ -0,0 +1,125 @@
|
|||||||
|
From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||||
|
Date: Fri, 19 Jun 2020 11:59:33 +0200
|
||||||
|
Subject: [PATCH] tests: Add test for CVE-2019-14889
|
||||||
|
|
||||||
|
The test checks if a command appended to the file path is not executed.
|
||||||
|
|
||||||
|
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
|
---
|
||||||
|
tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 84 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c
|
||||||
|
index 8f080af3..59a00bae 100644
|
||||||
|
--- a/tests/client/torture_scp.c
|
||||||
|
+++ b/tests/client/torture_scp.c
|
||||||
|
@@ -37,6 +37,7 @@
|
||||||
|
#define BUF_SIZE 1024
|
||||||
|
|
||||||
|
#define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
|
||||||
|
+#define ALICE_HOME BINARYDIR "/tests/home/alice"
|
||||||
|
|
||||||
|
struct scp_st {
|
||||||
|
struct torture_state *s;
|
||||||
|
@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)
|
||||||
|
fclose(file);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void torture_scp_upload_appended_command(void **state)
|
||||||
|
+{
|
||||||
|
+ struct scp_st *ts = NULL;
|
||||||
|
+ struct torture_state *s = NULL;
|
||||||
|
+
|
||||||
|
+ ssh_session session = NULL;
|
||||||
|
+ ssh_scp scp = NULL;
|
||||||
|
+
|
||||||
|
+ FILE *file = NULL;
|
||||||
|
+
|
||||||
|
+ char buf[1024];
|
||||||
|
+ char *rs = NULL;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ assert_non_null(state);
|
||||||
|
+ ts = *state;
|
||||||
|
+
|
||||||
|
+ assert_non_null(ts->s);
|
||||||
|
+ s = ts->s;
|
||||||
|
+
|
||||||
|
+ session = s->ssh.session;
|
||||||
|
+ assert_non_null(session);
|
||||||
|
+
|
||||||
|
+ assert_non_null(ts->tmp_dir_basename);
|
||||||
|
+ assert_non_null(ts->tmp_dir);
|
||||||
|
+
|
||||||
|
+ /* Upload a file path with a command appended */
|
||||||
|
+
|
||||||
|
+ /* Append a command to the file path */
|
||||||
|
+ snprintf(buf, BUF_SIZE, "%s"
|
||||||
|
+ "/;touch hack",
|
||||||
|
+ ts->tmp_dir);
|
||||||
|
+
|
||||||
|
+ /* When writing the file_name must be the directory name */
|
||||||
|
+ scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
|
||||||
|
+ buf);
|
||||||
|
+ assert_non_null(scp);
|
||||||
|
+
|
||||||
|
+ rc = ssh_scp_init(scp);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* Push directory where the new file will be copied */
|
||||||
|
+ rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* Try to push file */
|
||||||
|
+ rc = ssh_scp_push_file(scp, "original", 8, 0644);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_scp_write(scp, "original", 8);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* Leave the directory */
|
||||||
|
+ rc = ssh_scp_leave_directory(scp);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* Cleanup */
|
||||||
|
+ ssh_scp_close(scp);
|
||||||
|
+ ssh_scp_free(scp);
|
||||||
|
+
|
||||||
|
+ /* Make sure the command was not executed */
|
||||||
|
+ snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
|
||||||
|
+ file = fopen(buf, "r");
|
||||||
|
+ assert_null(file);
|
||||||
|
+
|
||||||
|
+ /* Open the file and check content */
|
||||||
|
+ snprintf(buf, BUF_SIZE, "%s"
|
||||||
|
+ "/;touch hack/original",
|
||||||
|
+ ts->tmp_dir);
|
||||||
|
+
|
||||||
|
+ file = fopen(buf, "r");
|
||||||
|
+ assert_non_null(file);
|
||||||
|
+
|
||||||
|
+ rs = fgets(buf, 1024, file);
|
||||||
|
+ assert_non_null(rs);
|
||||||
|
+ assert_string_equal(buf, "original");
|
||||||
|
+
|
||||||
|
+ fclose(file);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int torture_run_tests(void)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
@@ -559,6 +640,9 @@ int torture_run_tests(void)
|
||||||
|
cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
|
||||||
|
session_setup,
|
||||||
|
session_teardown),
|
||||||
|
+ cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
|
||||||
|
+ session_setup,
|
||||||
|
+ session_teardown),
|
||||||
|
};
|
||||||
|
|
||||||
|
ssh_init();
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
||||||
@ -14,6 +14,7 @@ Source4: libssh_server.config
|
|||||||
Patch0: libssh-0.9.4-enable-sshd-sha1-algorithms.patch
|
Patch0: libssh-0.9.4-enable-sshd-sha1-algorithms.patch
|
||||||
Patch1: libssh-0.9.4-fix-version.patch
|
Patch1: libssh-0.9.4-fix-version.patch
|
||||||
Patch2: libssh-0.9.4-do-not-return-error-server-closed-channel.patch
|
Patch2: libssh-0.9.4-do-not-return-error-server-closed-channel.patch
|
||||||
|
Patch3: libssh-0.9.4-add-cve-2019-14889-test.patch
|
||||||
|
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -140,6 +141,7 @@ popd
|
|||||||
%changelog
|
%changelog
|
||||||
* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
|
* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
|
||||||
- Do not return error when server properly closed the channel (#1849069)
|
- Do not return error when server properly closed the channel (#1849069)
|
||||||
|
- Add a test for CVE-2019-14889
|
||||||
|
|
||||||
* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
|
* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
|
||||||
- Added patch to fix returned version
|
- Added patch to fix returned version
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user