rpms/libssh
7
0
Fork 0
Code Issues Pull Requests Releases Activity
ec4b113c4d
libssh/escape-brackets-in-proxycommand.patch
Sahana Prasad ec4b113c4d Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP) 
Fix CVE-2023-6918 Missing checks for return values for digests
Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
of malicious code through hostname
Resolves: RHEL-19310, RHEL-19691, RHEL-17245

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-01-10 18:05:37 +01:00

95 lines
4.0 KiB
Diff
Raw Blame History

From bccb8513fa4a836aef0519d65eb33bb212606fe1 Mon Sep 17 00:00:00 2001
From: Thomas Baag <libssh-git@spam.b2ag.de>
Date: Wed, 21 Sep 2022 20:55:27 +0200
Subject: [PATCH] config: Escape brackets in ProxyCommand build from ProxyJump
Missing escaping results in syntax errors in Zsh shell because of square
brackets getting interpreted as being a pattern for globbing.
Signed-off-by: Thomas Baag <libssh-git@spam.b2ag.de>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
src/config.c | 2 +-
tests/unittests/torture_config.c | 14 +++++++-------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/config.c b/src/config.c
index c048418ec..308928429 100644
--- a/src/config.c
+++ b/src/config.c
@@ -491,7 +491,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
if (hostname != NULL && do_parsing) {
char com[512] = {0};
- rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W [%%h]:%%p %s",
+ rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W '[%%h]:%%p' %s",
username ? " -l " : "",
username ? username : "",
port ? " -p " : "",
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index 31dadae37..5ff20c99a 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -649,7 +649,7 @@ static void torture_config_unknown(void **state,
/* test corner cases */
_parse_config(session, file, string, SSH_OK);
assert_string_equal(session->opts.ProxyCommand,
- "ssh -W [%h]:%p many-spaces.com");
+ "ssh -W '[%h]:%p' many-spaces.com");
assert_string_equal(session->opts.host, "equal.sign");
ret = ssh_config_parse_file(session, "/etc/ssh/ssh_config");
@@ -945,28 +945,28 @@ static void torture_config_proxyjump(void **state,
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "simple");
_parse_config(session, file, string, SSH_OK);
- assert_string_equal(session->opts.ProxyCommand, "ssh -W [%h]:%p jumpbox");
+ assert_string_equal(session->opts.ProxyCommand, "ssh -W '[%h]:%p' jumpbox");
/* With username */
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "user");
_parse_config(session, file, string, SSH_OK);
assert_string_equal(session->opts.ProxyCommand,
- "ssh -l user -W [%h]:%p jumpbox");
+ "ssh -l user -W '[%h]:%p' jumpbox");
/* With port */
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "port");
_parse_config(session, file, string, SSH_OK);
assert_string_equal(session->opts.ProxyCommand,
- "ssh -p 2222 -W [%h]:%p jumpbox");
+ "ssh -p 2222 -W '[%h]:%p' jumpbox");
/* Two step jump */
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "two-step");
_parse_config(session, file, string, SSH_OK);
assert_string_equal(session->opts.ProxyCommand,
- "ssh -l u1 -p 222 -J u2@second:33 -W [%h]:%p first");
+ "ssh -l u1 -p 222 -J u2@second:33 -W '[%h]:%p' first");
/* none */
torture_reset_config(session);
@@ -985,14 +985,14 @@ static void torture_config_proxyjump(void **state,
ssh_options_set(session, SSH_OPTIONS_HOST, "only-jump");
_parse_config(session, file, string, SSH_OK);
assert_string_equal(session->opts.ProxyCommand,
- "ssh -W [%h]:%p jumpbox");
+ "ssh -W '[%h]:%p' jumpbox");
/* IPv6 address */
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "ipv6");
_parse_config(session, file, string, SSH_OK);
assert_string_equal(session->opts.ProxyCommand,
- "ssh -W [%h]:%p 2620:52:0::fed");
+ "ssh -W '[%h]:%p' 2620:52:0::fed");
/* Multiple @ is allowed in second jump */
config = "Host allowed-hostname\n"
--
GitLab
Reference in New Issue View Git Blame Copy Permalink