Verify SCP vulnerabilities are fixed in the package testsuite

This commit is contained in:
Jakub Jelen 2019-05-10 14:34:35 +02:00
parent b33caef080
commit 4feb6a973f
2 changed files with 65 additions and 0 deletions

View File

@ -0,0 +1,61 @@
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index 59f1ff63..dd48a482 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -51,6 +51,18 @@ badserver_4)
echo "C755 2 file"
echo "X"
;;
+badserver_5)
+ echo "D0555 0 "
+ echo "X"
+ ;;
+badserver_6)
+ echo "D0555 0 ."
+ echo "X"
+ ;;
+badserver_7)
+ echo "C0755 2 extrafile"
+ echo "X"
+ ;;
*)
set -- $arg
shift
diff --git a/regress/scp.sh b/regress/scp.sh
index 57cc7706..104c89e1 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -25,6 +25,7 @@ export SCP # used in scp-ssh-wrapper.scp
scpclean() {
rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
mkdir ${DIR} ${DIR2}
+ chmod 755 ${DIR} ${DIR2}
}
verbose "$tid: simple copy local file to local file"
@@ -101,7 +102,7 @@ if [ ! -z "$SUDO" ]; then
$SUDO rm ${DIR2}/copy
fi
-for i in 0 1 2 3 4; do
+for i in 0 1 2 3 4 5 6 7; do
verbose "$tid: disallow bad server #$i"
SCPTESTMODE=badserver_$i
export DIR SCPTESTMODE
@@ -113,6 +114,15 @@ for i in 0 1 2 3 4; do
scpclean
$SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
+
+ scpclean
+ $SCP -pr $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
+ [ ! -w ${DIR2} ] && fail "allows target root attribute change"
+
+ scpclean
+ $SCP $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
+ [ -e ${DIR2}/extrafile ] && fail "allows extranous object creation"
+ rm -f ${DIR2}/extrafile
done
verbose "$tid: detect non-directory target"

View File

@ -207,6 +207,9 @@ Patch953: openssh-7.8p1-scp-ipv6.patch
Patch958: openssh-7.9p1-ssh-copy-id.patch Patch958: openssh-7.9p1-ssh-copy-id.patch
# Update cached passwd structure after PAM authentication (#1674541) # Update cached passwd structure after PAM authentication (#1674541)
Patch960: openssh-7.9p1-updated-cached-pw.patch Patch960: openssh-7.9p1-updated-cached-pw.patch
# Verify the SCP vulnerabilities are fixed in the package testsuite
# https://bugzilla.mindrot.org/show_bug.cgi?id=3007
Patch961: openssh-8.0p1-scp-tests.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -410,6 +413,7 @@ popd
%patch953 -p1 -b .scp-ipv6 %patch953 -p1 -b .scp-ipv6
%patch958 -p1 -b .ssh-copy-id %patch958 -p1 -b .ssh-copy-id
%patch960 -p1 -b .update-pw %patch960 -p1 -b .update-pw
%patch961 -p1 -b .scp-tests
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race