From 61a590faaf5fd20d4dabc60927f7b12798d79fb7 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Wed, 20 Dec 2023 12:20:37 +0100
Subject: [PATCH] Forbid shell metasymbols in username/hostname

Resolves: RHEL-19788
---
 openssh-9.6p1-CVE-2023-51385.patch | 57 ++++++++++++++++++++++++++++++
 openssh.spec                       |  5 +++
 2 files changed, 62 insertions(+)
 create mode 100644 openssh-9.6p1-CVE-2023-51385.patch

diff --git a/openssh-9.6p1-CVE-2023-51385.patch b/openssh-9.6p1-CVE-2023-51385.patch
new file mode 100644
index 0000000..a7e6a32
--- /dev/null
+++ b/openssh-9.6p1-CVE-2023-51385.patch
@@ -0,0 +1,57 @@
+diff --git a/ssh.c b/ssh.c
+index 35c48e62..48d93ddf 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
+ 	}
+ }
+ 
++static int
++valid_hostname(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++			return 0;
++	}
++	return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++			return 0;
++		/* Disallow '-' after whitespace */
++		if (isspace((u_char)s[i]) && s[i + 1] == '-')
++			return 0;
++		/* Disallow \ in last position */
++		if (s[i] == '\\' && s[i + 1] == '\0')
++			return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1118,6 +1153,10 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
++	if (!valid_hostname(host))
++		fatal("hostname contains invalid characters");
++	if (options.user != NULL && !valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
+ 	host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
diff --git a/openssh.spec b/openssh.spec
index 7b4c146..3deccc1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -288,6 +288,8 @@ Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 Patch1017: openssh-9.4p2-limit-delay.patch
 #upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
+#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
+Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 
 License: BSD
 Group: Applications/Internet
@@ -533,6 +535,7 @@ popd
 %patch1015 -p1 -b .cve-2023-38408
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
+%patch1019 -p1 -b .cve-2023-51385
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -821,6 +824,8 @@ getent passwd sshd >/dev/null || \
 * Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-22
 - Fix Terrapin attack
   Resolves: RHEL-19308
+- Forbid shell metasymbols in username/hostname
+  Resolves: RHEL-19788
 
 * Tue Nov 07 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-21
 - Using DigestSign/DigestVerify functions for better FIPS compatibility