fix CVE-2023-51385
(cherry picked from commit 6bac1f41016dd6d7257ed0e0135299f87155a4ec)
This commit is contained in:
renmingshuai
openeuler-sync-bot
parent
e287adfc75
commit
17255e7fac
@ -0,0 +1,100 @@
|
||||
From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 18 Dec 2023 14:47:44 +0000
|
||||
Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
|
||||
|
||||
This makes ssh(1) refuse user or host names provided on the
|
||||
commandline that contain most shell metacharacters.
|
||||
|
||||
Some programs that invoke ssh(1) using untrusted data do not filter
|
||||
metacharacters in arguments they supply. This could create
|
||||
interactions with user-specified ProxyCommand and other directives
|
||||
that allow shell injection attacks to occur.
|
||||
|
||||
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
|
||||
but getting this stuff right can be tricky, so this should prevent
|
||||
most obvious ways of creating risky situations. It however is not
|
||||
and cannot be perfect: ssh(1) has no practical way of interpreting
|
||||
what shell quoting rules are in use and how they interact with the
|
||||
user's specified ProxyCommand.
|
||||
|
||||
To allow configurations that use strange user or hostnames to
|
||||
continue to work, this strictness is applied only to names coming
|
||||
from the commandline. Names specified using User or Hostname
|
||||
directives in ssh_config(5) are not affected.
|
||||
|
||||
feedback/ok millert@ markus@ dtucker@ deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
|
||||
|
||||
Reference:https://anongit.mindrot.org/openssh.git/commit?id=7ef3787c84b6b524501211b11a26c742f829af1a
|
||||
---
|
||||
ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 40 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 35c48e62d..48d93ddf2 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: ssh.c,v 1.519 2020/02/07 03:54:44 dtucker Exp $ */
|
||||
+/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -570,6 +570,41 @@ set_addrinfo_port(struct addrinfo *addrs, int port)
|
||||
}
|
||||
}
|
||||
|
||||
+static int
|
||||
+valid_hostname(const char *s)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (*s == '-')
|
||||
+ return 0;
|
||||
+ for (i = 0; s[i] != 0; i++) {
|
||||
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
|
||||
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+valid_ruser(const char *s)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (*s == '-')
|
||||
+ return 0;
|
||||
+ for (i = 0; s[i] != 0; i++) {
|
||||
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
|
||||
+ return 0;
|
||||
+ /* Disallow '-' after whitespace */
|
||||
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
|
||||
+ return 0;
|
||||
+ /* Disallow \ in last position */
|
||||
+ if (s[i] == '\\' && s[i + 1] == '\0')
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Main program for the ssh client.
|
||||
*/
|
||||
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
|
||||
if (!host)
|
||||
usage();
|
||||
|
||||
+ if (!valid_hostname(host))
|
||||
+ fatal("hostname contains invalid characters");
|
||||
+ if (options.user != NULL && !valid_ruser(options.user))
|
||||
+ fatal("remote username contains invalid characters");
|
||||
host_arg = xstrdup(host);
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
--
|
||||
2.23.0
|
||||
|
||||
10
openssh.spec
10
openssh.spec
@ -6,7 +6,7 @@
|
||||
%{?no_gtk2:%global gtk2 0}
|
||||
|
||||
%global sshd_uid 74
|
||||
%global openssh_release 21
|
||||
%global openssh_release 22
|
||||
|
||||
Name: openssh
|
||||
Version: 8.2p1
|
||||
@ -100,6 +100,7 @@ Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patc
|
||||
Patch68: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
|
||||
Patch69: set-ssh-config.patch
|
||||
Patch70: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
|
||||
Patch71: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
|
||||
|
||||
Requires: /sbin/nologin
|
||||
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
|
||||
@ -272,6 +273,7 @@ popd
|
||||
%patch68 -p1
|
||||
%patch69 -p1
|
||||
%patch70 -p1
|
||||
%patch71 -p1
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-0.10.3
|
||||
@ -478,6 +480,12 @@ getent passwd sshd >/dev/null || \
|
||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
|
||||
%changelog
|
||||
* Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-22
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-51385
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-51385
|
||||
|
||||
* Wed Aug 02 2023 wangqia <wangqia@uniontech.com> - 8.2p1-21
|
||||
- CVE:CVE-2023-38408
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user