packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-51385

Browse Source 
(cherry picked from commit 6bac1f41016dd6d7257ed0e0135299f87155a4ec)
This commit is contained in:
renmingshuai 2023-12-25 15:47:33 +08:00 committed by openeuler-sync-bot
parent e287adfc75
commit 17255e7fac
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch Normal file
View File

@ -0,0 +1,100 @@
From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 18 Dec 2023 14:47:44 +0000
Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
Reference:https://anongit.mindrot.org/openssh.git/commit?id=7ef3787c84b6b524501211b11a26c742f829af1a
---
ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/ssh.c b/ssh.c
index 35c48e62d..48d93ddf2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.519 2020/02/07 03:54:44 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -570,6 +570,41 @@ set_addrinfo_port(struct addrinfo *addrs, int port)
}
}
+static int
+valid_hostname(const char *s)
+{
+ size_t i;
+
+ if (*s == '-')
+ return 0;
+ for (i = 0; s[i] != 0; i++) {
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+ return 0;
+ }
+ return 1;
+}
+
+static int
+valid_ruser(const char *s)
+{
+ size_t i;
+
+ if (*s == '-')
+ return 0;
+ for (i = 0; s[i] != 0; i++) {
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ return 0;
+ /* Disallow '-' after whitespace */
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
+ return 0;
+ /* Disallow \ in last position */
+ if (s[i] == '\\' && s[i + 1] == '\0')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Main program for the ssh client.
*/
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
if (!host)
usage();
+ if (!valid_hostname(host))
+ fatal("hostname contains invalid characters");
+ if (options.user != NULL && !valid_ruser(options.user))
+ fatal("remote username contains invalid characters");
host_arg = xstrdup(host);
/* Initialize the command to execute on remote host. */
--
2.23.0

10
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 21 %global openssh_release 22
Name: openssh Name: openssh
Version: 8.2p1 Version: 8.2p1
@ -100,6 +100,7 @@ Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patc
Patch68: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch Patch68: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
Patch69: set-ssh-config.patch Patch69: set-ssh-config.patch
Patch70: backport-fix-CVE-2023-38408-upstream-terminate-process.patch Patch70: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
Patch71: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -272,6 +273,7 @@ popd
%patch68 -p1 %patch68 -p1
%patch69 -p1 %patch69 -p1
%patch70 -p1 %patch70 -p1
%patch71 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-0.10.3
@ -478,6 +480,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-22
- Type:CVE
- CVE:CVE-2023-51385
- SUG:NA
- DESC:fix CVE-2023-51385
* Wed Aug 02 2023 wangqia <wangqia@uniontech.com> - 8.2p1-21 * Wed Aug 02 2023 wangqia <wangqia@uniontech.com> - 8.2p1-21
- CVE:CVE-2023-38408 - CVE:CVE-2023-38408