From 7f708f8d56a3104eb1976f02e10d78226345ddd7 Mon Sep 17 00:00:00 2001 From: des Date: Sat, 12 Mar 2016 23:50:19 +0000 Subject: [PATCH] Apply patch from 7.2p2 for xauth command injection bug. Security: CVE-2016-3115 git-svn-id: svn://svn.freebsd.org/base/stable/9@296780 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- crypto/openssh/session.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index 9fe6a1ad2..17397e6f8 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -48,6 +48,7 @@ __RCSID("$FreeBSD$"); #include +#include #include #include #include @@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -2199,7 +2221,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); -- 2.45.0