[Midnightbsd-cvs] src [7468] stable/0.7: MidnightBSD 0.7.6 RELEASE

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Mar 17 08:36:46 EDT 2016 

Revision: 7468
          http://svnweb.midnightbsd.org/src/?rev=7468
Author:   laffer1
Date:     2016-03-17 08:36:44 -0400 (Thu, 17 Mar 2016)
Log Message:
-----------
        MidnightBSD 0.7.6 RELEASE

        OpenSSH doesn't have the luck of the Irish.

        Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
        run shell commands on the call to xauth.

Modified Paths:
--------------
    stable/0.7/UPDATING
    stable/0.7/crypto/openssh/session.c
    stable/0.7/sys/conf/newvers.sh

Modified: stable/0.7/UPDATING
===================================================================
--- stable/0.7/UPDATING	2016-03-17 12:34:11 UTC (rev 7467)
+++ stable/0.7/UPDATING	2016-03-17 12:36:44 UTC (rev 7468)
@@ -1,5 +1,13 @@
 Updating Information for MidnightBSD users.
 
+20160317:
+	MidnightBSD 0.7.6 RELEASE
+
+	OpenSSH doesn't have the luck of the Irish.
+
+	Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
+	run shell commands on the call to xauth.
+
 20160310:
 	MidnightBSD 0.7.5 RELEASE
 

Modified: stable/0.7/crypto/openssh/session.c
===================================================================
--- stable/0.7/crypto/openssh/session.c	2016-03-17 12:34:11 UTC (rev 7467)
+++ stable/0.7/crypto/openssh/session.c	2016-03-17 12:36:44 UTC (rev 7468)
@@ -46,6 +46,7 @@
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -289,6 +290,21 @@
 	do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+	size_t i;
+
+	for (i = 0; s[i] != '\0'; i++) {
+		if (!isalnum((u_char)s[i]) &&
+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+		    s[i] != '-' && s[i] != '_')
+		return 0;
+	}
+	return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
@@ -362,7 +378,13 @@
 				s->screen = 0;
 			}
 			packet_check_eom();
-			success = session_setup_x11fwd(s);
+			if (xauth_valid_string(s->auth_proto) &&
+			    xauth_valid_string(s->auth_data))
+				success = session_setup_x11fwd(s);
+			else {
+				success = 0;
+				error("Invalid X11 forwarding data");
+			}
 			if (!success) {
 				free(s->auth_proto);
 				free(s->auth_data);
@@ -2183,7 +2205,13 @@
 	s->screen = packet_get_int();
 	packet_check_eom();
 
-	success = session_setup_x11fwd(s);
+	if (xauth_valid_string(s->auth_proto) &&
+	    xauth_valid_string(s->auth_data))
+		success = session_setup_x11fwd(s);
+	else {
+		success = 0;
+		error("Invalid X11 forwarding data");
+	}
 	if (!success) {
 		free(s->auth_proto);
 		free(s->auth_data);

Modified: stable/0.7/sys/conf/newvers.sh
===================================================================
--- stable/0.7/sys/conf/newvers.sh	2016-03-17 12:34:11 UTC (rev 7467)
+++ stable/0.7/sys/conf/newvers.sh	2016-03-17 12:36:44 UTC (rev 7468)
@@ -32,7 +32,7 @@
 # $MidnightBSD$
 
 TYPE="MidnightBSD"
-REVISION="0.7.5"
+REVISION="0.7.6"
 RELEASE="${REVISION}"
 VERSION="${TYPE} ${RELEASE}"
 SYSDIR=$(dirname $0)/..

More information about the Midnightbsd-cvs mailing list