diff options
| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-03-16 22:30:03 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-03-16 22:30:03 +0000 |
| commit | 67072943b9d889c15a87cfa09a1b9c76d4ce880d (patch) | |
| tree | 7894346ff466c908905d113e5a6d604b9a6b8325 | |
| parent | 0ee18279162e4d74c3b974cf4882f5b51f0113a7 (diff) | |
Notes
| -rw-r--r-- | UPDATING | 6 | ||||
| -rw-r--r-- | crypto/openssh/session.c | 32 | ||||
| -rw-r--r-- | sys/amd64/amd64/sys_machdep.c | 4 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 |
4 files changed, 39 insertions, 5 deletions
@@ -11,6 +11,12 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20160316 p39 FreeBSD-SA-16:14.openssh-xauth + FreeBSD-SA-16:15.sysarch + + Fix OpenSSH xauth(1) command injection. [SA-16:14] + Fix incorrect argument validation in sysarch(2). [SA-16:15] + 20160310 p38 FreeBSD-SA-16:13.bind FreeBSD-SA-16:12.openssl [revised] diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index 9fe6a1ad26a6..17397e6f8c72 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -48,6 +48,7 @@ __RCSID("$FreeBSD$"); #include <arpa/inet.h> +#include <ctype.h> #include <errno.h> #include <fcntl.h> #include <grp.h> @@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -2199,7 +2221,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c index a9e7a895d9a1..cb2b31e8cb34 100644 --- a/sys/amd64/amd64/sys_machdep.c +++ b/sys/amd64/amd64/sys_machdep.c @@ -586,8 +586,8 @@ amd64_set_ldt(td, uap, descs) struct i386_ldt_args *uap; struct user_segment_descriptor *descs; { - int error = 0, i; - int largest_ld; + int error = 0; + unsigned int largest_ld, i; struct mdproc *mdp = &td->td_proc->p_md; struct proc_ldt *pldt; struct user_segment_descriptor *dp; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 6780b8c1b6de..ece0904319f3 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p38" +BRANCH="RELEASE-p39" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi |