Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7]: src/crypto/external/bsd/openssh/dist Apply the following chan...
details: https://anonhg.NetBSD.org/src/rev/8a7c2ced70c2
branches: netbsd-7
changeset: 799857:8a7c2ced70c2
user: martin <martin%NetBSD.org@localhost>
date: Fri Mar 11 12:22:42 2016 +0000
description:
Apply the following changes, requested by snj in #1138:
- Refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires. (CVE-2015-5352)
- Fix TTY permissions to not be world-writable. (CVE-2015-6565)
diffstat:
crypto/external/bsd/openssh/dist/channels.c | 20 +++++++++++++++-
crypto/external/bsd/openssh/dist/channels.h | 3 +-
crypto/external/bsd/openssh/dist/clientloop.c | 31 +++++++++++++++++++-------
crypto/external/bsd/openssh/dist/sshpty.c | 6 ++--
4 files changed, 45 insertions(+), 15 deletions(-)
diffs (194 lines):
diff -r d523da979421 -r 8a7c2ced70c2 crypto/external/bsd/openssh/dist/channels.c
--- a/crypto/external/bsd/openssh/dist/channels.c Tue Mar 08 21:32:49 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/channels.c Fri Mar 11 12:22:42 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $ */
+/* $NetBSD: channels.c,v 1.11.4.2 2016/03/11 12:22:42 martin Exp $ */
/* $OpenBSD: channels.c,v 1.341 2015/02/06 23:21:59 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -41,7 +41,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $");
+__RCSID("$NetBSD: channels.c,v 1.11.4.2 2016/03/11 12:22:42 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/param.h> /* MIN MAX */
@@ -163,6 +163,9 @@
static char *x11_saved_data = NULL;
static u_int x11_saved_data_len = 0;
+/* Deadline after which all X11 connections are refused */
+static u_int x11_refuse_time;
+
/*
* Fake X11 authentication data. This is what the server will be sending us;
* we should replace any occurrences of this by the real data.
@@ -938,6 +941,13 @@
u_char *ucp;
u_int proto_len, data_len;
+ /* Is this being called after the refusal deadline? */
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return -1;
+ }
+
/* Check if the fixed size part of the packet is in buffer. */
if (buffer_len(b) < 12)
return 0;
@@ -1509,6 +1519,12 @@
error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
}
+void
+channel_set_x11_refuse_time(u_int refuse_time)
+{
+ x11_refuse_time = refuse_time;
+}
+
/*
* This socket is listening for connections to a forwarded TCP/IP port.
*/
diff -r d523da979421 -r 8a7c2ced70c2 crypto/external/bsd/openssh/dist/channels.h
--- a/crypto/external/bsd/openssh/dist/channels.h Tue Mar 08 21:32:49 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/channels.h Fri Mar 11 12:22:42 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: channels.h,v 1.8.4.1 2015/04/30 06:07:30 riz Exp $ */
+/* $NetBSD: channels.h,v 1.8.4.2 2016/03/11 12:22:42 martin Exp $ */
/* $OpenBSD: channels.h,v 1.116 2015/01/19 20:07:45 markus Exp $ */
/*
@@ -287,6 +287,7 @@
/* x11 forwarding */
+void channel_set_x11_refuse_time(u_int);
int x11_connect_display(void);
int x11_create_display_inet(int, int, int, u_int *, int **);
int x11_input_open(int, u_int32_t, void *);
diff -r d523da979421 -r 8a7c2ced70c2 crypto/external/bsd/openssh/dist/clientloop.c
--- a/crypto/external/bsd/openssh/dist/clientloop.c Tue Mar 08 21:32:49 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/clientloop.c Fri Mar 11 12:22:42 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $ */
+/* $NetBSD: clientloop.c,v 1.10.4.2 2016/03/11 12:22:42 martin Exp $ */
/* $OpenBSD: clientloop.c,v 1.272 2015/02/25 19:54:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -61,7 +61,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $");
+__RCSID("$NetBSD: clientloop.c,v 1.10.4.2 2016/03/11 12:22:42 martin Exp $");
#include <sys/param.h> /* MIN MAX */
#include <sys/types.h>
@@ -159,7 +159,7 @@
static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
static int session_closed; /* In SSH2: login session closed. */
-static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
+static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
@@ -294,7 +294,8 @@
return 1;
}
-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define X11_TIMEOUT_SLACK 60
void
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, u_int timeout, char **_proto, char **_data)
@@ -307,7 +308,7 @@
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
struct stat st;
- u_int now;
+ u_int now, x11_timeout_real;
xauthdir = xauthfile = NULL;
*_proto = proto;
@@ -340,6 +341,15 @@
xauthdir = xmalloc(PATH_MAX);
xauthfile = xmalloc(PATH_MAX);
mktemp_proto(xauthdir, PATH_MAX);
+ /*
+ * The authentication cookie should briefly outlive
+ * ssh's willingness to forward X11 connections to
+ * avoid nasty fail-open behaviour in the X server.
+ */
+ if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+ x11_timeout_real = UINT_MAX;
+ else
+ x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
@@ -347,17 +357,20 @@
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout %u 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display, timeout);
+ xauth_path, xauthfile, display,
+ x11_timeout_real);
debug2("x11_get_proto: %s", cmd);
- if (system(cmd) == 0)
- generated = 1;
if (x11_refuse_time == 0) {
now = monotime() + 1;
if (UINT_MAX - timeout < now)
x11_refuse_time = UINT_MAX;
else
x11_refuse_time = now + timeout;
+ channel_set_x11_refuse_time(
+ x11_refuse_time);
}
+ if (system(cmd) == 0)
+ generated = 1;
}
}
@@ -1886,7 +1899,7 @@
"malicious server.");
return NULL;
}
- if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
verbose("Rejected X11 connection after ForwardX11Timeout "
"expired");
return NULL;
diff -r d523da979421 -r 8a7c2ced70c2 crypto/external/bsd/openssh/dist/sshpty.c
--- a/crypto/external/bsd/openssh/dist/sshpty.c Tue Mar 08 21:32:49 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/sshpty.c Fri Mar 11 12:22:42 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $ */
+/* $NetBSD: sshpty.c,v 1.2.26.2 2016/03/11 12:22:42 martin Exp $ */
/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $");
+__RCSID("$NetBSD: sshpty.c,v 1.2.26.2 2016/03/11 12:22:42 martin Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -145,7 +145,7 @@
/* Determine the group to make the owner of the tty. */
grp = getgrnam("tty");
gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
- mode = (grp != NULL) ? 0622 : 0600;
+ mode = (grp != NULL) ? 0620 : 0600;
/*
* Change owner and mode of the tty as required.
Home |
Main Index |
Thread Index |
Old Index