diff --git a/openssh-9.6p1-CVE-2023-51385.patch b/openssh-9.6p1-CVE-2023-51385.patch new file mode 100644 index 0000000000000000000000000000000000000000..8a422054f4e82e1f3f39dce1c7facc11500d35a2 --- /dev/null +++ b/openssh-9.6p1-CVE-2023-51385.patch @@ -0,0 +1,89 @@ +From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 18 Dec 2023 14:47:44 +0000 +Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters + +This makes ssh(1) refuse user or host names provided on the +commandline that contain most shell metacharacters. + +Some programs that invoke ssh(1) using untrusted data do not filter +metacharacters in arguments they supply. This could create +interactions with user-specified ProxyCommand and other directives +that allow shell injection attacks to occur. + +It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, +but getting this stuff right can be tricky, so this should prevent +most obvious ways of creating risky situations. It however is not +and cannot be perfect: ssh(1) has no practical way of interpreting +what shell quoting rules are in use and how they interact with the +user's specified ProxyCommand. + +To allow configurations that use strange user or hostnames to +continue to work, this strictness is applied only to names coming +from the commandline. Names specified using User or Hostname +directives in ssh_config(5) are not affected. + +feedback/ok millert@ markus@ dtucker@ deraadt@ + +OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 +--- + ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/ssh.c b/ssh.c +index 35c48e62d18..48d93ddf2a9 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) + free(cinfo); + } + ++static int ++valid_hostname(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || ++ isspace((u_char)s[i]) || iscntrl((u_char)s[i])) ++ return 0; ++ } ++ return 1; ++} ++ ++static int ++valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\";&<>|(){}", s[i]) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)s[i]) && s[i + 1] == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (s[i] == '\\' && s[i + 1] == '\0') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Main program for the ssh client. + */ +@@ -1118,6 +1153,10 @@ main(int ac, char **av) + if (!host) + usage(); + ++ if (!valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ if (options.user != NULL && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); + host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ diff --git a/openssh.spec b/openssh.spec index 38c0430c6a0d7c4de0fce26ba56138c8418f2b8a..8073763a2799054153589dd734f18d8339a90099 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,4 @@ -%define anolis_release 10 +%define anolis_release 11 %global _hardened_build 1 %global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin @@ -89,6 +89,7 @@ Patch348: openssh-6.7p1-coverity.patch Patch349: add-loongarch64-support-for-openssh.patch Patch350: openssh-8.7p1-CVE-2023-25136.patch Patch351: openssh-9.3p1-upstream-cve-2023-38408.patch +Patch352: openssh-9.6p1-CVE-2023-51385.patch BuildRequires: autoconf automake make gcc BuildRequires: perl-interpreter perl-generators perl-podlators @@ -445,6 +446,9 @@ test -f %{sysconfig_anaconda} && \ %doc CREDITS ChangeLog OVERVIEW PROTOCOL* TODO %changelog +* Thu Dec 28 2023 Caspar Zhang - 9.0p1-11 +- Fix CVE-2023-51385 + * Wed Dec 27 2023 mgb01105731 - 9.0p1-10 - rebuild @@ -472,7 +476,7 @@ test -f %{sysconfig_anaconda} && \ * Fri Feb 17 2023 Funda Wang - 9.0p1-2 - Add switch for libfido2 support - + * Thu Feb 02 2023 happy_orange - 9.0p1-1 - update to 9.0p1