svn commit: r296953 - in releng/9.3: . crypto/openssh sys/amd64/amd64 sys/conf
Gleb Smirnoff
glebius at FreeBSD.org
Wed Mar 16 22:30:04 UTC 2016
Author: glebius
Date: Wed Mar 16 22:30:03 2016
New Revision: 296953
URL: https://svnweb.freebsd.org/changeset/base/296953
Log:
o Fix OpenSSH xauth(1) command injection. [SA-16:14]
o Fix incorrect argument validation in sysarch(2). [SA-16:15]
Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by: so
Modified:
releng/9.3/UPDATING
releng/9.3/crypto/openssh/session.c
releng/9.3/sys/amd64/amd64/sys_machdep.c
releng/9.3/sys/conf/newvers.sh
Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Wed Mar 16 19:46:22 2016 (r296952)
+++ releng/9.3/UPDATING Wed Mar 16 22:30:03 2016 (r296953)
@@ -11,6 +11,12 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20160316 p39 FreeBSD-SA-16:14.openssh-xauth
+ FreeBSD-SA-16:15.sysarch
+
+ Fix OpenSSH xauth(1) command injection. [SA-16:14]
+ Fix incorrect argument validation in sysarch(2). [SA-16:15]
+
20160310 p38 FreeBSD-SA-16:13.bind
FreeBSD-SA-16:12.openssl [revised]
Modified: releng/9.3/crypto/openssh/session.c
==============================================================================
--- releng/9.3/crypto/openssh/session.c Wed Mar 16 19:46:22 2016 (r296952)
+++ releng/9.3/crypto/openssh/session.c Wed Mar 16 22:30:03 2016 (r296953)
@@ -48,6 +48,7 @@ __RCSID("$FreeBSD$");
#include <arpa/inet.h>
+#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
@@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt)
do_cleanup(authctxt);
}
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+ size_t i;
+
+ for (i = 0; s[i] != '\0'; i++) {
+ if (!isalnum((u_char)s[i]) &&
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+ s[i] != '-' && s[i] != '_')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Prepares for an interactive session. This is called after the user has
* been successfully authenticated. During this message exchange, pseudo
@@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt)
s->screen = 0;
}
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
@@ -2199,7 +2221,13 @@ session_x11_req(Session *s)
s->screen = packet_get_int();
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
Modified: releng/9.3/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- releng/9.3/sys/amd64/amd64/sys_machdep.c Wed Mar 16 19:46:22 2016 (r296952)
+++ releng/9.3/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:30:03 2016 (r296953)
@@ -586,8 +586,8 @@ amd64_set_ldt(td, uap, descs)
struct i386_ldt_args *uap;
struct user_segment_descriptor *descs;
{
- int error = 0, i;
- int largest_ld;
+ int error = 0;
+ unsigned int largest_ld, i;
struct mdproc *mdp = &td->td_proc->p_md;
struct proc_ldt *pldt;
struct user_segment_descriptor *dp;
Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh Wed Mar 16 19:46:22 2016 (r296952)
+++ releng/9.3/sys/conf/newvers.sh Wed Mar 16 22:30:03 2016 (r296953)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p38"
+BRANCH="RELEASE-p39"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
More information about the svn-src-releng
mailing list