[src/netbsd-7-0]: src/crypto/external/bsd/openssh/dist Apply the following ch...
details: https://anonhg.NetBSD.org/src/rev/a3dc130e8370
branches: netbsd-7-0
changeset: 801159:a3dc130e8370
user: martin <martin%NetBSD.org@localhost>
date: Fri Mar 11 12:23:58 2016 +0000
description:
Apply the following changes, requested by snj in #1138:
- Refuse ForwardX11Trusted=no connections attempted after
ForwardX11Timeout expires. (CVE-2015-5352)
- Fix TTY permissions to not be world-writable. (CVE-2015-6565)
diffstat:
crypto/external/bsd/openssh/dist/channels.c | 20 +++++++++++++++-
crypto/external/bsd/openssh/dist/channels.h | 3 +-
crypto/external/bsd/openssh/dist/clientloop.c | 31 +++++++++++++++++++-------
crypto/external/bsd/openssh/dist/sshpty.c | 6 ++--
4 files changed, 45 insertions(+), 15 deletions(-)
diffs (194 lines):
diff -r 631d1d582357 -r a3dc130e8370 crypto/external/bsd/openssh/dist/channels.c
--- a/crypto/external/bsd/openssh/dist/channels.c Tue Mar 08 21:41:06 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/channels.c Fri Mar 11 12:23:58 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $ */
+/* $NetBSD: channels.c,v 1.11.4.1.2.1 2016/03/11 12:23:58 martin Exp $ */
/* $OpenBSD: channels.c,v 1.341 2015/02/06 23:21:59 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -41,7 +41,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $");
+__RCSID("$NetBSD: channels.c,v 1.11.4.1.2.1 2016/03/11 12:23:58 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/param.h> /* MIN MAX */
@@ -163,6 +163,9 @@
static char *x11_saved_data = NULL;
static u_int x11_saved_data_len = 0;
+/* Deadline after which all X11 connections are refused */
+static u_int x11_refuse_time;
+
/*
* Fake X11 authentication data. This is what the server will be sending us;
* we should replace any occurrences of this by the real data.
@@ -938,6 +941,13 @@
u_char *ucp;
u_int proto_len, data_len;
+ /* Is this being called after the refusal deadline? */
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return -1;
+ }
+
/* Check if the fixed size part of the packet is in buffer. */
if (buffer_len(b) < 12)
return 0;
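Review bot: The deadline check added at the top of this packet-parsing path has no comment saying why it is needed in addition to the open-request check in clientloop.c, and the two checks are easy to confuse or "deduplicate" later. I would expand the comment to `/* Refuse even connections whose open request passed the clientloop.c check but whose X11 data arrives after the ForwardX11Timeout deadline; 0 means no deadline. */`. The `(u_int)monotime()` narrowing here and in the clientloop.c hunk matches the u_int deadline handed over by channel_set_x11_refuse_time, so the comparison stays consistent only while both sides remain u_int. The enclosing function starts and ends outside the hunk.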
@@ -1509,6 +1519,12 @@
error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
}
+void
+channel_set_x11_refuse_time(u_int refuse_time)
+{
+ x11_refuse_time = refuse_time;
+}
+
/*
* This socket is listening for connections to a forwarded TCP/IP port.
*/
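Review bot: channel_set_x11_refuse_time becomes a public entry point (declared in channels.h in this commit) with no comment on its contract; the meaning of 0 is only implied by the `x11_refuse_time != 0` test in the earlier hunk. I would add above it `/* Set the monotime() deadline after which new X11 connections are refused; 0 (the default) disables the check. */`. Since channels.c is presumably also linked into sshd, where nothing on this page calls the setter, the static stays 0 there and the check is a no-op, which is worth stating in the same comment.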
diff -r 631d1d582357 -r a3dc130e8370 crypto/external/bsd/openssh/dist/channels.h
--- a/crypto/external/bsd/openssh/dist/channels.h Tue Mar 08 21:41:06 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/channels.h Fri Mar 11 12:23:58 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: channels.h,v 1.8.4.1 2015/04/30 06:07:30 riz Exp $ */
+/* $NetBSD: channels.h,v 1.8.4.1.2.1 2016/03/11 12:23:58 martin Exp $ */
/* $OpenBSD: channels.h,v 1.116 2015/01/19 20:07:45 markus Exp $ */
/*
@@ -287,6 +287,7 @@
/* x11 forwarding */
+void channel_set_x11_refuse_time(u_int);
int x11_connect_display(void);
int x11_create_display_inet(int, int, int, u_int *, int **);
int x11_input_open(int, u_int32_t, void *);
diff -r 631d1d582357 -r a3dc130e8370 crypto/external/bsd/openssh/dist/clientloop.c
--- a/crypto/external/bsd/openssh/dist/clientloop.c Tue Mar 08 21:41:06 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/clientloop.c Fri Mar 11 12:23:58 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $ */
+/* $NetBSD: clientloop.c,v 1.10.4.1.2.1 2016/03/11 12:23:58 martin Exp $ */
/* $OpenBSD: clientloop.c,v 1.272 2015/02/25 19:54:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -61,7 +61,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $");
+__RCSID("$NetBSD: clientloop.c,v 1.10.4.1.2.1 2016/03/11 12:23:58 martin Exp $");
#include <sys/param.h> /* MIN MAX */
#include <sys/types.h>
@@ -159,7 +159,7 @@
static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
static int session_closed; /* In SSH2: login session closed. */
-static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
+static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
@@ -294,7 +294,8 @@
return 1;
}
-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define X11_TIMEOUT_SLACK 60
void
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, u_int timeout, char **_proto, char **_data)
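Review bot: X11_TIMEOUT_SLACK is defined as a bare 60 with no unit or rationale at its definition; the explanation only appears in a later hunk's block comment inside client_x11_get_proto. A trailing comment keeps the constant self-explanatory, e.g. `#define X11_TIMEOUT_SLACK 60 /* seconds the xauth cookie outlives ssh's forwarding deadline */`. The client_x11_get_proto definition that follows continues outside the hunk.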
@@ -307,7 +308,7 @@
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
struct stat st;
- u_int now;
+ u_int now, x11_timeout_real;
xauthdir = xauthfile = NULL;
*_proto = proto;
@@ -340,6 +341,15 @@
xauthdir = xmalloc(PATH_MAX);
xauthfile = xmalloc(PATH_MAX);
mktemp_proto(xauthdir, PATH_MAX);
+ /*
+ * The authentication cookie should briefly outlive
+ * ssh's willingness to forward X11 connections to
+ * avoid nasty fail-open behaviour in the X server.
+ */
+ if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+ x11_timeout_real = UINT_MAX;
+ else
+ x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
@@ -347,17 +357,20 @@
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout %u 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display, timeout);
+ xauth_path, xauthfile, display,
+ x11_timeout_real);
debug2("x11_get_proto: %s", cmd);
- if (system(cmd) == 0)
- generated = 1;
if (x11_refuse_time == 0) {
now = monotime() + 1;
if (UINT_MAX - timeout < now)
x11_refuse_time = UINT_MAX;
else
x11_refuse_time = now + timeout;
+ channel_set_x11_refuse_time(
+ x11_refuse_time);
}
+ if (system(cmd) == 0)
+ generated = 1;
}
}
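Review bot: Moving `system(cmd)` below the x11_refuse_time computation is the behavioural core of this hunk, but nothing in the code says why, so a later cleanup could swap the order back. I would add before the `if (x11_refuse_time == 0)` block a comment such as `/* Arm the refusal deadline before xauth runs, so ssh stops forwarding before the cookie (valid for timeout + X11_TIMEOUT_SLACK) expires. */`. Separately, the `snprintf` at the top of the hunk has no visible truncation check before the command reaches `system()`; unless the caller bounds display and xauth_path elsewhere, a truncated command string would still be handed to the shell, so checking the return value is cheap insurance. The enclosing function continues outside the hunk.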
@@ -1886,7 +1899,7 @@
"malicious server.");
return NULL;
}
- if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
verbose("Rejected X11 connection after ForwardX11Timeout "
"expired");
return NULL;
diff -r 631d1d582357 -r a3dc130e8370 crypto/external/bsd/openssh/dist/sshpty.c
--- a/crypto/external/bsd/openssh/dist/sshpty.c Tue Mar 08 21:41:06 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/sshpty.c Fri Mar 11 12:23:58 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $ */
+/* $NetBSD: sshpty.c,v 1.2.26.1.2.1 2016/03/11 12:23:58 martin Exp $ */
/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $");
+__RCSID("$NetBSD: sshpty.c,v 1.2.26.1.2.1 2016/03/11 12:23:58 martin Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -145,7 +145,7 @@
/* Determine the group to make the owner of the tty. */
grp = getgrnam("tty");
gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
- mode = (grp != NULL) ? 0622 : 0600;
+ mode = (grp != NULL) ? 0620 : 0600;
/*
* Change owner and mode of the tty as required.
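Review bot: The new mode 0620 is a bare octal literal next to 0600, and the reason the group write bit is kept is not recorded; the next reader may "tighten" it to 0600 or reintroduce the world-writable bit this commit removes. I would extend the line to `mode = (grp != NULL) ? 0620 : 0600; /* group "tty" keeps write (write(1)/wall); never world-writable */` — presumably that is the intent, since the group is looked up by name just above. The enclosing function starts and ends outside the hunk.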