rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone

Blame SOURCES/openssh-6.6p1-fallback-X11-untrusted.patch

69acbb
From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
69acbb
From: "mmcc@openbsd.org" <mmcc@openbsd.org>
69acbb
Date: Tue, 20 Oct 2015 03:36:35 +0000
69acbb
Subject: upstream commit
69acbb
69acbb
Replace a function-local allocation with stack memory.
69acbb
69acbb
ok djm@
69acbb
69acbb
Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
69acbb
---
69acbb
 clientloop.c | 9 ++-------
69acbb
 1 file changed, 2 insertions(+), 7 deletions(-)
69acbb
69acbb
diff --git a/clientloop.c b/clientloop.c
69acbb
index 87ceb3d..1e05cba 100644
69acbb
--- a/clientloop.c
69acbb
+++ b/clientloop.c
69acbb
@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 	static char proto[512], data[512];
69acbb
 	FILE *f;
69acbb
 	int got_data = 0, generated = 0, do_unlink = 0, i;
69acbb
-	char *xauthdir, *xauthfile;
69acbb
+	char xauthdir[MAXPATHLEN] = "", xauthfile[MAXPATHLEN] = "";
69acbb
 	struct stat st;
69acbb
 	u_int now, x11_timeout_real;
69acbb
 
69acbb
-	xauthdir = xauthfile = NULL;
69acbb
 	*_proto = proto;
69acbb
 	*_data = data;
69acbb
 	proto[0] = data[0] = '\0';
69acbb
@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 			display = xdisplay;
69acbb
 		}
69acbb
 		if (trusted == 0) {
69acbb
-			xauthdir = xmalloc(MAXPATHLEN);
69acbb
-			xauthfile = xmalloc(MAXPATHLEN);
69acbb
 			mktemp_proto(xauthdir, MAXPATHLEN);
69acbb
 			/*
69acbb
 			 * The authentication cookie should briefly outlive
69acbb
@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 		unlink(xauthfile);
69acbb
 		rmdir(xauthdir);
69acbb
 	}
69acbb
-	free(xauthdir);
69acbb
-	free(xauthfile);
69acbb
 
69acbb
 	/*
69acbb
 	 * If we didn't get authentication data, just make up some
69acbb
-- 
69acbb
cgit v0.11.2
69acbb
69acbb
From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
69acbb
From: "djm@openbsd.org" <djm@openbsd.org>
69acbb
Date: Wed, 13 Jan 2016 23:04:47 +0000
69acbb
Subject: upstream commit
69acbb
69acbb
eliminate fallback from untrusted X11 forwarding to trusted
69acbb
 forwarding when the X server disables the SECURITY extension; Reported by
69acbb
 Thomas Hoger; ok deraadt@
69acbb
69acbb
Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
69acbb
---
69acbb
 clientloop.c | 114 ++++++++++++++++++++++++++++++++++++-----------------------
69acbb
 clientloop.h |   4 +--
69acbb
 mux.c        |  22 ++++++------
69acbb
 ssh.c        |  23 +++++-------
69acbb
 4 files changed, 93 insertions(+), 70 deletions(-)
69acbb
69acbb
diff --git a/clientloop.c b/clientloop.c
69acbb
index f555451..c0386d5 100644
69acbb
--- a/clientloop.c
69acbb
+++ b/clientloop.c
69acbb
@@ -288,6 +288,9 @@ client_x11_display_valid(const char *display)
69acbb
 {
69acbb
 	size_t i, dlen;
69acbb
 
69acbb
+	if (display == NULL)
69acbb
+		return 0;
69acbb
+
69acbb
 	dlen = strlen(display);
69acbb
 	for (i = 0; i < dlen; i++) {
69acbb
 		if (!isalnum((u_char)display[i]) &&
69acbb
@@ -301,34 +304,33 @@ client_x11_display_valid(const char *display)
69acbb
 
69acbb
 #define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
69acbb
 #define X11_TIMEOUT_SLACK	60
69acbb
-void
69acbb
+int
69acbb
 client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
     u_int trusted, u_int timeout, char **_proto, char **_data)
69acbb
 {
69acbb
-	char cmd[1024];
69acbb
-	char line[512];
69acbb
-	char xdisplay[512];
69acbb
+	char cmd[1024], line[512], xdisplay[512];
69acbb
+	char xauthfile[MAXPATHLEN], xauthdir[MAXPATHLEN];
69acbb
 	static char proto[512], data[512];
69acbb
 	FILE *f;
69acbb
-	int got_data = 0, generated = 0, do_unlink = 0, i;
69acbb
-	char xauthdir[MAXPATHLEN] = "", xauthfile[MAXPATHLEN] = "";
69acbb
+	int got_data = 0, generated = 0, do_unlink = 0, i, r;
69acbb
 	struct stat st;
69acbb
 	u_int now, x11_timeout_real;
69acbb
 
69acbb
 	*_proto = proto;
69acbb
 	*_data = data;
69acbb
-	proto[0] = data[0] = '\0';
69acbb
+	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
69acbb
 
69acbb
-	if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
69acbb
-		debug("No xauth program.");
69acbb
-	} else if (!client_x11_display_valid(display)) {
69acbb
-		logit("DISPLAY '%s' invalid, falling back to fake xauth data",
69acbb
+	if (!client_x11_display_valid(display)) {
69acbb
+		logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
69acbb
 		    display);
69acbb
-	} else {
69acbb
-		if (display == NULL) {
69acbb
-			debug("x11_get_proto: DISPLAY not set");
69acbb
-			return;
69acbb
-		}
69acbb
+		return -1;
69acbb
+	}
69acbb
+	if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
69acbb
+		debug("No xauth program.");
69acbb
+		xauth_path = NULL;
69acbb
+	}
69acbb
+
69acbb
+	if (xauth_path != NULL) {
69acbb
 		/*
69acbb
 		 * Handle FamilyLocal case where $DISPLAY does
69acbb
 		 * not match an authorization entry.  For this we
69acbb
@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 		 *      is not perfect.
69acbb
 		 */
69acbb
 		if (strncmp(display, "localhost:", 10) == 0) {
69acbb
-			snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
69acbb
-			    display + 10);
69acbb
+			if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
69acbb
+			    display + 10)) < 0 ||
69acbb
+			    (size_t)r >= sizeof(xdisplay)) {
69acbb
+				error("%s: display name too long", __func__);
69acbb
+				return -1;
69acbb
+			}
69acbb
 			display = xdisplay;
69acbb
 		}
69acbb
 		if (trusted == 0) {
69acbb
-			mktemp_proto(xauthdir, MAXPATHLEN);
69acbb
 			/*
69acbb
+			 * Generate an untrusted X11 auth cookie.
69acbb
+			 *
69acbb
 			 * The authentication cookie should briefly outlive
69acbb
 			 * ssh's willingness to forward X11 connections to
69acbb
 			 * avoid nasty fail-open behaviour in the X server.
69acbb
 			 */
69acbb
+			mktemp_proto(xauthdir, sizeof(xauthdir));
69acbb
+			if (mkdtemp(xauthdir) == NULL) {
69acbb
+				error("%s: mkdtemp: %s",
69acbb
+				    __func__, strerror(errno));
69acbb
+				return -1;
69acbb
+			}
69acbb
+			do_unlink = 1;
69acbb
+			if ((r = snprintf(xauthfile, sizeof(xauthfile),
69acbb
+			    "%s/xauthfile", xauthdir)) < 0 ||
69acbb
+			    (size_t)r >= sizeof(xauthfile)) {
69acbb
+				error("%s: xauthfile path too long", __func__);
69acbb
+				unlink(xauthfile);
69acbb
+				rmdir(xauthdir);
69acbb
+				return -1;
69acbb
+			}
69acbb
+
69acbb
 			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
69acbb
 				x11_timeout_real = UINT_MAX;
69acbb
 			else
69acbb
 				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
69acbb
-			if (mkdtemp(xauthdir) != NULL) {
69acbb
-				do_unlink = 1;
69acbb
-				snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
69acbb
-				    xauthdir);
69acbb
-				snprintf(cmd, sizeof(cmd),
69acbb
-				    "%s -f %s generate %s " SSH_X11_PROTO
69acbb
-				    " untrusted timeout %u 2>" _PATH_DEVNULL,
69acbb
-				    xauth_path, xauthfile, display,
69acbb
-				    x11_timeout_real);
69acbb
-				debug2("x11_get_proto: %s", cmd);
69acbb
-				if (x11_refuse_time == 0) {
69acbb
-					now = monotime() + 1;
69acbb
-					if (UINT_MAX - timeout < now)
69acbb
-						x11_refuse_time = UINT_MAX;
69acbb
-					else
69acbb
-						x11_refuse_time = now + timeout;
69acbb
-					channel_set_x11_refuse_time(
69acbb
-					    x11_refuse_time);
69acbb
-				}
69acbb
-				if (system(cmd) == 0)
69acbb
-					generated = 1;
69acbb
+			if ((r = snprintf(cmd, sizeof(cmd),
69acbb
+			    "%s -f %s generate %s " SSH_X11_PROTO
69acbb
+			    " untrusted timeout %u 2>" _PATH_DEVNULL,
69acbb
+			    xauth_path, xauthfile, display,
69acbb
+			    x11_timeout_real)) < 0 ||
69acbb
+			    (size_t)r >= sizeof(cmd))
69acbb
+				fatal("%s: cmd too long", __func__);
69acbb
+			debug2("%s: %s", __func__, cmd);
69acbb
+			if (x11_refuse_time == 0) {
69acbb
+				now = monotime() + 1;
69acbb
+				if (UINT_MAX - timeout < now)
69acbb
+					x11_refuse_time = UINT_MAX;
69acbb
+				else
69acbb
+					x11_refuse_time = now + timeout;
69acbb
+				channel_set_x11_refuse_time(x11_refuse_time);
69acbb
 			}
69acbb
+			if (system(cmd) == 0)
69acbb
+				generated = 1;
69acbb
 		}
69acbb
 
69acbb
 		/*
69acbb
@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 				got_data = 1;
69acbb
 			if (f)
69acbb
 				pclose(f);
69acbb
-		} else
69acbb
-			error("Warning: untrusted X11 forwarding setup failed: "
69acbb
-			    "xauth key data not generated");
69acbb
+		}
69acbb
 	}
69acbb
 
69acbb
 	if (do_unlink) {
69acbb
@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 		rmdir(xauthdir);
69acbb
 	}
69acbb
 
69acbb
+	/* Don't fall back to fake X11 data for untrusted forwarding */
69acbb
+	if (!trusted && !got_data) {
69acbb
+		error("Warning: untrusted X11 forwarding setup failed: "
69acbb
+		    "xauth key data not generated");
69acbb
+		return -1;
69acbb
+	}
69acbb
+
69acbb
 	/*
69acbb
 	 * If we didn't get authentication data, just make up some
69acbb
 	 * data.  The forwarding code will check the validity of the
69acbb
@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 			rnd >>= 8;
69acbb
 		}
69acbb
 	}
69acbb
+
69acbb
+	return 0;
69acbb
 }
69acbb
 
69acbb
 /*
69acbb
diff --git a/clientloop.h b/clientloop.h
69acbb
index 338d451..f4d4c69 100644
69acbb
--- a/clientloop.h
69acbb
+++ b/clientloop.h
69acbb
@@ -39,7 +39,7 @@
69acbb
 
69acbb
 /* Client side main loop for the interactive session. */
69acbb
 int	 client_loop(int, int, int);
69acbb
-void	 client_x11_get_proto(const char *, const char *, u_int, u_int,
69acbb
+int	 client_x11_get_proto(const char *, const char *, u_int, u_int,
69acbb
 	    char **, char **);
69acbb
 void	 client_global_request_reply_fwd(int, u_int32_t, void *);
69acbb
 void	 client_session2_setup(int, int, int, const char *, struct termios *,
69acbb
diff --git a/mux.c b/mux.c
69acbb
index f9c3af6..6bf53eb 100644
69acbb
--- a/mux.c
69acbb
+++ b/mux.c
69acbb
@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success, void *arg)
69acbb
 		char *proto, *data;
69acbb
 
69acbb
 		/* Get reasonable local authentication information. */
69acbb
-		client_x11_get_proto(display, options.xauth_location,
69acbb
+		if (client_x11_get_proto(display, options.xauth_location,
69acbb
 		    options.forward_x11_trusted, options.forward_x11_timeout,
69acbb
-		    &proto, &data);
69acbb
-		/* Request forwarding with authentication spoofing. */
69acbb
-		debug("Requesting X11 forwarding with authentication "
69acbb
-		    "spoofing.");
69acbb
-		x11_request_forwarding_with_spoofing(id, display, proto,
69acbb
-		    data, 1);
69acbb
-		client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
69acbb
-		/* XXX exit_on_forward_failure */
69acbb
+		    &proto, &data) == 0) {
69acbb
+			/* Request forwarding with authentication spoofing. */
69acbb
+			debug("Requesting X11 forwarding with authentication "
69acbb
+			    "spoofing.");
69acbb
+			x11_request_forwarding_with_spoofing(id, display, proto,
69acbb
+			    data, 1);
69acbb
+			/* XXX exit_on_forward_failure */
69acbb
+			client_expect_confirm(id, "X11 forwarding",
69acbb
+			    CONFIRM_WARN);
69acbb
+		}
69acbb
 	}
69acbb
 
69acbb
 	if (cctx->want_agent_fwd && options.forward_agent) {
69acbb
diff --git a/ssh.c b/ssh.c
69acbb
index 81704ab..096c5b5 100644
69acbb
--- a/ssh.c
69acbb
+++ b/ssh.c
69acbb
@@ -1626,6 +1626,7 @@ ssh_session(void)
69acbb
 	struct winsize ws;
69acbb
 	char *cp;
69acbb
 	const char *display;
69acbb
+	char *proto = NULL, *data = NULL;
69acbb
 
69acbb
 	/* Enable compression if requested. */
69acbb
 	if (options.compression) {
69acbb
@@ -1696,13 +1697,9 @@ ssh_session(void)
69acbb
 	}
69acbb
 	/* Request X11 forwarding if enabled and DISPLAY is set. */
69acbb
 	display = getenv("DISPLAY");
69acbb
-	if (options.forward_x11 && display != NULL) {
69acbb
-		char *proto, *data;
69acbb
-		/* Get reasonable local authentication information. */
69acbb
-		client_x11_get_proto(display, options.xauth_location,
69acbb
-		    options.forward_x11_trusted,
69acbb
-		    options.forward_x11_timeout,
69acbb
-		    &proto, &data);
69acbb
+	if (options.forward_x11 && client_x11_get_proto(display,
69acbb
+	    options.xauth_location, options.forward_x11_trusted,
69acbb
+	    options.forward_x11_timeout, &proto, &data) == 0) {
69acbb
 		/* Request forwarding with authentication spoofing. */
69acbb
 		debug("Requesting X11 forwarding with authentication "
69acbb
 		    "spoofing.");
69acbb
@@ -1792,6 +1789,7 @@ ssh_session2_setup(int id, int success, void *arg)
69acbb
 	extern char **environ;
69acbb
 	const char *display;
69acbb
 	int interactive = tty_flag;
69acbb
+	char *proto = NULL, *data = NULL;
69acbb
 
69acbb
 	if (!success)
69acbb
 		return; /* No need for error message, channels code sens one */
69acbb
@@ -1799,12 +1797,9 @@ ssh_session2_setup(int id, int success, void *arg)
69acbb
 		return; /* No need for error message, channels code sens one */
69acbb
 
69acbb
 	display = getenv("DISPLAY");
69acbb
-	if (options.forward_x11 && display != NULL) {
69acbb
-		char *proto, *data;
69acbb
-		/* Get reasonable local authentication information. */
69acbb
-		client_x11_get_proto(display, options.xauth_location,
69acbb
-		    options.forward_x11_trusted,
69acbb
-		    options.forward_x11_timeout, &proto, &data);
69acbb
+	if (options.forward_x11 && client_x11_get_proto(display,
69acbb
+	    options.xauth_location, options.forward_x11_trusted,
69acbb
+	    options.forward_x11_timeout, &proto, &data) == 0) {
69acbb
 		/* Request forwarding with authentication spoofing. */
69acbb
 		debug("Requesting X11 forwarding with authentication "
69acbb
 		    "spoofing.");
69acbb
-- 
69acbb
cgit v0.11.2
69acbb
69acbb
From 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a Mon Sep 17 00:00:00 2001
69acbb
From: "millert@openbsd.org" <millert@openbsd.org>
69acbb
Date: Mon, 1 Feb 2016 21:18:17 +0000
69acbb
Subject: upstream commit
69acbb
69acbb
Avoid ugly "DISPLAY "(null)" invalid; disabling X11
69acbb
 forwarding" message when DISPLAY is not set.  This could also result in a
69acbb
 crash on systems with a printf that doesn't handle NULL.  OK djm@
69acbb
69acbb
Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
69acbb
---
69acbb
 clientloop.c | 7 ++++---
69acbb
 1 file changed, 4 insertions(+), 3 deletions(-)
69acbb
69acbb
diff --git a/clientloop.c b/clientloop.c
69acbb
index f8f9a3f..f0a08f2 100644
69acbb
--- a/clientloop.c
69acbb
+++ b/clientloop.c
69acbb
@@ -318,8 +318,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
69acbb
 	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
69acbb
 
69acbb
 	if (!client_x11_display_valid(display)) {
69acbb
-		logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
69acbb
-		    display);
69acbb
+		if (display != NULL)
69acbb
+			logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
69acbb
+			    display);
69acbb
 		return -1;
69acbb
 	}
69acbb
 	if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
69acbb
-- 
69acbb
cgit v0.11.2
69acbb
69acbb