Hi again, I finally found out why I could not use xstrdup, so with that fixed I ran the tests again. No crash. My guess is that the crash is in some other part of the code and not in the newly introduced functions.
// Ola

On Mon, 11 Mar 2019 at 00:09, Ola Lundqvist <o...@inguza.com> wrote:
> Hi Mike
>
> I have had a look at this. First of all, I do not think the CVE is
> completely fixed even with the additional patch. I also do not fully
> understand how 6111-2.patch is supposed to work. More about this below.
> Let us give some example commands.
>
> [1] scp host:/foobar/a* b
> [2] scp host:a* b
> [3] scp -r host /foobar/a* b
> [4] scp -r host a* b
>
> My understanding is that only case 1 is protected by 6111-1.patch.
> 6111-2.patch seems to protect against case 2.
>
> But to my understanding we do not protect against 3 and 4. Am I missing
> something?
>
> Anyway, I have tried to see if I could reproduce the segfault. I do not
> know fully how you have tested it, so I decided to copy the new code to a
> new test.c file and test different patterns.
> The functionality as such seems to be working fine.
>
> I did one change though to make it work. I changed xstrdup to strdup
> because I could not link against it for some reason. Could that be
> your problem too?
>
> Essentially my test.c file looks like this:
>
> #include <sys/types.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <bsd/stdlib.h>
> #include <string.h>
> #include <publib.h>
> #define fatal sprintf
>
> ... the new functions code here ...
>
> /* Expand one pattern and print every resulting plain glob. */
> void testpattern(char *pattern) {
>     char **patterns = NULL;
>     size_t npatterns = 0;
>     size_t i = 0;
>     printf("==== Test pattern %s ====\n", pattern);
>     brace_expand(pattern, &patterns, &npatterns);
>     for (i = 0; i < npatterns; i++) {
>         printf("Pattern %zu: %s\n", i, patterns[i]);
>     }
> }
>
> int main(int argc, char **argv) {
>     testpattern("filea");
>     testpattern("dira/filea");
>     testpattern("dira/file{a,b}");
>     testpattern("file{a,b}");
>     testpattern("file*");
>     testpattern("file{a,b}{c,d}");
>     testpattern("file{a,b}*");
>     testpattern("dir{a,b}*/d");
>     testpattern("dir{a,b}/file*{a,b}*");
>     return 0;
> }
>
> I could not reproduce the crash. How did you reproduce it?
>
> Best regards
>
> // Ola
>
>
> On Fri, 8 Mar 2019 at 23:41, Mike Gabriel <sunwea...@debian.org> wrote:
>
>> Hi Colin, hi Debian LTS team,
>>
>> On Fr 01 Mär 2019 13:24:30 CET, Colin Watson wrote:
>>
>> > And yes, it looks OK - I'll upload it to unstable shortly.
>>
>> I have prepared a backport of this newly added patch [1] (see #923486
>> for details) to openssh in Debian jessie LTS, but with that patch
>> backported to openssh in Debian jessie, I get a segmentation fault
>> whenever I copy something using the scp cmdline tool (I have of course
>> backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).
>>
>> I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7
>> (in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.
>>
>> The critical patch is CVE-2019-6111-2.patch. With that patch added I
>> get segfaults with scp. Without that patch scp works, but is
>> susceptible to the earlier mentioned exploit for CVE-2019-6111.
>>
>> I am a bit lost here and would appreciate some ideas about what is
>> going wrong here.
>>
>> I will only be able to continue on this on Monday, but maybe someone
>> else can offer some genuine input over the weekend. Will be much
>> appreciated.
>>
>> Thanks+Greets,
>> Mike
>>
>> [1] https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
>>
>> --
>>
>> mike gabriel aka sunweaver (Debian Developer)
>> mobile: +49 (1520) 1976 148
>> landline: +49 (4354) 8390 139
>>
>> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
>> mail: sunwea...@debian.org, http://sunweavers.net
>>
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> | o...@inguza.com o...@debian.org |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> ---------------------------------------------------------------
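The two pieces the thread is debugging, brace expansion of the requested pattern and the client-side check that the CVE-2019-6111 fix adds to the scp sink, as an added example that is not code from this thread, from OpenSSH or from the Debian patches. It expands `{a,b}` groups in the style of the test harness above and then accepts a server-supplied filename only if it matches one of the expanded globs the client actually asked for, which is what stops a malicious server from pushing an unrequested `.bash_aliases` or `id_rsa` into the destination directory. The function names (`brace_expand`, `name_permitted`, `scp_sink_would_accept`, `expansion_count`), the outright rejection of names containing `/` or equal to `.`/`..`, the use of fnmatch(3) with no flags, the treatment of unbalanced braces as an error, and the sample requests and server replies are this example's own assumptions, not OpenSSH's implementation.

```c
/* Added example (not OpenSSH code): brace expansion of an scp request
 * pattern, then the client-side filename check that CVE-2019-6111's fix
 * performs in the scp sink. All names below are this example's own. */
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dupstr(const char *s)
{
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d != NULL)
        memcpy(d, s, len);
    return d;
}

/* Append s (already malloc'd) to the pattern list; takes ownership of s. */
static int push(char ***out, size_t *n, char *s)
{
    char **tmp;
    if (s == NULL)
        return -1;
    tmp = realloc(*out, (*n + 1) * sizeof(*tmp));
    if (tmp == NULL) {
        free(s);
        return -1;
    }
    *out = tmp;
    (*out)[(*n)++] = s;
    return 0;
}

/* Expand the first {a,b,...} group and recurse on each result, so nested
 * and multiple groups are handled. Unbalanced braces are an error (-1)
 * rather than being passed through to fnmatch as literal characters. */
static int brace_expand(const char *pattern, char ***out, size_t *n)
{
    const char *open = strchr(pattern, '{');
    const char *closeb = NULL, *alt, *p, *suffix;
    size_t plen;
    int depth = 0;

    if (open == NULL)
        return push(out, n, dupstr(pattern));
    for (p = open; *p != '\0'; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0) {
            closeb = p;
            break;
        }
    }
    if (closeb == NULL)
        return -1;
    plen = (size_t)(open - pattern);
    suffix = closeb + 1;
    depth = 0;
    for (alt = p = open + 1;; p++) {       /* split on top-level commas */
        if (*p == '{') {
            depth++;
        } else if (*p == '}' && depth > 0) {
            depth--;
        } else if ((*p == ',' && depth == 0) || p == closeb) {
            size_t alen = (size_t)(p - alt);
            char *buf = malloc(plen + alen + strlen(suffix) + 1);
            if (buf == NULL)
                return -1;
            memcpy(buf, pattern, plen);
            memcpy(buf + plen, alt, alen);
            strcpy(buf + plen + alen, suffix);
            int rc = brace_expand(buf, out, n);
            free(buf);
            if (rc < 0)
                return -1;
            if (p == closeb)
                break;
            alt = p + 1;
        }
    }
    return 0;
}

static void free_patterns(char **patterns, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(patterns[i]);
    free(patterns);
}

/* The check itself: a name the server sent is accepted only if it matches a
 * glob the client requested. A basename can never legitimately contain '/'
 * or be "."/"..", so those are refused before any pattern is consulted. */
static int name_permitted(const char *name, char **patterns, size_t n)
{
    if (strchr(name, '/') != NULL || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (fnmatch(patterns[i], name, 0) == 0)
            return 1;
    return 0;
}

/* request: final path component of the remote glob the user typed (e.g. "a*"
 * for host:/foobar/a*); name: the filename the server answered with. */
int scp_sink_would_accept(const char *request, const char *name)
{
    char **patterns = NULL;
    size_t n = 0;
    int ok = 0;
    if (brace_expand(request, &patterns, &n) == 0)
        ok = name_permitted(name, patterns, n);
    free_patterns(patterns, n);
    return ok;
}

/* Number of plain globs a request expands to; 0 for malformed input. */
size_t expansion_count(const char *request)
{
    char **patterns = NULL;
    size_t n = 0;
    int rc = brace_expand(request, &patterns, &n);
    free_patterns(patterns, n);
    return rc == 0 ? n : 0;
}

int main(void)
{
    const char *request = "a*";                                   /* user asked for a* */
    const char *names[] = { "abc", "id_rsa", "../authorized_keys" }; /* constructed server replies */
    for (size_t i = 0; i < 3; i++)
        printf("request %s, server sent %-20s -> %s\n", request, names[i],
               scp_sink_would_accept(request, names[i]) ? "accept" : "reject");
    printf("file{a,b}{c,d} expands to %zu patterns\n", expansion_count("file{a,b}{c,d}"));
    return 0;
}
```

Only the filename-matching half of the fix is shown here: the recursive (`scp -r`) cases 3 and 4 raised in the message, where the client names a directory and the server then chooses the names of everything inside it, are not addressed by a check of this shape.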