Hi Mike
I have had a look at this. First of all I do not think the CVE is
completely fixed even with the additional patch. I also do not fully
understand how 6111-2.patch is supposed to work. More about this below.
Let us give some example commands.
[1] scp host:/foobar/a* b
[2] scp host:a* b
[3] scp -r host /foobar/a* b
[4] scp -r host a* b
My understanding is that only case 1 is protected by 6111-1.patch
6111-2.patch seems to protect against case 2.
But to my understanding we do not protect against 3 and 4. Am I missing
something?
Anyway I have tried to see if I could reproduce the segfault. I do not know
fully how you have tested it so I decided to copy the new code to a new
test.c file and test different patterns.
The functionality as such seems to be working fine.
I did one change though to make it work. I changed xstrdup to strdup
because I could not find link against it for some reason. Could that be
your problem too?
Essentially my test.c file looks like this:
#include <sys/types.h>
#include <stdlib.h>
#include <bsd/stdlib.h>
#include <string.h>
#include <publib.h>
#define fatal sprintf
... the new functions code here ...
int testpattern(char* pattern) {
char **patterns = NULL;
size_t npatterns = 0;
int i = 0;
printf("==== Test pattern %s ====\n", pattern);
brace_expand(pattern, &patterns, &npatterns);
for (i = 0; i < npatterns; i++) {
printf("Pattern %d: %s\n", i, patterns[i]);
}
}
int main(int argc, char** argv) {
testpattern("filea");
testpattern("dira/filea");
testpattern("dira/file{a,b}");
testpattern("file{a,b}");
testpattern("file*");
testpattern("file{a,b}{c,d}");
testpattern("file{a,b}*");
testpattern("dir{a,b}*/d");
testpattern("dir{a,b}/file*{a,b}*");
}
I could not reproduce the crash. How did you reproduce it?
Best regards
// Ola
On Fri, 8 Mar 2019 at 23:41, Mike Gabriel <[email protected]> wrote:
> Hi Colin, hi Debian LTS team,
>
> On Fr 01 Mär 2019 13:24:30 CET, Colin Watson wrote:
>
> > And yes, it looks OK - I'll upload it to unstable shortly.
>
> I have prepared a backport of this newly added patch [1] (see #923486
> for details) to openssh in Debian jessie LTS, but with that patch
> backported to openssh in Debian jessie, I get a segmentation fault
> whenever I copy something using the scp cmdline tool (I have of course
> backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).
>
> I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7
> (in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.
>
> The critical patch is CVE-2019-6111-2.patch. With that patch added I
> get segfaults with scp. Without that patch scp works, but is
> susceptible to the earlier mentioned exploit for CVE-2019-6111.
>
> I am a bit lost here and would appreciate some ideas about what is
> going wrong here.
>
> I will only be able to continue on this on Monday, but maybe someone
> else can offer some genuine input over the weekend. Will be much
> appreciated.
>
> Thanks+Greets,
> Mike
>
> [1]
>
> https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
> --
>
> mike gabriel aka sunweaver (Debian Developer)
> mobile: +49 (1520) 1976 148
> landline: +49 (4354) 8390 139
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
> mail: [email protected], http://sunweavers.net
>
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| [email protected] [email protected] |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
