Module Name: src Committed By: martin Date: Fri Mar 11 12:23:58 UTC 2016
Modified Files: src/crypto/external/bsd/openssh/dist [netbsd-7-0]: channels.c channels.h clientloop.c sshpty.c Log Message: Apply the following changes, requested by snj in #1138: - Refuse ForwardX11Trusted=no connections attempted after ForwardX11Timeout expires. (CVE-2015-5352) - Fix TTY permissions to not be world-writable. (CVE-2015-6565) To generate a diff of this commit: cvs rdiff -u -r1.11.4.1 -r1.11.4.1.2.1 \ src/crypto/external/bsd/openssh/dist/channels.c cvs rdiff -u -r1.8.4.1 -r1.8.4.1.2.1 \ src/crypto/external/bsd/openssh/dist/channels.h cvs rdiff -u -r1.10.4.1 -r1.10.4.1.2.1 \ src/crypto/external/bsd/openssh/dist/clientloop.c cvs rdiff -u -r1.2.26.1 -r1.2.26.1.2.1 \ src/crypto/external/bsd/openssh/dist/sshpty.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssh/dist/channels.c diff -u src/crypto/external/bsd/openssh/dist/channels.c:1.11.4.1 src/crypto/external/bsd/openssh/dist/channels.c:1.11.4.1.2.1 --- src/crypto/external/bsd/openssh/dist/channels.c:1.11.4.1 Thu Apr 30 06:07:30 2015 +++ src/crypto/external/bsd/openssh/dist/channels.c Fri Mar 11 12:23:58 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $ */ +/* $NetBSD: channels.c,v 1.11.4.1.2.1 2016/03/11 12:23:58 martin Exp $ */ /* $OpenBSD: channels.c,v 1.341 2015/02/06 23:21:59 millert Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> @@ -41,7 +41,7 @@ */ #include "includes.h" -__RCSID("$NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $"); +__RCSID("$NetBSD: channels.c,v 1.11.4.1.2.1 2016/03/11 12:23:58 martin Exp $"); #include <sys/param.h> #include <sys/types.h> #include <sys/param.h> /* MIN MAX */ @@ -163,6 +163,9 @@ static char *x11_saved_proto = NULL; static char *x11_saved_data = NULL; static u_int x11_saved_data_len = 0; +/* Deadline after which all X11 connections are refused */ +static u_int x11_refuse_time; + /* * Fake X11 authentication data. This is what the server will be sending us; * we should replace any occurrences of this by the real data. @@ -938,6 +941,13 @@ x11_open_helper(Buffer *b) u_char *ucp; u_int proto_len, data_len; + /* Is this being called after the refusal deadline? */ + if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { + verbose("Rejected X11 connection after ForwardX11Timeout " + "expired"); + return -1; + } + /* Check if the fixed size part of the packet is in buffer. */ if (buffer_len(b) < 12) return 0; 
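Review bot: The new file-static `x11_refuse_time` in hunk @@ -163 is commented as a deadline but nothing says that zero means "no deadline", even though the check added to x11_open_helper() in hunk @@ -938 (`x11_refuse_time != 0 && ...`) and the existing one in clientloop.c both rely on that convention, and the variable stays zero in any program that links channels.c without calling the new setter. Suggested comment for the declaration: `/* monotime() value after which x11_open_helper() refuses new X11 connections; 0 = no deadline. Armed only through channel_set_x11_refuse_time(), which the ssh client calls from client_x11_get_proto(). */`. The same deadline is held in a second static of the same name in clientloop.c and pushed across by the setter; naming that in the comment stops the two copies being mistaken for one variable.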
@@ -1509,6 +1519,12 @@ channel_set_reuseaddr(int fd) error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); } +void +channel_set_x11_refuse_time(u_int refuse_time) +{ + x11_refuse_time = refuse_time; +} + /* * This socket is listening for connections to a forwarded TCP/IP port. */ Index: src/crypto/external/bsd/openssh/dist/channels.h diff -u src/crypto/external/bsd/openssh/dist/channels.h:1.8.4.1 src/crypto/external/bsd/openssh/dist/channels.h:1.8.4.1.2.1 --- src/crypto/external/bsd/openssh/dist/channels.h:1.8.4.1 Thu Apr 30 06:07:30 2015 +++ src/crypto/external/bsd/openssh/dist/channels.h Fri Mar 11 12:23:58 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: channels.h,v 1.8.4.1 2015/04/30 06:07:30 riz Exp $ */ +/* $NetBSD: channels.h,v 1.8.4.1.2.1 2016/03/11 12:23:58 martin Exp $ */ /* $OpenBSD: channels.h,v 1.116 2015/01/19 20:07:45 markus Exp $ */ /* @@ -287,6 +287,7 @@ int permitopen_port(const char *); /* x11 forwarding */ +void channel_set_x11_refuse_time(u_int); int x11_connect_display(void); int x11_create_display_inet(int, int, int, u_int *, int **); int x11_input_open(int, u_int32_t, void *); Index: src/crypto/external/bsd/openssh/dist/clientloop.c diff -u src/crypto/external/bsd/openssh/dist/clientloop.c:1.10.4.1 src/crypto/external/bsd/openssh/dist/clientloop.c:1.10.4.1.2.1 --- src/crypto/external/bsd/openssh/dist/clientloop.c:1.10.4.1 Thu Apr 30 06:07:30 2015 +++ src/crypto/external/bsd/openssh/dist/clientloop.c Fri Mar 11 12:23:58 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $ */ +/* $NetBSD: clientloop.c,v 1.10.4.1.2.1 2016/03/11 12:23:58 martin Exp $ */ /* $OpenBSD: clientloop.c,v 1.272 2015/02/25 19:54:02 djm Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> 
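Review bot: channel_set_x11_refuse_time() in hunk @@ -1509 is added with no header comment, so its contract — what the value is compared against and what zero means — is only discoverable by reading clientloop.c. Suggested comment above the definition: `/* Set the monotime() value after which x11_open_helper() rejects new X11 connections; 0 disables the check. Called by the client once the xauth cookie lifetime is known. */`, and a short `/* 0 = no deadline */` beside the prototype this commit adds to channels.h. The body is a plain store, so no validation is needed here; the only thing worth pinning is the meaning of the argument.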
@@ -61,7 +61,7 @@ */ #include "includes.h" -__RCSID("$NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $"); +__RCSID("$NetBSD: clientloop.c,v 1.10.4.1.2.1 2016/03/11 12:23:58 martin Exp $"); #include <sys/param.h> /* MIN MAX */ #include <sys/types.h> @@ -159,7 +159,7 @@ static int connection_in; /* Connection static int connection_out; /* Connection to server (output). */ static int need_rekeying; /* Set to non-zero if rekeying is requested. */ static int session_closed; /* In SSH2: login session closed. */ -static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ +static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ static void client_init_dispatch(void); int session_ident = -1; @@ -294,7 +294,8 @@ client_x11_display_valid(const char *dis return 1; } -#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" +#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" +#define X11_TIMEOUT_SLACK 60 void client_x11_get_proto(const char *display, const char *xauth_path, u_int trusted, u_int timeout, char **_proto, char **_data) @@ -307,7 +308,7 @@ client_x11_get_proto(const char *display int got_data = 0, generated = 0, do_unlink = 0, i; char *xauthdir, *xauthfile; struct stat st; - u_int now; + u_int now, x11_timeout_real; xauthdir = xauthfile = NULL; *_proto = proto; @@ -340,6 +341,15 @@ client_x11_get_proto(const char *display xauthdir = xmalloc(PATH_MAX); xauthfile = xmalloc(PATH_MAX); mktemp_proto(xauthdir, PATH_MAX); + /* + * The authentication cookie should briefly outlive + * ssh's willingness to forward X11 connections to + * avoid nasty fail-open behaviour in the X server. + */ + if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK) + x11_timeout_real = UINT_MAX; + else + x11_timeout_real = timeout + X11_TIMEOUT_SLACK; if (mkdtemp(xauthdir) != NULL) { do_unlink = 1; snprintf(xauthfile, PATH_MAX, "%s/xauthfile", 
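Review bot: `X11_TIMEOUT_SLACK` in hunk @@ -294 is a bare number; the reason for it only appears two hunks later, in the comment added in hunk @@ -340, so a reader at the definition site sees neither a unit nor a purpose. Suggested: `#define X11_TIMEOUT_SLACK 60 /* seconds the xauth cookie outlives ForwardX11Timeout */` — the value ends up in xauth's `timeout %u`, which takes seconds. The `UINT_MAX - X11_TIMEOUT_SLACK` guard in hunk @@ -340 correctly prevents the addition from wrapping; a one-word `/* saturate */` on the `x11_timeout_real = UINT_MAX;` branch would make the intent obvious. client_x11_get_proto() starts and ends outside these hunks.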
@@ -347,17 +357,20 @@ client_x11_get_proto(const char *display snprintf(cmd, sizeof(cmd), "%s -f %s generate %s " SSH_X11_PROTO " untrusted timeout %u 2>" _PATH_DEVNULL, - xauth_path, xauthfile, display, timeout); + xauth_path, xauthfile, display, + x11_timeout_real); debug2("x11_get_proto: %s", cmd); - if (system(cmd) == 0) - generated = 1; if (x11_refuse_time == 0) { now = monotime() + 1; if (UINT_MAX - timeout < now) x11_refuse_time = UINT_MAX; else x11_refuse_time = now + timeout; + channel_set_x11_refuse_time( + x11_refuse_time); } + if (system(cmd) == 0) + generated = 1; } } @@ -1886,7 +1899,7 @@ client_request_x11(const char *request_t "malicious server."); return NULL; } - if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { + if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { verbose("Rejected X11 connection after ForwardX11Timeout " "expired"); return NULL; Index: src/crypto/external/bsd/openssh/dist/sshpty.c diff -u src/crypto/external/bsd/openssh/dist/sshpty.c:1.2.26.1 src/crypto/external/bsd/openssh/dist/sshpty.c:1.2.26.1.2.1 --- src/crypto/external/bsd/openssh/dist/sshpty.c:1.2.26.1 Thu Apr 30 06:07:31 2015 +++ src/crypto/external/bsd/openssh/dist/sshpty.c Fri Mar 11 12:23:58 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $ */ +/* $NetBSD: sshpty.c,v 1.2.26.1.2.1 2016/03/11 12:23:58 martin Exp $ */ /* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> @@ -14,7 +14,7 @@ */ #include "includes.h" -__RCSID("$NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $"); +__RCSID("$NetBSD: sshpty.c,v 1.2.26.1.2.1 2016/03/11 12:23:58 martin Exp $"); #include <sys/types.h> #include <sys/ioctl.h> #include <sys/stat.h> 
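Review bot: The reordering in hunk @@ -347 — arming `x11_refuse_time` and calling channel_set_x11_refuse_time() before `system(cmd)` runs xauth — is the substantive part of the fix, yet nothing in the code says the order is deliberate, so a later tidy-up could move the `system()` call back above the deadline block. Suggested comment above `if (x11_refuse_time == 0) {`: `/* Arm the refusal deadline before xauth runs so that ssh stops accepting X11 opens no later than the cookie expires; X11_TIMEOUT_SLACK covers the time xauth itself takes. */` (the timing rationale is my reading of the slack comment added earlier in this commit, not something the hunk states). For consistency with the explicit narrowing casts this commit adds in client_request_x11() (hunk @@ -1886) and x11_open_helper(), the unchanged context line `now = monotime() + 1;` should become `now = (u_int)monotime() + 1;` rather than converting implicitly. client_x11_get_proto() begins and ends outside the hunk.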
@@ -145,7 +145,7 @@ pty_setowner(struct passwd *pw, const ch /* Determine the group to make the owner of the tty. */ grp = getgrnam("tty"); gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; - mode = (grp != NULL) ? 0622 : 0600; + mode = (grp != NULL) ? 0620 : 0600; /* * Change owner and mode of the tty as required.
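Review bot: The mode change to `0620` in hunk @@ -145 drops world write on the tty, but the comment kept above it only explains the group choice, so the next reader has to go back to the CVE reference to learn why group write survives while other-write does not. Suggested: `mode = (grp != NULL) ? 0620 : 0600; /* group "tty" keeps write (presumably for setgid-tty utilities); world never */`. The `0600` fallback is taken only when `getgrnam("tty")` fails, which the unchanged line above decides; a short `/* no tty group: owner only */` on that branch would close the loop. pty_setowner() continues past the end of the hunk.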