MFV r311913:

Fix multiple OpenSSH vulnerabilities.

Submitted by:	des
Approved by:	so
delphij 2017-01-11 05:49:39 +00:00
parent 3797ca6b76
commit db4ad7afa3
8 changed files with 55 additions and 15 deletions


@ -995,7 +995,7 @@ server_request_direct_streamlocal(void)
/* XXX fine grained permissions */ /* XXX fine grained permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
!no_port_forwarding_flag) { !no_port_forwarding_flag && use_privsep) {
c = channel_connect_to_path(target, c = channel_connect_to_path(target,
"direct-streamlocal@openssh.com", "direct-streamlocal"); "direct-streamlocal@openssh.com", "direct-streamlocal");
} else { } else {
@ -1279,7 +1279,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
/* check permissions */ /* check permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
|| no_port_forwarding_flag) { || no_port_forwarding_flag || !use_privsep) {
success = 0; success = 0;
packet_send_debug("Server has disabled port forwarding."); packet_send_debug("Server has disabled port forwarding.");
} else { } else {
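Review bot: The new `!use_privsep` term added to both permission checks (the direct-streamlocal request in the first hunk and the global request in the second) is not explained anywhere in the hunks, and in the second hunk a refusal caused by it still reaches `packet_send_debug("Server has disabled port forwarding.")`, which tells the client the wrong reason. A one-line comment above each condition would carry the intent; presumably the point is that Unix-domain socket forwarding is only safe when the privilege-separated child performs it, so something like `/* streamlocal forwarding requires privsep; without it the socket would be handled by the privileged process */` — confirm the rationale against the advisory before wording it. Both server_request_direct_streamlocal and server_input_global_request start and end outside the hunks shown.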


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $ .\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -48,6 +48,7 @@
.Op Fl a Ar bind_address .Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash .Op Fl E Ar fingerprint_hash
.Op Fl t Ar life .Op Fl t Ar life
.Op Fl P Ar pkcs11_whitelist
.Op Ar command Op Ar arg ... .Op Ar command Op Ar arg ...
.Nm ssh-agent .Nm ssh-agent
.Op Fl c | s .Op Fl c | s
@ -122,6 +123,18 @@ The default is
Kill the current agent (given by the Kill the current agent (given by the
.Ev SSH_AGENT_PID .Ev SSH_AGENT_PID
environment variable). environment variable).
.It Fl P
Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
that may be added using the
.Fl s
option to
.Xr ssh-add 1 .
The default is to allow loading PKCS#11 libraries from
.Dq /usr/lib/*,/usr/local/lib/* .
PKCS#11 libraries that do not match the whitelist will be refused.
See PATTERNS in
.Xr ssh_config 5
for a description of pattern-list syntax.
.It Fl s .It Fl s
Generate Bourne shell commands on Generate Bourne shell commands on
.Dv stdout . .Dv stdout .


@ -84,11 +84,16 @@ __RCSID("$FreeBSD$");
#include "misc.h" #include "misc.h"
#include "digest.h" #include "digest.h"
#include "ssherr.h" #include "ssherr.h"
#include "match.h"
#ifdef ENABLE_PKCS11 #ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h" #include "ssh-pkcs11.h"
#endif #endif
#ifndef DEFAULT_PKCS11_WHITELIST
# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
#endif
#if defined(HAVE_SYS_PRCTL_H) #if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */ #include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif #endif
@ -140,6 +145,9 @@ pid_t cleanup_pid = 0;
char socket_name[PATH_MAX]; char socket_name[PATH_MAX];
char socket_dir[PATH_MAX]; char socket_dir[PATH_MAX];
/* PKCS#11 path whitelist */
static char *pkcs11_whitelist;
/* locking */ /* locking */
#define LOCK_SIZE 32 #define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16 #define LOCK_SALT_SIZE 16
@ -761,7 +769,7 @@ no_identities(SocketEntry *e, u_int type)
static void static void
process_add_smartcard_key(SocketEntry *e) process_add_smartcard_key(SocketEntry *e)
{ {
char *provider = NULL, *pin; char *provider = NULL, *pin, canonical_provider[PATH_MAX];
int r, i, version, count = 0, success = 0, confirm = 0; int r, i, version, count = 0, success = 0, confirm = 0;
u_int seconds; u_int seconds;
time_t death = 0; time_t death = 0;
@ -793,10 +801,21 @@ process_add_smartcard_key(SocketEntry *e)
goto send; goto send;
} }
} }
if (realpath(provider, canonical_provider) == NULL) {
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
provider, strerror(errno));
goto send;
}
if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
verbose("refusing PKCS#11 add of \"%.100s\": "
"provider not whitelisted", canonical_provider);
goto send;
}
debug("%s: add %.100s", __func__, canonical_provider);
if (lifetime && !death) if (lifetime && !death)
death = monotime() + lifetime; death = monotime() + lifetime;
count = pkcs11_add_provider(provider, pin, &keys); count = pkcs11_add_provider(canonical_provider, pin, &keys);
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
k = keys[i]; k = keys[i];
version = k->type == KEY_RSA1 ? 1 : 2; version = k->type == KEY_RSA1 ? 1 : 2;
@ -804,8 +823,8 @@ process_add_smartcard_key(SocketEntry *e)
if (lookup_identity(k, version) == NULL) { if (lookup_identity(k, version) == NULL) {
id = xcalloc(1, sizeof(Identity)); id = xcalloc(1, sizeof(Identity));
id->key = k; id->key = k;
id->provider = xstrdup(provider); id->provider = xstrdup(canonical_provider);
id->comment = xstrdup(provider); /* XXX */ id->comment = xstrdup(canonical_provider); /* XXX */
id->death = death; id->death = death;
id->confirm = confirm; id->confirm = confirm;
TAILQ_INSERT_TAIL(&tab->idlist, id, next); TAILQ_INSERT_TAIL(&tab->idlist, id, next);
@ -1200,7 +1219,7 @@ usage(void)
{ {
fprintf(stderr, fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
" [-t life] [command [arg ...]]\n" " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n"); " ssh-agent [-c | -s] -k\n");
fprintf(stderr, " -x Exit when the last client disconnects.\n"); fprintf(stderr, " -x Exit when the last client disconnects.\n");
exit(1); exit(1);
@ -1246,7 +1265,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
seed_rng(); seed_rng();
while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
switch (ch) { switch (ch) {
case 'E': case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg); fingerprint_hash = ssh_digest_alg_by_name(optarg);
@ -1261,6 +1280,11 @@ main(int ac, char **av)
case 'k': case 'k':
k_flag++; k_flag++;
break; break;
case 'P':
if (pkcs11_whitelist != NULL)
fatal("-P option already specified");
pkcs11_whitelist = xstrdup(optarg);
break;
case 's': case 's':
if (c_flag) if (c_flag)
usage(); usage();
@ -1298,6 +1322,9 @@ main(int ac, char **av)
if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag)) if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
usage(); usage();
if (pkcs11_whitelist == NULL)
pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
if (ac == 0 && !c_flag && !s_flag) { if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL"); shell = getenv("SHELL");
if (shell != NULL && (len = strlen(shell)) > 2 && if (shell != NULL && (len = strlen(shell)) > 2 &&
@ -1445,7 +1472,7 @@ main(int ac, char **av)
signal(SIGTERM, cleanup_handler); signal(SIGTERM, cleanup_handler);
nalloc = 0; nalloc = 0;
if (pledge("stdio cpath unix id proc exec", NULL) == -1) if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno)); fatal("%s: pledge: %s", __progname, strerror(errno));
platform_pledge_agent(); platform_pledge_agent();
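Review bot: The whitelist test in process_add_smartcard_key, `if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1)`, relies on a return-value convention that is not stated in the hunk; if match_pattern_list follows the usual OpenSSH convention of returning 1 for a match, 0 for no match and -1 for a negated match, the `!= 1` is exactly right but deserves a comment, since the man page hunk advertises pattern-list syntax with negation: `/* only an explicit positive match admits the provider; no match and a negated match both refuse it */`. A similar one-liner on the preceding `realpath()` call would record that the whitelist is applied to the canonical path so that symlinks or relative paths cannot route around it, and the `pledge()` change in the last hunk would read better with `/* rpath: realpath(3) in process_add_smartcard_key */` next to it. Both the beginning and the end of process_add_smartcard_key lie outside the hunk, so whether the `goto send` paths release `pin` and `provider` cannot be confirmed from here.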


@ -50,4 +50,4 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
# VerifyHostKeyDNS yes # VerifyHostKeyDNS yes
# VersionAddendum FreeBSD-20160310 # VersionAddendum FreeBSD-20161230


@ -1727,7 +1727,7 @@ See also VERIFYING HOST KEYS in
Specifies a string to append to the regular version string to identify Specifies a string to append to the regular version string to identify
OS- or site-specific modifications. OS- or site-specific modifications.
The default is The default is
.Dq FreeBSD-20160310 . .Dq FreeBSD-20161230 .
The value The value
.Dq none .Dq none
may be used to disable this. may be used to disable this.


@ -121,7 +121,7 @@
#PermitTunnel no #PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
#UseBlacklist no #UseBlacklist no
#VersionAddendum FreeBSD-20160310 #VersionAddendum FreeBSD-20161230
# no default banner path # no default banner path
#Banner none #Banner none


@ -1634,7 +1634,7 @@ The default is
Optionally specifies additional text to append to the SSH protocol banner Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection. sent by the server upon connection.
The default is The default is
.Dq FreeBSD-20160310 . .Dq FreeBSD-20161230 .
The value The value
.Dq none .Dq none
may be used to disable this. may be used to disable this.


@ -6,7 +6,7 @@
#define SSH_PORTABLE "p2" #define SSH_PORTABLE "p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
#define SSH_VERSION_FREEBSD "FreeBSD-20160310" #define SSH_VERSION_FREEBSD "FreeBSD-20161230"
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
#define OPENSSL_VERSION SSLeay_version(SSLEAY_VERSION) #define OPENSSL_VERSION SSLeay_version(SSLEAY_VERSION)