[openssh/f19] ignore environment variables with embedded '=' or '\0' characters (#1077843) CVE-2014-2532
plautrba
plautrba at fedoraproject.org
Mon May 19 14:05:33 UTC 2014
commit 8e4734d19064f4697e7fb009ec3d977bc5c1391f
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Thu May 15 09:55:25 2014 +0200
ignore environment variables with embedded '=' or '\0' characters (#1077843)
CVE-2014-2532
openssh-6.2p2-ignore-bad-env-var.patch | 37 ++++++++++++++++++++++++++++++++
openssh.spec | 3 ++
2 files changed, 40 insertions(+), 0 deletions(-)
---
diff --git a/openssh-6.2p2-ignore-bad-env-var.patch b/openssh-6.2p2-ignore-bad-env-var.patch
new file mode 100644
index 0000000..3bb49c2
--- /dev/null
+++ b/openssh-6.2p2-ignore-bad-env-var.patch
@@ -0,0 +1,37 @@
+diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
+--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
++++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
+@@ -0,0 +1,7 @@
++20140304
++ - OpenBSD CVS Sync
++ - djm at cvs.openbsd.org 2014/03/03 22:22:30
++ [session.c]
++ ignore enviornment variables with embedded '=' or '\0' characters;
++ spotted by Jann Horn; ok deraadt@
++
+diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
+--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
++++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
+@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
+ u_int envsize;
+ u_int i, namelen;
+
++ if (strchr(name, '=') != NULL) {
++ error("Invalid environment variable \"%.100s\"", name);
++ return;
++ }
++
+ /*
+ * If we're passed an uninitialized list, allocate a single null
+ * entry before continuing.
+@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
+ char *name, *val;
+ u_int name_len, val_len, i;
+
+- name = packet_get_string(&name_len);
+- val = packet_get_string(&val_len);
++ name = packet_get_cstring(&name_len);
++ val = packet_get_cstring(&val_len);
+ packet_check_eom();
+
+ /* Don't set too many environment variables */
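Review bot: The `strchr(name, '=')` guard in child_set_env rejects a bad name only when the environment array is built, so a request whose name contains '=' can presumably still pass the AcceptEnv pattern match in session_env_req and be stored before it is dropped; both function bodies continue outside the hunks, so this is inferred. Consider repeating the check in session_env_req right after `packet_check_eom();`, so the request is refused before matching and the client gets a failure instead of a variable that silently never appears. The guard also deserves a comment explaining why, e.g. `/* a name containing '=' is read back under a shorter name, bypassing AcceptEnv matching */`. As far as the hunk shows, an empty name is not rejected either; `name[0] == '\0'` could be added to the same condition.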
diff --git a/openssh.spec b/openssh.spec
index 0d7cd61..c7de73e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -196,6 +196,8 @@ Patch912: openssh-6.2p2-fromto-remote.patch
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
# dialog by offering only certificate keys. (#1081338)
Patch913: openssh-6.2p2-CVE-2014-2653.patch
+# ignore environment variables with embedded '=' or '\0' characters (#1077843)
+Patch914: openssh-6.2p2-ignore-bad-env-var.patch
License: BSD
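Review bot: The comment added above `Patch914` omits the CVE identifier, although the commit message names CVE-2014-2532 and the neighbouring `Patch913` carries its CVE in the file name, so someone auditing the spec for fixed CVEs will not find this one by searching. Suggest `# ignore environment variables with embedded '=' or '\0' characters (#1077843) CVE-2014-2532`. The patch file is named 6.2p2 while the paths inside it reference openssh-6.4p1; if that mismatch is intentional, the comment is the place to say so.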
@@ -422,6 +424,7 @@ popd
%patch911 -p1 -b .legacy-ssh-copy-id
%patch912 -p1 -b .fromto-remote
%patch913 -p1 -b .CVE-2014-2653
+%patch914 -p1 -b .bad-env-var
%if 0
# Nothing here yet