# HG changeset patch # User Matt Johnston # Date 1457614667 -28800 # Node ID 32cdbbe4b67e59e295f8d568fcf09b89c5c1649c # Parent f7f2c37142694c491bf9f34e0362036a33f47c0d# Parent fecf384654523d389bae9357a98f94d2ea038b80 merge 2016.72 diff -r f7f2c3714269 -r 32cdbbe4b67e .hgsigs --- a/.hgsigs Tue Jan 19 00:34:37 2016 +0800 +++ b/.hgsigs Thu Mar 10 20:57:47 2016 +0800 @@ -19,3 +19,4 @@ af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe 5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL 926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW +fd1981f41c626a969f07b4823848deaefef3c8aa 0 iQIcBAABCgAGBQJW4W2TAAoJEESTFJTynGdzuOcP/j6tvB2WRwSj39KoJuRcRebFWWv4ZHiQXYMXWa3X0Ppzz52r9W0cXDjjlp5FyGdovCQsK+IXmjPo5cCvWBrZJYA6usFr9ssnUtTC+45lvPxPYwj47ZGPngCXDt7LD+v08XhqCu4LsctXIP/zejd30KVS1eR2RHI+tnEyaIKC0Xaa0igcv74MZX7Q8/U+B730QMX5adfYAHoeyRhoctRWaxVV3To7Vadd9jNXP45MRY5auhRcK7XyQcS85vJeCRoysfDUas4ERRQWYkX+68GyzO9GrkYFle931Akw2K6ZZfUuiC2TrF5xv1eRP1Zm2GX481U4ZGFTI8IzZL8sVQ6tvzq2Mxsecu589JNui9aB2d8Gp2Su/E2zn0h0ShIRmviGzf2HiBt+Bnji5X2h/fJKWbLaWge0MdOU5Jidfyh9k0YT7xo4piJLJYSaZ3nv+j4jTYnTfL7uYvuWbYkJ1T32aQVCan7Eup3BFAgQjzbWYi1XQVg6fvu8uHPpS3tNNA9EAMeeyTyg1l6zI2EIU5gPfd/dKmdyotY2lZBkFZNJqFkKRZuzjWekcw7hAxS+Bd68GKklt/DGrQiVycAgimqwXrfkzzQagawq2fXL2uXB8ghlsyxKLSQPnAtBF2Jcn5FH2z7HOQ+e18ZrFfNy0cYa/4OdH6K5aK1igTzhZZP2Urn0 diff -r f7f2c3714269 -r 32cdbbe4b67e .hgtags --- a/.hgtags Tue Jan 19 00:34:37 2016 +0800 +++ b/.hgtags Thu Mar 10 20:57:47 2016 +0800 @@ -51,3 +51,4 @@ 1637dbd262124d113e52967df46afd6c715e4fad DROPBEAR_2015.69 79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70 9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71 +78b12b6549be08b0bea3da329b2578060a76ca31 DROPBEAR_2016.72 diff -r f7f2c3714269 -r 32cdbbe4b67e CHANGES --- a/CHANGES Tue Jan 19 00:34:37 2016 +0800 +++ b/CHANGES Thu Mar 10 20:57:47 2016 +0800 @@ -1,3 +1,8 @@ +2016.72 - 9 March 2016 + +- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, + found by github.com/tintinweb. Thanks for Damien Miller for a patch. + 2015.71 - 3 December 2015 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 diff -r f7f2c3714269 -r 32cdbbe4b67e debian/changelog --- a/debian/changelog Tue Jan 19 00:34:37 2016 +0800 +++ b/debian/changelog Thu Mar 10 20:57:47 2016 +0800 @@ -1,8 +1,8 @@ -dropbear (2015.71-0.1) unstable; urgency=low +dropbear (2016.72-0.1) unstable; urgency=low * New upstream release. - -- Matt Johnston Thu, 3 Dec 2015 22:52:58 +0800 + -- Matt Johnston Wed, 10 Mar 2016 22:52:58 +0800 dropbear (2015.70-0.1) unstable; urgency=low diff -r f7f2c3714269 -r 32cdbbe4b67e svr-x11fwd.c --- a/svr-x11fwd.c Tue Jan 19 00:34:37 2016 +0800 +++ b/svr-x11fwd.c Thu Mar 10 20:57:47 2016 +0800 @@ -42,11 +42,29 @@ static int bindport(int fd); static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); +/* Check untrusted xauth strings for metacharacters */ +/* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum(s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') { + return DROPBEAR_FAILURE; + } + } + return DROPBEAR_SUCCESS; +} + + /* called as a request for a session channel, sets up listening X11 */ /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ int x11req(struct ChanSess * chansess) { - int fd; + int fd = -1; if (!svr_pubkey_allows_x11fwd()) { return DROPBEAR_FAILURE; @@ -62,6 +80,11 @@ chansess->x11authcookie = buf_getstring(ses.payload, NULL); chansess->x11screennum = buf_getint(ses.payload); + if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE || + xauth_valid_string(chansess->x11authcookie) == DROPBEAR_FAILURE) { + dropbear_log(LOG_WARNING, "Bad xauth request"); + goto fail; + } /* create listening socket */ fd = socket(PF_INET, SOCK_STREAM, 0); if (fd < 0) { @@ -159,7 +182,7 @@ return; } - /* popen is a nice function - code is strongly based on OpenSSH's */ + /* code is strongly based on OpenSSH's */ authprog = popen(XAUTH_COMMAND, "w"); if (authprog) { fprintf(authprog, "add %s %s %s\n", diff -r f7f2c3714269 -r 32cdbbe4b67e sysoptions.h --- a/sysoptions.h Tue Jan 19 00:34:37 2016 +0800 +++ b/sysoptions.h Thu Mar 10 20:57:47 2016 +0800 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2015.71" +#define DROPBEAR_VERSION "2016.72" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION