Mercurial > dropbear
changeset 1247:428d83f2e5db
merge github master
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 10 Mar 2016 21:37:35 +0800 |
parents | 11f645c3715b (diff) 1df4a0a162d7 (current diff) |
children | 739b3909c499 |
files | svr-x11fwd.c |
diffstat | 7 files changed, 57 insertions(+), 13 deletions(-) [+] |
line wrap: on
line diff
--- a/.hgsigs Wed Jan 20 21:36:58 2016 +0800 +++ b/.hgsigs Thu Mar 10 21:37:35 2016 +0800 @@ -19,3 +19,4 @@ af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe 5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL 926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW +fd1981f41c626a969f07b4823848deaefef3c8aa 0 iQIcBAABCgAGBQJW4W2TAAoJEESTFJTynGdzuOcP/j6tvB2WRwSj39KoJuRcRebFWWv4ZHiQXYMXWa3X0Ppzz52r9W0cXDjjlp5FyGdovCQsK+IXmjPo5cCvWBrZJYA6usFr9ssnUtTC+45lvPxPYwj47ZGPngCXDt7LD+v08XhqCu4LsctXIP/zejd30KVS1eR2RHI+tnEyaIKC0Xaa0igcv74MZX7Q8/U+B730QMX5adfYAHoeyRhoctRWaxVV3To7Vadd9jNXP45MRY5auhRcK7XyQcS85vJeCRoysfDUas4ERRQWYkX+68GyzO9GrkYFle931Akw2K6ZZfUuiC2TrF5xv1eRP1Zm2GX481U4ZGFTI8IzZL8sVQ6tvzq2Mxsecu589JNui9aB2d8Gp2Su/E2zn0h0ShIRmviGzf2HiBt+Bnji5X2h/fJKWbLaWge0MdOU5Jidfyh9k0YT7xo4piJLJYSaZ3nv+j4jTYnTfL7uYvuWbYkJ1T32aQVCan7Eup3BFAgQjzbWYi1XQVg6fvu8uHPpS3tNNA9EAMeeyTyg1l6zI2EIU5gPfd/dKmdyotY2lZBkFZNJqFkKRZuzjWekcw7hAxS+Bd68GKklt/DGrQiVycAgimqwXrfkzzQagawq2fXL2uXB8ghlsyxKLSQPnAtBF2Jcn5FH2z7HOQ+e18ZrFfNy0cYa/4OdH6K5aK1igTzhZZP2Urn0
--- a/.hgtags Wed Jan 20 21:36:58 2016 +0800 +++ b/.hgtags Thu Mar 10 21:37:35 2016 +0800 @@ -51,3 +51,4 @@ 1637dbd262124d113e52967df46afd6c715e4fad DROPBEAR_2015.69 79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70 9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71 +78b12b6549be08b0bea3da329b2578060a76ca31 DROPBEAR_2016.72
--- a/CHANGES Wed Jan 20 21:36:58 2016 +0800 +++ b/CHANGES Thu Mar 10 21:37:35 2016 +0800 @@ -1,3 +1,8 @@ +2016.72 - 9 March 2016 + +- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, + found by github.com/tintinweb. Thanks for Damien Miller for a patch. + 2015.71 - 3 December 2015 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
--- a/dbmulti.c Wed Jan 20 21:36:58 2016 +0800 +++ b/dbmulti.c Thu Mar 10 21:37:35 2016 +0800 @@ -26,17 +26,13 @@ /* definitions are cleanest if we just put them here */ int dropbear_main(int argc, char ** argv); +int cli_main(int argc, char ** argv); int dropbearkey_main(int argc, char ** argv); int dropbearconvert_main(int argc, char ** argv); int scp_main(int argc, char ** argv); -int main(int argc, char ** argv) { - - char * progname; - - if (argc > 0) { - /* figure which form we're being called as */ - progname = basename(argv[0]); +static int runprog(const char *progname, int argc, char ** argv, int *match) { + *match = DROPBEAR_SUCCESS; #ifdef DBMULTI_dropbear if (strcmp(progname, "dropbear") == 0) { @@ -64,10 +60,28 @@ return scp_main(argc, argv); } #endif + *match = DROPBEAR_FAILURE; + return 1; +} + +int main(int argc, char ** argv) { + int i; + for (i = 0; i < 2; i++) { + /* Try symlink first, then try as an argument eg "dropbearmulti dbclient host ..." */ + if (argc > i) { + int match, res; + /* figure which form we're being called as */ + const char* progname = basename(argv[i]); + res = runprog(progname, argc-i, &argv[i], &match); + if (match == DROPBEAR_SUCCESS) { + return res; + } + } } fprintf(stderr, "Dropbear SSH multi-purpose v%s\n" - "Make a symlink pointing at this binary with one of the following names:\n" + "Make a symlink pointing at this binary with one of the\n" + "following names or run 'dropbearmulti <command>'.\n" #ifdef DBMULTI_dropbear "'dropbear' - the Dropbear server\n" #endif
--- a/debian/changelog Wed Jan 20 21:36:58 2016 +0800 +++ b/debian/changelog Thu Mar 10 21:37:35 2016 +0800 @@ -1,8 +1,8 @@ -dropbear (2015.71-0.1) unstable; urgency=low +dropbear (2016.72-0.1) unstable; urgency=low * New upstream release. - -- Matt Johnston <[email protected]> Thu, 3 Dec 2015 22:52:58 +0800 + -- Matt Johnston <[email protected]> Wed, 10 Mar 2016 22:52:58 +0800 dropbear (2015.70-0.1) unstable; urgency=low
--- a/svr-x11fwd.c Wed Jan 20 21:36:58 2016 +0800 +++ b/svr-x11fwd.c Thu Mar 10 21:37:35 2016 +0800 @@ -42,11 +42,29 @@ static int bindport(int fd); static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); +/* Check untrusted xauth strings for metacharacters */ +/* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum(s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') { + return DROPBEAR_FAILURE; + } + } + return DROPBEAR_SUCCESS; +} + + /* called as a request for a session channel, sets up listening X11 */ /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ int x11req(struct ChanSess * chansess) { - int fd; + int fd = -1; if (!svr_pubkey_allows_x11fwd()) { return DROPBEAR_FAILURE; @@ -62,6 +80,11 @@ chansess->x11authcookie = buf_getstring(ses.payload, NULL); chansess->x11screennum = buf_getint(ses.payload); + if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE || + xauth_valid_string(chansess->x11authcookie) == DROPBEAR_FAILURE) { + dropbear_log(LOG_WARNING, "Bad xauth request"); + goto fail; + } /* create listening socket */ fd = socket(PF_INET, SOCK_STREAM, 0); if (fd < 0) { @@ -159,7 +182,7 @@ return; } - /* popen is a nice function - code is strongly based on OpenSSH's */ + /* code is strongly based on OpenSSH's */ authprog = popen(XAUTH_COMMAND, "w"); if (authprog) { fprintf(authprog, "add %s %s %s\n",
--- a/sysoptions.h Wed Jan 20 21:36:58 2016 +0800 +++ b/sysoptions.h Thu Mar 10 21:37:35 2016 +0800 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2015.71" +#define DROPBEAR_VERSION "2016.72" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION