e8b9919265
- Fix preauth seccomp separation on mainframes (bsc#1016709) [openssh-7.2p2-s390_hw_crypto_syscalls.patch] [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch] - enable case-insensitive hostname matching (bsc#1017099) [openssh-7.2p2-ssh_case_insensitive_host_matching.patch] - add CAVS tests [openssh-7.2p2-cavstest-ctr.patch] [openssh-7.2p2-cavstest-kdf.patch] - Adding missing pieces for user matching (bsc#1021626) - Properly verify CIDR masks in configuration (bsc#1005893) [openssh-7.2p2-verify_CIDR_address_ranges.patch] - Remove pre-auth compression support from the server to prevent possible cryptographic attacks. (CVE-2016-10012, bsc#1016370) [openssh-7.2p2-disable_preauth_compression.patch] - limit directories for loading PKCS11 modules (CVE-2016-10009, bsc#1016366) [openssh-7.2p2-restrict_pkcs11-modules.patch] - Prevent possible leaks of host private keys to low-privilege process handling authentication (CVE-2016-10011, bsc#1016369) [openssh-7.2p2-prevent_private_key_leakage.patch] - Do not allow unix socket forwarding when running without privilege separation (CVE-2016-10010, bsc#1016368) [openssh-7.2p2-secure_unix_sockets_forwarding.patch] - prevent resource depletion during key exchange (bsc#1005480, CVE-2016-8858) [openssh-7.2p2-kex_resource_depletion.patch] OBS-URL: https://build.opensuse.org/request/show/500279 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
# HG changeset patch
|
|
# Parent 1b2dad1b57b086d094fe09327fcf1c490475a7cd
|
|
Check for invalid CIDR address masks.
|
|
bsc#1005893
|
|
|
|
backported upstream commit: 010359b32659f455fddd2bd85fd7cc4d7a3b994a (7.4)
|
|
backported upstream commit: 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
|
|
backported upstream commit: fe06b68f824f8f55670442fb31f2c03526dd326c
|
|
|
|
diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
|
|
--- a/openssh-7.2p2/auth.c
|
|
+++ b/openssh-7.2p2/auth.c
|
|
@@ -95,16 +95,17 @@ int auth_debug_init;
|
|
* Otherwise true is returned.
|
|
*/
|
|
int
|
|
allowed_user(struct passwd * pw)
|
|
{
|
|
struct stat st;
|
|
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
|
u_int i;
|
|
+ int r;
|
|
#ifdef USE_SHADOW
|
|
struct spwd *spw = NULL;
|
|
#endif
|
|
|
|
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
|
if (!pw || !pw->pw_name)
|
|
return 0;
|
|
|
|
@@ -183,31 +184,41 @@ allowed_user(struct passwd * pw)
|
|
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
|
|
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
|
|
hostname = get_canonical_hostname(options.use_dns);
|
|
ipaddr = get_remote_ipaddr();
|
|
}
|
|
|
|
/* Return false if user is listed in DenyUsers */
|
|
if (options.num_deny_users > 0) {
|
|
- for (i = 0; i < options.num_deny_users; i++)
|
|
- if (match_user(pw->pw_name, hostname, ipaddr,
|
|
- options.deny_users[i])) {
|
|
+ for (i = 0; i < options.num_deny_users; i++) {
|
|
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
|
+ options.deny_users[i]);
|
|
+ if (r < 0) {
|
|
+ fatal("Invalid DenyUsers pattern \"%.100s\"",
|
|
+ options.deny_users[i]);
|
|
+ } else if (r != 0) {
|
|
logit("User %.100s from %.100s not allowed "
|
|
"because listed in DenyUsers",
|
|
pw->pw_name, hostname);
|
|
return 0;
|
|
}
|
|
+ }
|
|
}
|
|
/* Return false if AllowUsers isn't empty and user isn't listed there */
|
|
if (options.num_allow_users > 0) {
|
|
- for (i = 0; i < options.num_allow_users; i++)
|
|
- if (match_user(pw->pw_name, hostname, ipaddr,
|
|
- options.allow_users[i]))
|
|
+ for (i = 0; i < options.num_allow_users; i++) {
|
|
+ r = match_user(pw->pw_name, hostname, ipaddr,
|
|
+ options.allow_users[i]);
|
|
+ if (r < 0) {
|
|
+ fatal("Invalid AllowUsers pattern \"%.100s\"",
|
|
+ options.allow_users[i]);
|
|
+ } else if (r == 1)
|
|
break;
|
|
+ }
|
|
/* i < options.num_allow_users iff we break for loop */
|
|
if (i >= options.num_allow_users) {
|
|
logit("User %.100s from %.100s not allowed because "
|
|
"not listed in AllowUsers", pw->pw_name, hostname);
|
|
return 0;
|
|
}
|
|
}
|
|
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
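Review bot: The two rewritten loops test the match result differently: the DenyUsers loop treats any `r != 0` as a match, while the AllowUsers loop requires `r == 1`. Both consume the same match_user(), whose documented results are -1, 0 and 1, so using `} else if (r == 1) {` in the DenyUsers branch too would make the intent uniform and keep any future positive value other than 1 from silently diverging between the two lists. The fatal() calls are reachable only if an invalid pattern survived configuration parsing, which servconf.c now rejects at load time; a short comment such as `/* patterns are validated at config load, so -1 here should not happen */` above each fatal() would explain why aborting, rather than denying the user, is the chosen response. allowed_user() starts before and ends after this hunk.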
|
|
diff --git a/openssh-7.2p2/match.c b/openssh-7.2p2/match.c
|
|
--- a/openssh-7.2p2/match.c
|
|
+++ b/openssh-7.2p2/match.c
|
|
@@ -186,41 +186,50 @@ match_hostname(const char *host, const c
|
|
* successful match.
|
|
*/
|
|
int
|
|
match_host_and_ip(const char *host, const char *ipaddr,
|
|
const char *patterns)
|
|
{
|
|
int mhost, mip;
|
|
|
|
- /* error in ipaddr match */
|
|
if ((mip = addr_match_list(ipaddr, patterns)) == -2)
|
|
- return -1;
|
|
- else if (mip == -1) /* negative ip address match */
|
|
- return 0;
|
|
+ return -1; /* error in ipaddr match */
|
|
+ else if (host == NULL || ipaddr == NULL || mip == -1)
|
|
+ return 0; /* negative ip address match, or testing pattern */
|
|
|
|
/* negative hostname match */
|
|
if ((mhost = match_hostname(host, patterns)) == -1)
|
|
return 0;
|
|
/* no match at all */
|
|
if (mhost == 0 && mip == 0)
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
|
|
+ * Match user, user@host_or_ip, user@host_or_ip_list against pattern.
|
|
+ * If user, host and ipaddr are all NULL then validate pattern/
|
|
+ * Returns -1 on invalid pattern, 0 on no match, 1 on match.
|
|
*/
|
|
int
|
|
match_user(const char *user, const char *host, const char *ipaddr,
|
|
const char *pattern)
|
|
{
|
|
char *p, *pat;
|
|
int ret;
|
|
|
|
+ /* test mode */
|
|
+ if (user == NULL && host == NULL && ipaddr == NULL) {
|
|
+ if ((p = strchr(pattern, '@')) != NULL &&
|
|
+ match_host_and_ip(NULL, NULL, p + 1) < 0)
|
|
+ return -1;
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if ((p = strchr(pattern,'@')) == NULL)
|
|
return match_pattern(user, pattern);
|
|
|
|
pat = xstrdup(pattern);
|
|
p = strchr(pat, '@');
|
|
*p++ = '\0';
|
|
|
|
if ((ret = match_pattern(user, pat)) == 1)
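Review bot: The new header comment ends the second line with a stray slash; it should read `* If user, host and ipaddr are all NULL then validate pattern.` Test mode only examines the text after the first '@', so a pattern without '@' is always accepted; that is consistent with match_pattern() having no error return, but it is worth stating next to the test-mode block, e.g. `/* test mode: only the host/address list after '@' can be invalid */`. The validation path reaches addr_match_list() in match_host_and_ip() with a NULL address, which requires addr_match_list() to tolerate NULL — the hunk does not show that, so confirm it against addrmatch.c. match_user() continues past the end of the hunk.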
|
|
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
|
--- a/openssh-7.2p2/servconf.c
|
|
+++ b/openssh-7.2p2/servconf.c
|
|
@@ -1462,28 +1462,34 @@ process_server_config_line(ServerOptions
|
|
multistate_ptr = multistate_privsep;
|
|
goto parse_multistate;
|
|
|
|
case sAllowUsers:
|
|
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
|
fatal("%s line %d: too many allow users.",
|
|
filename, linenum);
|
|
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
|
+ fatal("%s line %d: invalid AllowUsers pattern: "
|
|
+ "\"%.100s\"", filename, linenum, arg);
|
|
if (!*activep)
|
|
continue;
|
|
options->allow_users[options->num_allow_users++] =
|
|
xstrdup(arg);
|
|
}
|
|
break;
|
|
|
|
case sDenyUsers:
|
|
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
if (options->num_deny_users >= MAX_DENY_USERS)
|
|
fatal("%s line %d: too many deny users.",
|
|
filename, linenum);
|
|
+ if (match_user(NULL, NULL, NULL, arg) == -1)
|
|
+ fatal("%s line %d: invalid DenyUsers pattern: "
|
|
+ "\"%.100s\"", filename, linenum, arg);
|
|
if (!*activep)
|
|
continue;
|
|
options->deny_users[options->num_deny_users++] =
|
|
xstrdup(arg);
|
|
}
|
|
break;
|
|
|
|
case sAllowGroups:
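Review bot: The new match_user() check runs before the `if (!*activep) continue;` test, so patterns inside Match blocks that do not apply to the current connection are also rejected at load time; that is the right choice for `sshd -t` to catch them, but it is not obvious from the code, so a comment such as `/* validate even in inactive Match blocks so a bad pattern fails at load */` above each check would preserve the reasoning. The same three lines are duplicated for AllowUsers and DenyUsers; a small static helper taking the option name would keep the two error messages in step. The comparison `== -1` here differs from the `r < 0` form used for the same return value in auth.c; either works, but one form across the two files would be easier to audit.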
|