From 8f8619e1e639556acfcbcc3c93056b87cb6c2840 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: May 15 2014 08:24:04 +0000 Subject: ignore environment variables with embedded '=' or '\0' characters (#1077843) CVE-2014-2532 --- diff --git a/openssh-6.4p1-ignore-bad-env-var.patch b/openssh-6.4p1-ignore-bad-env-var.patch new file mode 100644 index 0000000..3bb49c2 --- /dev/null +++ b/openssh-6.4p1-ignore-bad-env-var.patch @@ -0,0 +1,37 @@ +diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog +--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100 ++++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100 +@@ -0,0 +1,7 @@ ++20140304 ++ - OpenBSD CVS Sync ++ - djm@cvs.openbsd.org 2014/03/03 22:22:30 ++ [session.c] ++ ignore enviornment variables with embedded '=' or '\0' characters; ++ spotted by Jann Horn; ok deraadt@ ++ +diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c +--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100 ++++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100 +@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi + u_int envsize; + u_int i, namelen; + ++ if (strchr(name, '=') != NULL) { ++ error("Invalid environment variable \"%.100s\"", name); ++ return; ++ } ++ + /* + * If we're passed an uninitialized list, allocate a single null + * entry before continuing. +@@ -2255,8 +2260,8 @@ session_env_req(Session *s) + char *name, *val; + u_int name_len, val_len, i; + +- name = packet_get_string(&name_len); +- val = packet_get_string(&val_len); ++ name = packet_get_cstring(&name_len); ++ val = packet_get_cstring(&val_len); + packet_check_eom(); + + /* Don't set too many environment variables */ diff --git a/openssh.spec b/openssh.spec index 5b78b54..37d757a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -193,6 +193,8 @@ Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch # Prevents a server from skipping SSHFP lookup and forcing a new-hostkey # dialog by offering only certificate keys. (#1081338) Patch908: openssh-6.4p1-CVE-2014-2653.patch +# ignore environment variables with embedded '=' or '\0' characters (#1077843) +Patch909: openssh-6.4p1-ignore-bad-env-var.patch License: BSD @@ -420,6 +422,7 @@ popd %patch906 -p1 -b .fromto-remote %patch907 -p1 -b .CLOCK_BOOTTIME %patch908 -p1 -b .CVE-2014-2653 +%patch909 -p1 -b .bad-env-var %if 0 # Nothing here yet