Blame SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch

f3993f
From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001
f3993f
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
f3993f
Date: Fri, 19 Jun 2020 11:59:33 +0200
f3993f
Subject: [PATCH] tests: Add test for CVE-2019-14889
f3993f
f3993f
The test checks if a command appended to the file path is not executed.
f3993f
f3993f
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
f3993f
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
f3993f
---
f3993f
 tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++
f3993f
 1 file changed, 84 insertions(+)
f3993f
f3993f
diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c
f3993f
index 8f080af3..59a00bae 100644
f3993f
--- a/tests/client/torture_scp.c
f3993f
+++ b/tests/client/torture_scp.c
f3993f
@@ -37,6 +37,7 @@
f3993f
 #define BUF_SIZE 1024
f3993f
 
f3993f
 #define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
f3993f
+#define ALICE_HOME BINARYDIR "/tests/home/alice"
f3993f
 
f3993f
 struct scp_st {
f3993f
     struct torture_state *s;
f3993f
@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)
f3993f
     fclose(file);
f3993f
 }
f3993f
 
f3993f
+static void torture_scp_upload_appended_command(void **state)
f3993f
+{
f3993f
+    struct scp_st *ts = NULL;
f3993f
+    struct torture_state *s = NULL;
f3993f
+
f3993f
+    ssh_session session = NULL;
f3993f
+    ssh_scp scp = NULL;
f3993f
+
f3993f
+    FILE *file = NULL;
f3993f
+
f3993f
+    char buf[1024];
f3993f
+    char *rs = NULL;
f3993f
+    int rc;
f3993f
+
f3993f
+    assert_non_null(state);
f3993f
+    ts = *state;
f3993f
+
f3993f
+    assert_non_null(ts->s);
f3993f
+    s = ts->s;
f3993f
+
f3993f
+    session = s->ssh.session;
f3993f
+    assert_non_null(session);
f3993f
+
f3993f
+    assert_non_null(ts->tmp_dir_basename);
f3993f
+    assert_non_null(ts->tmp_dir);
f3993f
+
f3993f
+    /* Upload a file path with a command appended */
f3993f
+
f3993f
+    /* Append a command to the file path */
f3993f
+    snprintf(buf, BUF_SIZE, "%s"
f3993f
+             "/;touch hack",
f3993f
+             ts->tmp_dir);
f3993f
+
f3993f
+    /* When writing the file_name must be the directory name */
f3993f
+    scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
f3993f
+                      buf);
f3993f
+    assert_non_null(scp);
f3993f
+
f3993f
+    rc = ssh_scp_init(scp);
f3993f
+    assert_ssh_return_code(session, rc);
f3993f
+
f3993f
+    /* Push directory where the new file will be copied */
f3993f
+    rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
f3993f
+    assert_ssh_return_code(session, rc);
f3993f
+
f3993f
+    /* Try to push file */
f3993f
+    rc = ssh_scp_push_file(scp, "original", 8, 0644);
f3993f
+    assert_ssh_return_code(session, rc);
f3993f
+
f3993f
+    rc = ssh_scp_write(scp, "original", 8);
f3993f
+    assert_ssh_return_code(session, rc);
f3993f
+
f3993f
+    /* Leave the directory */
f3993f
+    rc = ssh_scp_leave_directory(scp);
f3993f
+    assert_ssh_return_code(session, rc);
f3993f
+
f3993f
+    /* Cleanup */
f3993f
+    ssh_scp_close(scp);
f3993f
+    ssh_scp_free(scp);
f3993f
+
f3993f
+    /* Make sure the command was not executed */
f3993f
+    snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
f3993f
+    file = fopen(buf, "r");
f3993f
+    assert_null(file);
f3993f
+
f3993f
+    /* Open the file and check content */
f3993f
+    snprintf(buf, BUF_SIZE, "%s"
f3993f
+             "/;touch hack/original",
f3993f
+             ts->tmp_dir);
f3993f
+
f3993f
+    file = fopen(buf, "r");
f3993f
+    assert_non_null(file);
f3993f
+
f3993f
+    rs = fgets(buf, 1024, file);
f3993f
+    assert_non_null(rs);
f3993f
+    assert_string_equal(buf, "original");
f3993f
+
f3993f
+    fclose(file);
f3993f
+}
f3993f
+
f3993f
 int torture_run_tests(void)
f3993f
 {
f3993f
     int rc;
f3993f
@@ -559,6 +640,9 @@ int torture_run_tests(void)
f3993f
         cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
f3993f
                                         session_setup,
f3993f
                                         session_teardown),
f3993f
+        cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
f3993f
+                                        session_setup,
f3993f
+                                        session_teardown),
f3993f
     };
f3993f
 
f3993f
     ssh_init();
f3993f
-- 
f3993f
2.26.2
f3993f