[oe-core][kirkstone][PATCH 2/2] openssh: fix CVE-2023-51385

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli <archana.polampa...@windriver.com>

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or
host name has shell metacharacters, and this name is referenced by an expansion
token in certain situations. For example, an untrusted Git repository can have a
submodule with shell metacharacters in a user name or host name.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385

Upstream patches:
https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a

Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
---
 .../openssh/openssh/CVE-2023-51385.patch      | 97 +++++++++++++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 0000000000..b8e6813857
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,97 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+ This makes ssh(1) refuse user or host names provided on the commandline that
+ contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+CVE: CVE-2023-51385
+
+Upstream-Status: Backport
+[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+
+Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
+---
+ ssh.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index 8ff9788..82ed15f 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -611,6 +611,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
+       free(cinfo);
+ }
+
++static int
++valid_hostname(const char *s)
++{
++      size_t i;
++
++      if (*s == '-')
++              return 0;
++      for (i = 0; s[i] != 0; i++) {
++              if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++                  isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++                      return 0;
++      }
++      return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++      size_t i;
++
++      if (*s == '-')
++              return 0;
++      for (i = 0; s[i] != 0; i++) {
++              if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++                      return 0;
++              /* Disallow '-' after whitespace */
++              if (isspace((u_char)s[i]) && s[i + 1] == '-')
++                      return 0;
++              /* Disallow \ in last position */
++              if (s[i] == '\\' && s[i + 1] == '\0')
++                      return 0;
++      }
++      return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1097,6 +1132,10 @@ main(int ac, char **av)
+       if (!host)
+               usage();
+
++      if (!valid_hostname(host))
++              fatal("hostname contains invalid characters");
++      if (options.user != NULL && !valid_ruser(options.user))
++              fatal("remote username contains invalid characters");
+       host_arg = xstrdup(host);
+
+       /* Initialize the command to execute on remote host. */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 3860899540..bc8e2d81b8 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -35,6 +35,7 @@ SRC_URI = 
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://fix-authorized-principals-command.patch \
            file://CVE-2023-48795.patch \
            file://CVE-2023-51384.patch \
+           file://CVE-2023-51385.patch \
            "
 SRC_URI[sha256sum] = 
"fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192975): 
https://lists.openembedded.org/g/openembedded-core/message/192975
Mute This Topic: https://lists.openembedded.org/mt/103397336/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-