packages/libssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libssh/backport-0001-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch

113 lines
4.2 KiB
Diff
Raw Permalink Blame History

From c2c56bacab00766d01671413321d564227aabf19 Mon Sep 17 00:00:00 2001
From: Norbert Pocs <norbertpocs0@gmail.com>
Date: Sun, 5 Nov 2023 13:12:47 +0100
Subject: [PATCH 01/20] CVE-2023-6004: torture_config: Allow multiple '@' in
usernames
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
tests/unittests/torture_config.c | 56 +++++++++++++++++---------------
1 file changed, 30 insertions(+), 26 deletions(-)
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index 406f1985..b7c763af 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -995,23 +995,22 @@ static void torture_config_proxyjump(void **state,
assert_string_equal(session->opts.ProxyCommand,
"ssh -W '[%h]:%p' 2620:52:0::fed");
- /* In this part, we try various other config files and strings. */
-
- /* Try to create some invalid configurations */
- /* Non-numeric port */
- config = "Host bad-port\n"
- "\tProxyJump jumpbox:22bad22\n";
+ /* Multiple @ is allowed in second jump */
+ config = "Host allowed-hostname\n"
+ "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
if (file != NULL) {
torture_write_file(file, config);
} else {
string = config;
}
torture_reset_config(session);
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
- _parse_config(session, file, string, SSH_ERROR);
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
+ _parse_config(session, file, string, SSH_OK);
+ assert_string_equal(session->opts.ProxyCommand,
+ "ssh -J user@principal.com@jumpbox:22 -W '[%h]:%p' localhost");
- /* Too many @ */
- config = "Host bad-hostname\n"
+ /* Multiple @ is allowed */
+ config = "Host allowed-hostname\n"
"\tProxyJump user@principal.com@jumpbox:22\n";
if (file != NULL) {
torture_write_file(file, config);
@@ -1019,7 +1018,24 @@ static void torture_config_proxyjump(void **state,
string = config;
}
torture_reset_config(session);
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
+ _parse_config(session, file, string, SSH_OK);
+ assert_string_equal(session->opts.ProxyCommand,
+ "ssh -l user@principal.com -p 22 -W '[%h]:%p' jumpbox");
+
+ /* In this part, we try various other config files and strings. */
+
+ /* Try to create some invalid configurations */
+ /* Non-numeric port */
+ config = "Host bad-port\n"
+ "\tProxyJump jumpbox:22bad22\n";
+ if (file != NULL) {
+ torture_write_file(file, config);
+ } else {
+ string = config;
+ }
+ torture_reset_config(session);
+ ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
_parse_config(session, file, string, SSH_ERROR);
/* Braces mismatch in hostname */
@@ -1094,18 +1110,6 @@ static void torture_config_proxyjump(void **state,
ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port-2");
_parse_config(session, file, string, SSH_ERROR);
- /* Too many @ in second jump */
- config = "Host bad-hostname\n"
- "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
- if (file != NULL) {
- torture_write_file(file, config);
- } else {
- string = config;
- }
- torture_reset_config(session);
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
- _parse_config(session, file, string, SSH_ERROR);
-
/* Braces mismatch in second jump */
config = "Host mismatch\n"
"\tProxyJump localhost,[::1:20\n";
@@ -1448,10 +1452,10 @@ static void torture_config_parser_get_cmd(void **state)
} else if (pid == 0) {
ssh_execute_command(tok, fileno(outfile), fileno(outfile));
/* Does not return */
- } else {
- /* parent
+ } else {
+ /* parent
* wait child process */
- wait(NULL);
+ wait(NULL);
infile = fopen("output.log", "r");
assert_non_null(infile);
p = fgets(buffer, sizeof(buffer), infile);
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink