!43 add strict-scp-check for CVE-2020-15778

From: @seuzw
Reviewed-by: @wangxp006
Signed-off-by: @wangxp006

add-strict-scp-check-for-CVE-2020-15778.patch

@@ -0,0 +1,159 @@
+From 2e0b74242220a97926d006719d1ac6e113918e2b Mon Sep 17 00:00:00 2001
+From: seuzw <930zhaowei@163.com>
+Date: Thu, 20 May 2021 20:23:30 +0800
+Subject: [PATCH] add strict-scp-check for CVE-2020-15778
+
+---
+ servconf.c | 12 ++++++++++++
+ servconf.h |  1 +
+ session.c  | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 63 insertions(+)
+
+diff --git a/servconf.c b/servconf.c
+index 76147f9..4e0401f 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -90,6 +90,7 @@ initialize_server_options(ServerOptions *options)
+ {
+ 	memset(options, 0, sizeof(*options));
+ 
++	options->strict_scp_check = -1;
+ 	/* Portable-specific options */
+ 	options->use_pam = -1;
+ 
+@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
+ 		    _PATH_HOST_XMSS_KEY_FILE, 0);
+ #endif /* WITH_XMSS */
+ 	}
++	if (options->strict_scp_check == -1)
++		options->strict_scp_check = 0;
+ 	/* No certificates by default */
+ 	if (options->num_ports == 0)
+ 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+@@ -540,6 +543,7 @@ fill_default_server_options(ServerOptions *options)
+ /* Keyword tokens. */
+ typedef enum {
+ 	sBadOption,		/* == unknown option */
++	sStrictScpCheck,
+ 	/* Portable-specific options */
+ 	sUsePAM,
+ 	/* Standard Options */
+@@ -598,6 +602,7 @@ static struct {
+ #else
+ 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+ #endif
++	{ "strictscpcheck", sStrictScpCheck, SSHCFG_GLOBAL },
+ 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
+ 	/* Standard Options */
+ 	{ "port", sPort, SSHCFG_GLOBAL },
+@@ -1372,6 +1377,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ 	/* Standard Options */
+ 	case sBadOption:
+ 		return -1;
++
++	case sStrictScpCheck:
++		intptr = &options->strict_scp_check;
++		goto parse_flag;
++
+ 	case sPort:
+ 		/* ignore ports from configfile if cmdline specifies ports */
+ 		if (options->ports_from_cmdline)
+@@ -2556,6 +2566,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ 		dst->n = src->n; \
+ } while (0)
+ 
++	M_CP_INTOPT(strict_scp_check);
+ 	M_CP_INTOPT(password_authentication);
+ 	M_CP_INTOPT(gss_authentication);
+ 	M_CP_INTOPT(pubkey_authentication);
+@@ -2846,6 +2857,7 @@ dump_config(ServerOptions *o)
+ #ifdef USE_PAM
+ 	dump_cfg_fmtint(sUsePAM, o->use_pam);
+ #endif
++	dump_cfg_fmtint(sStrictScpCheck, o->strict_scp_check);
+ 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
+ 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
+ 	dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
+diff --git a/servconf.h b/servconf.h
+index 2c16b5a..e37dc25 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -192,6 +192,7 @@ typedef struct {
+ 					 * disconnect the session
+ 					 */
+ 
++	int	strict_scp_check;
+ 	u_int	num_authkeys_files;	/* Files containing public keys */
+ 	char   **authorized_keys_files;
+ 
+diff --git a/session.c b/session.c
+index 607f17a..383c8ee 100644
+--- a/session.c
++++ b/session.c
+@@ -175,6 +175,50 @@ static char *auth_sock_dir = NULL;
+ 
+ /* removes the agent forwarding socket */
+ 
++int scp_check(const char *command)
++{
++	debug("Entering scp check");
++        int check = 0;
++        if (command == NULL) {
++		debug("scp check succeeded for shell mode");
++                return check;
++        }
++        int lc = strlen(command);
++        char special_characters[] = "|;&$><`\\!\n";
++        int ls = strlen(special_characters);
++        int count_char[128] = {0};
++
++        for (int i = 0; i < ls; i++) {
++                count_char[special_characters[i]] = 1;
++        }
++
++        char scp_prefix[6] = "scp -";
++        int lp = 5;
++
++        if (lc <= lp) {
++		debug("scp check succeeded for length");
++                return check;
++        }
++
++        for (int i = 0; i < lp; i++) {
++                if (command[i] - scp_prefix[i]) {
++			debug("scp check succeeded for prefix");
++                        return check;
++                }
++        }
++
++        for (int i = lp; i < lc; i++) {
++                if (command[i] > 0 && command[i] < 128) {
++                        if (count_char[command[i]]) {
++                                check = 1;
++				debug("scp check failed at %d: %c", i, command[i]);
++                                break;
++                        }
++                }
++        }
++        return check;
++}
++
+ static void
+ auth_sock_cleanup_proc(struct passwd *pw)
+ {
+@@ -696,6 +740,12 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
+ 		command = auth_opts->force_command;
+ 		forced = "(key-option)";
+ 	}
++
++	if (options.strict_scp_check && scp_check(command)) {
++        verbose("Special characters not allowed in scp");
++        return 1;
++    }
++
+ #ifdef GSSAPI
+ #ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
+ 	else if (k5users_allowed_cmds) {
+-- 
+2.23.0
+

openssh.spec

@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 9
+%global openssh_release 10
 
 Name:           openssh
 Version:        8.2p1
@@ -91,6 +91,7 @@ Patch58:        CVE-2020-12062-2.patch
 Patch59:        upstream-expose-vasnmprintf.patch
 Patch60:        CVE-2018-15919.patch
 Patch61:        CVE-2020-14145.patch
+Patch62:        add-strict-scp-check-for-CVE-2020-15778.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -254,6 +255,7 @@ popd
 %patch59 -p1
 %patch60 -p1
 %patch61 -p1
+%patch62 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
@@ -469,6 +471,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Thu May 20 2021 seuzw<930zhaowei@163.com> - 8.2P1-10
+- Type:cves
+- CVE:CVE-2020-15778
+- SUG:NA
+- DESC:add strict-scp-check for CVE-2020-15778
+
 * Mon Jan 4 2021 chxssg<chxssg@qq.com> - 8.2P1-9
 - Type:cves
 - CVE:CVE-2020-14145