packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!43 add strict-scp-check for CVE-2020-15778

Browse Source 
From: @seuzw
Reviewed-by: @wangxp006
Signed-off-by: @wangxp006
This commit is contained in:
openeuler-ci-bot 2021-05-21 10:12:02 +08:00 committed by Gitee
commit 1575d3deb7
2 changed files with 168 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

159
add-strict-scp-check-for-CVE-2020-15778.patch Normal file
View File

@ -0,0 +1,159 @@
From 2e0b74242220a97926d006719d1ac6e113918e2b Mon Sep 17 00:00:00 2001
From: seuzw <930zhaowei@163.com>
Date: Thu, 20 May 2021 20:23:30 +0800
Subject: [PATCH] add strict-scp-check for CVE-2020-15778
---
servconf.c | 12 ++++++++++++
servconf.h | 1 +
session.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+)
diff --git a/servconf.c b/servconf.c
index 76147f9..4e0401f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -90,6 +90,7 @@ initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
+ options->strict_scp_check = -1;
/* Portable-specific options */
options->use_pam = -1;
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
_PATH_HOST_XMSS_KEY_FILE, 0);
#endif /* WITH_XMSS */
}
+ if (options->strict_scp_check == -1)
+ options->strict_scp_check = 0;
/* No certificates by default */
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@@ -540,6 +543,7 @@ fill_default_server_options(ServerOptions *options)
/* Keyword tokens. */
typedef enum {
sBadOption, /* == unknown option */
+ sStrictScpCheck,
/* Portable-specific options */
sUsePAM,
/* Standard Options */
@@ -598,6 +602,7 @@ static struct {
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "strictscpcheck", sStrictScpCheck, SSHCFG_GLOBAL },
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
{ "port", sPort, SSHCFG_GLOBAL },
@@ -1372,6 +1377,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
/* Standard Options */
case sBadOption:
return -1;
+
+ case sStrictScpCheck:
+ intptr = &options->strict_scp_check;
+ goto parse_flag;
+
case sPort:
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
@@ -2556,6 +2566,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
dst->n = src->n; \
} while (0)
+ M_CP_INTOPT(strict_scp_check);
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(pubkey_authentication);
@@ -2846,6 +2857,7 @@ dump_config(ServerOptions *o)
#ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam);
#endif
+ dump_cfg_fmtint(sStrictScpCheck, o->strict_scp_check);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
diff --git a/servconf.h b/servconf.h
index 2c16b5a..e37dc25 100644
--- a/servconf.h
+++ b/servconf.h
@@ -192,6 +192,7 @@ typedef struct {
* disconnect the session
*/
+ int strict_scp_check;
u_int num_authkeys_files; /* Files containing public keys */
char **authorized_keys_files;
diff --git a/session.c b/session.c
index 607f17a..383c8ee 100644
--- a/session.c
+++ b/session.c
@@ -175,6 +175,50 @@ static char *auth_sock_dir = NULL;
/* removes the agent forwarding socket */
+int scp_check(const char *command)
+{
+ debug("Entering scp check");
+ int check = 0;
+ if (command == NULL) {
+ debug("scp check succeeded for shell mode");
+ return check;
+ }
+ int lc = strlen(command);
+ char special_characters[] = "|;&$><`\\!\n";
+ int ls = strlen(special_characters);
+ int count_char[128] = {0};
+
+ for (int i = 0; i < ls; i++) {
+ count_char[special_characters[i]] = 1;
+ }
+
+ char scp_prefix[6] = "scp -";
+ int lp = 5;
+
+ if (lc <= lp) {
+ debug("scp check succeeded for length");
+ return check;
+ }
+
+ for (int i = 0; i < lp; i++) {
+ if (command[i] - scp_prefix[i]) {
+ debug("scp check succeeded for prefix");
+ return check;
+ }
+ }
+
+ for (int i = lp; i < lc; i++) {
+ if (command[i] > 0 && command[i] < 128) {
+ if (count_char[command[i]]) {
+ check = 1;
+ debug("scp check failed at %d: %c", i, command[i]);
+ break;
+ }
+ }
+ }
+ return check;
+}
+
static void
auth_sock_cleanup_proc(struct passwd *pw)
{
@@ -696,6 +740,12 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
command = auth_opts->force_command;
forced = "(key-option)";
}
+
+ if (options.strict_scp_check && scp_check(command)) {
+ verbose("Special characters not allowed in scp");
+ return 1;
+ }
+
#ifdef GSSAPI
#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
else if (k5users_allowed_cmds) {
--
2.23.0

10
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 9
%global openssh_release 10
Name: openssh
Version: 8.2p1
@ -91,6 +91,7 @@ Patch58: CVE-2020-12062-2.patch
Patch59: upstream-expose-vasnmprintf.patch
Patch60: CVE-2018-15919.patch
Patch61: CVE-2020-14145.patch
Patch62: add-strict-scp-check-for-CVE-2020-15778.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -254,6 +255,7 @@ popd
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
autoreconf
pushd pam_ssh_agent_auth-0.10.3
@ -469,6 +471,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Thu May 20 2021 seuzw<930zhaowei@163.com> - 8.2P1-10
- Type:cves
- CVE:CVE-2020-15778
- SUG:NA
- DESC:add strict-scp-check for CVE-2020-15778
* Mon Jan 4 2021 chxssg<chxssg@qq.com> - 8.2P1-9
- Type:cves
- CVE:CVE-2020-14145