File openssh-6.6p1-sanitise_xauth_input.patch of Package openssh.10219

Sanitise strings passed to xauth to prevent possibly unwanted actions by
authenticated users.

CVE-2016-3115
bsc#970632

Backport of upstream:
commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Mar 10 05:03:39 2016 +1100

    sanitise characters destined for xauth(1)

    reported by github.com/tintinweb

diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -41,16 +41,17 @@
 # include <sys/stat.h>
 #endif
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <sys/wait.h>
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
 #include <pwd.h>
 #include <signal.h>
@@ -286,16 +287,31 @@ do_authenticated(Authctxt *authctxt)
 	if (compat20)
 		do_authenticated2(authctxt);
 	else
 		do_authenticated1(authctxt);
 
 	do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+	size_t i;
+
+	for (i = 0; s[i] != '\0'; i++) {
+		if (!isalnum((u_char)s[i]) &&
+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+		    s[i] != '-' && s[i] != '_')
+		return 0;
+	}
+	return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
  * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
  * are requested, etc.
  */
 static void
 do_authenticated1(Authctxt *authctxt)
@@ -359,17 +375,23 @@ do_authenticated1(Authctxt *authctxt)
 				if (!screen_flag)
 					debug2("Buggy client: "
 					    "X11 screen flag missing");
 				s->screen = packet_get_int();
 			} else {
 				s->screen = 0;
 			}
 			packet_check_eom();
-			success = session_setup_x11fwd(s);
+			if (xauth_valid_string(s->auth_proto) &&
+			    xauth_valid_string(s->auth_data))
+				success = session_setup_x11fwd(s);
+			else {
+				success = 0;
+				error("Invalid X11 forwarding data");
+			}
 			if (!success) {
 				free(s->auth_proto);
 				free(s->auth_data);
 				s->auth_proto = NULL;
 				s->auth_data = NULL;
 			}
 			break;
 
@@ -2294,17 +2316,23 @@ session_x11_req(Session *s)
 		return 0;
 	}
 	s->single_connection = packet_get_char();
 	s->auth_proto = packet_get_string(NULL);
 	s->auth_data = packet_get_string(NULL);
 	s->screen = packet_get_int();
 	packet_check_eom();
 
-	success = session_setup_x11fwd(s);
+	if (xauth_valid_string(s->auth_proto) &&
+	    xauth_valid_string(s->auth_data))
+		success = session_setup_x11fwd(s);
+	else {
+		success = 0;
+		error("Invalid X11 forwarding data");
+	}
 	if (!success) {
 		free(s->auth_proto);
 		free(s->auth_data);
 		s->auth_proto = NULL;
 		s->auth_data = NULL;
 	}
 	return success;
 }