File openssh-7.2p2-secure_unix_sockets_forwarding.patch of Package openssh.21987

# HG changeset patch
# Parent  49d9204835f069a6b628e7bf4ed53baf81f8bf91
Do not allow unix socket when running without privilege separation to prevent
privilege escalation through a socket created with root: ownership.

CVE-2016-10010
bsc#1016368
bsc#1051559

backported upstream commits
b737e4d7433577403a31cff6614f6a1b0b5e22f4
51045869fa084cdd016fdd721ea760417c0a3bf3

diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
--- a/openssh-7.2p2/serverloop.c
+++ b/openssh-7.2p2/serverloop.c
@@ -979,28 +979,32 @@ server_request_direct_tcpip(void)
 }
 
 static Channel *
 server_request_direct_streamlocal(void)
 {
 	Channel *c = NULL;
 	char *target, *originator;
 	u_short originator_port;
+	struct passwd *pw = the_authctxt->pw;
+
+	if (pw == NULL || !the_authctxt->valid)
+		fatal("server_input_global_request: no/invalid user");
 
 	target = packet_get_string(NULL);
 	originator = packet_get_string(NULL);
 	originator_port = packet_get_int();
 	packet_check_eom();
 
 	debug("server_request_direct_streamlocal: originator %s port %d, target %s",
 	    originator, originator_port, target);
 
 	/* XXX fine grained permissions */
 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-	    !no_port_forwarding_flag) {
+	    !no_port_forwarding_flag && (pw->pw_uid == 0 || use_privsep)) {
 		c = channel_connect_to_path(target,
 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
 	} else {
 		logit("refused streamlocal port forward: "
 		    "originator %s port %d, target %s",
 		    originator, originator_port, target);
 	}
 
@@ -1212,29 +1216,29 @@ server_input_hostkeys_prove(struct sshbu
 
 static int
 server_input_global_request(int type, u_int32_t seq, void *ctxt)
 {
 	char *rtype;
 	int want_reply;
 	int r, success = 0, allocated_listen_port = 0;
 	struct sshbuf *resp = NULL;
+	struct passwd *pw = the_authctxt->pw;
+
+	if (pw == NULL || !the_authctxt->valid)
+		fatal("server_input_global_request: no/invalid user");
 
 	rtype = packet_get_string(NULL);
 	want_reply = packet_get_char();
 	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
 
 	/* -R style forwarding */
 	if (strcmp(rtype, "tcpip-forward") == 0) {
-		struct passwd *pw;
 		struct Forward fwd;
 
-		pw = the_authctxt->pw;
-		if (pw == NULL || !the_authctxt->valid)
-			fatal("server_input_global_request: no/invalid user");
 		memset(&fwd, 0, sizeof(fwd));
 		fwd.listen_host = packet_get_string(NULL);
 		fwd.listen_port = (u_short)packet_get_int();
 		debug("server_input_global_request: tcpip-forward listen %s port %d",
 		    fwd.listen_host, fwd.listen_port);
 
 		/* check permissions */
 		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
@@ -1274,19 +1278,20 @@ server_input_global_request(int type, u_
 
 		memset(&fwd, 0, sizeof(fwd));
 		fwd.listen_path = packet_get_string(NULL);
 		debug("server_input_global_request: streamlocal-forward listen path %s",
 		    fwd.listen_path);
 
 		/* check permissions */
 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-		    || no_port_forwarding_flag) {
+		    || no_port_forwarding_flag || (pw->pw_uid != 0 && !use_privsep)) {
 			success = 0;
-			packet_send_debug("Server has disabled port forwarding.");
+			packet_send_debug("Server has disabled "
+			    "streamlocal forwarding.");
 		} else {
 			/* Start listening on the socket */
 			success = channel_setup_remote_fwd_listener(
 			    &fwd, NULL, &options.fwd_opts);
 		}
 		free(fwd.listen_path);
 	} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
 		struct Forward fwd;
Places

File openssh-7.2p2-secure_unix_sockets_forwarding.patch of Package openssh.21987

Places
