packages/libssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libssh/backport-0010-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch
renmingshuai 3af789a411 fix CVE-2023-6004, CVE-2023-6918 and CVE-2023-48795 
(cherry picked from commit 9222a7fc667186111a524a9dc1e5cb5d442beeac)
2023-12-28 22:06:06 +08:00

90 lines
3.8 KiB
Diff
Raw Blame History

From 11bd6e6ad926a38cd7b9f8308a4c2fd8dfd9200c Mon Sep 17 00:00:00 2001
From: Norbert Pocs <norbertpocs0@gmail.com>
Date: Sun, 5 Nov 2023 13:12:47 +0100
Subject: [PATCH] CVE-2023-6004: torture_config: Allow multiple '@' in
usernames
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Conflict: NA
Reference:https://gitlab.com/libssh/libssh-mirror/-/commit/11bd6e6ad926a38cd7b9f8308a4c2fd8dfd9200c
---
tests/unittests/torture_config.c | 44 ++++++++++++++++++--------------
1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index f91112a9..3a5a74bf 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -671,24 +671,40 @@ static void torture_config_proxyjump(void **state) {
assert_string_equal(session->opts.ProxyCommand,
"ssh -W '[%h]:%p' 2620:52:0::fed");
- /* Try to create some invalid configurations */
- /* Non-numeric port */
+ /* Multiple @ is allowed in second jump */
torture_write_file(LIBSSH_TESTCONFIG11,
- "Host bad-port\n"
- "\tProxyJump jumpbox:22bad22\n"
+ "Host allowed-hostname\n"
+ "\tProxyJump localhost,user@principal.com@jumpbox:22\n"
"");
torture_reset_config(session);
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
- assert_ssh_return_code_equal(session, ret, SSH_ERROR);
+ assert_ssh_return_code(session, ret);
+ assert_string_equal(session->opts.ProxyCommand,
+ "ssh -J user@principal.com@jumpbox:22 -W '[%h]:%p' localhost");
- /* Too many @ */
+ /* Multiple @ is allowed */
torture_write_file(LIBSSH_TESTCONFIG11,
- "Host bad-hostname\n"
+ "Host allowed-hostname\n"
"\tProxyJump user@principal.com@jumpbox:22\n"
"");
torture_reset_config(session);
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
+ ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
+ assert_ssh_return_code(session, ret);
+ assert_string_equal(session->opts.ProxyCommand,
+ "ssh -l user@principal.com -p 22 -W '[%h]:%p' jumpbox");
+
+ /* In this part, we try various other config files and strings. */
+
+ /* Try to create some invalid configurations */
+ /* Non-numeric port */
+ torture_write_file(LIBSSH_TESTCONFIG11,
+ "Host bad-port\n"
+ "\tProxyJump jumpbox:22bad22\n"
+ "");
+ torture_reset_config(session);
+ ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code_equal(session, ret, SSH_ERROR);
@@ -752,16 +768,6 @@ static void torture_config_proxyjump(void **state) {
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code_equal(session, ret, SSH_ERROR);
- /* Too many @ in second jump */
- torture_write_file(LIBSSH_TESTCONFIG11,
- "Host bad-hostname\n"
- "\tProxyJump localhost,user@principal.com@jumpbox:22\n"
- "");
- torture_reset_config(session);
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
- ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
- assert_ssh_return_code_equal(session, ret, SSH_ERROR);
-
/* Braces mismatch in second jump */
torture_write_file(LIBSSH_TESTCONFIG11,
"Host mismatch\n"
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink