Projects
Eulaceura:Mainline:GA
libssh
_service:obs_scm:backport-0006-CVE-2023-6004-co...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:backport-0006-CVE-2023-6004-config_parser-Check-for-valid-syntax-o.patch of Package libssh
From 22492b69bba22b102342afc574800d354a08e405 Mon Sep 17 00:00:00 2001 From: Norbert Pocs <norbertpocs0@gmail.com> Date: Tue, 10 Oct 2023 18:33:56 +0200 Subject: [PATCH 06/20] CVE-2023-6004: config_parser: Check for valid syntax of a hostname if it is a domain name This prevents code injection. The domain name syntax checker is based on RFC1035. Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com> --- src/config_parser.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/config_parser.c b/src/config_parser.c index cf83e2c5..b8b94611 100644 --- a/src/config_parser.c +++ b/src/config_parser.c @@ -30,6 +30,7 @@ #include "libssh/config_parser.h" #include "libssh/priv.h" +#include "libssh/misc.h" /* Returns the original string after skipping the leading whitespace * until finding LF. @@ -47,7 +48,7 @@ char *ssh_config_get_cmd(char **str) break; } } - + for (r = c; *c; c++) { if (*c == '\n') { *c = '\0'; @@ -167,6 +168,7 @@ int ssh_config_parse_uri(const char *tok, { char *endp = NULL; long port_n; + int rc; /* Sanitize inputs */ if (username != NULL) { @@ -224,6 +226,14 @@ int ssh_config_parse_uri(const char *tok, if (*hostname == NULL) { goto error; } + /* if not an ip, check syntax */ + rc = ssh_is_ipaddr(*hostname); + if (rc == 0) { + rc = ssh_check_hostname_syntax(*hostname); + if (rc != SSH_OK) { + goto error; + } + } } /* Skip also the closing bracket */ if (*endp == ']') { -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2