File _service:tar_scm:backport-0001-CVE-2023-6004-to... of Package libssh

File _service:tar_scm:backport-0001-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch of Package libssh

From c2c56bacab00766d01671413321d564227aabf19 Mon Sep 17 00:00:00 2001
From: Norbert Pocs <norbertpocs0@gmail.com>
Date: Sun, 5 Nov 2023 13:12:47 +0100
Subject: [PATCH 01/20] CVE-2023-6004: torture_config: Allow multiple '@' in
 usernames

Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
 tests/unittests/torture_config.c | 56 +++++++++++++++++---------------
 1 file changed, 30 insertions(+), 26 deletions(-)

diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index 406f1985..b7c763af 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -995,23 +995,22 @@ static void torture_config_proxyjump(void **state,
     assert_string_equal(session->opts.ProxyCommand,
                         "ssh -W '[%h]:%p' 2620:52:0::fed");
 
-    /* In this part, we try various other config files and strings. */
-
-    /* Try to create some invalid configurations */
-    /* Non-numeric port */
-    config = "Host bad-port\n"
-             "\tProxyJump jumpbox:22bad22\n";
+    /* Multiple @ is allowed in second jump */
+    config = "Host allowed-hostname\n"
+             "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
     if (file != NULL) {
         torture_write_file(file, config);
     } else {
         string = config;
     }
     torture_reset_config(session);
-    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
-    _parse_config(session, file, string, SSH_ERROR);
+    ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
+    _parse_config(session, file, string, SSH_OK);
+    assert_string_equal(session->opts.ProxyCommand,
+                        "ssh -J user@principal.com@jumpbox:22 -W '[%h]:%p' localhost");
 
-    /* Too many @ */
-    config = "Host bad-hostname\n"
+    /* Multiple @ is allowed */
+    config = "Host allowed-hostname\n"
              "\tProxyJump user@principal.com@jumpbox:22\n";
     if (file != NULL) {
         torture_write_file(file, config);
@@ -1019,7 +1018,24 @@ static void torture_config_proxyjump(void **state,
         string = config;
     }
     torture_reset_config(session);
-    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
+    ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
+    _parse_config(session, file, string, SSH_OK);
+    assert_string_equal(session->opts.ProxyCommand,
+                        "ssh -l user@principal.com -p 22 -W '[%h]:%p' jumpbox");
+
+    /* In this part, we try various other config files and strings. */
+
+    /* Try to create some invalid configurations */
+    /* Non-numeric port */
+    config = "Host bad-port\n"
+             "\tProxyJump jumpbox:22bad22\n";
+    if (file != NULL) {
+        torture_write_file(file, config);
+    } else {
+        string = config;
+    }
+    torture_reset_config(session);
+    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
     _parse_config(session, file, string, SSH_ERROR);
 
     /* Braces mismatch in hostname */
@@ -1094,18 +1110,6 @@ static void torture_config_proxyjump(void **state,
     ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port-2");
     _parse_config(session, file, string, SSH_ERROR);
 
-    /* Too many @ in second jump */
-    config = "Host bad-hostname\n"
-             "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
-    if (file != NULL) {
-        torture_write_file(file, config);
-    } else {
-        string = config;
-    }
-    torture_reset_config(session);
-    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
-    _parse_config(session, file, string, SSH_ERROR);
-
     /* Braces mismatch in second jump */
     config = "Host mismatch\n"
              "\tProxyJump localhost,[::1:20\n";
@@ -1448,10 +1452,10 @@ static void torture_config_parser_get_cmd(void **state)
     } else if (pid == 0) {
         ssh_execute_command(tok, fileno(outfile), fileno(outfile));
         /* Does not return */
-    } else {        
-        /* parent 
+    } else {
+        /* parent
          * wait child process */
-        wait(NULL); 
+        wait(NULL);
         infile = fopen("output.log", "r");
         assert_non_null(infile);
         p = fgets(buffer, sizeof(buffer), infile);
-- 
2.33.0