[openssh-commits] [openssh] 09/11: upstream: process security key provider via realpath() in agent,
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat Jan 25 11:36:35 AEDT 2020
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit e5a278a62ab49dffe96929fa8d8506c6928dba90
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sat Jan 25 00:06:48 2020 +0000
upstream: process security key provider via realpath() in agent,
avoids malicious client from being able to cause agent to load arbitrary
libraries into ssh-sk-helper.
reported by puck AT puckipedia.com; ok markus
OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
---
ssh-agent.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/ssh-agent.c b/ssh-agent.c
index 6092f19d..5c9a9de6 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.253 2020/01/25 00:03:36 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.254 2020/01/25 00:06:48 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -430,6 +430,7 @@ process_add_identity(SocketEntry *e)
int success = 0, confirm = 0;
u_int seconds, maxsign;
char *fp, *comment = NULL, *ext_name = NULL, *sk_provider = NULL;
+ char canonical_provider[PATH_MAX];
time_t death = 0;
struct sshkey *k = NULL;
u_char ctype;
@@ -514,14 +515,25 @@ process_add_identity(SocketEntry *e)
free(sk_provider);
goto send;
}
- if (strcasecmp(sk_provider, "internal") == 0)
+ if (strcasecmp(sk_provider, "internal") == 0) {
debug("%s: internal provider", __func__);
- else if (match_pattern_list(sk_provider,
- provider_whitelist, 0) != 1) {
- error("Refusing add key: provider %s not whitelisted",
- sk_provider);
+ } else {
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+ strerror(errno));
+ free(sk_provider);
+ goto send;
+ }
free(sk_provider);
- goto send;
+ sk_provider = xstrdup(canonical_provider);
+ if (match_pattern_list(sk_provider,
+ provider_whitelist, 0) != 1) {
+ error("Refusing add key: "
+ "provider %s not whitelisted", sk_provider);
+ free(sk_provider);
+ goto send;
+ }
}
}
if ((r = sshkey_shield_private(k)) != 0) {
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list