Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
openssh-testuser.32839
openssh-7.2p2-verify_CIDR_address_ranges.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssh-7.2p2-verify_CIDR_address_ranges.patch of Package openssh-testuser.32839
From 2827bf01e682c08901eb813a6afe309252ea8de9 Mon Sep 17 00:00:00 2001 From: Old openssh patches <pcerny@suse.com> Date: Wed, 26 Oct 2022 09:55:48 +0200 Subject: [PATCH] openssh-7.2p2-verify_CIDR_address_ranges # HG changeset patch # Parent 76837f24077a1fe8832153b245a2f556ac296767 Check for invalid CIDR adress masks. bsc#1005893 backported upstream commit: 010359b32659f455fddd2bd85fd7cc4d7a3b994a (7.4) backported upstream commit: 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a backported upstream commit: fe06b68f824f8f55670442fb31f2c03526dd326c --- auth.c | 23 +++++++++++++++++------ match.c | 19 ++++++++++++++----- servconf.c | 6 ++++++ 3 files changed, 37 insertions(+), 11 deletions(-) diff --git a/auth.c b/auth.c index 98f10bfd..a072856a 100644 --- a/auth.c +++ b/auth.c @@ -100,6 +100,7 @@ allowed_user(struct passwd * pw) struct stat st; const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; u_int i; + int r; #ifdef USE_SHADOW struct spwd *spw = NULL; #endif @@ -188,21 +189,31 @@ allowed_user(struct passwd * pw) /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { - for (i = 0; i < options.num_deny_users; i++) - if (match_user(pw->pw_name, hostname, ipaddr, - options.deny_users[i])) { + for (i = 0; i < options.num_deny_users; i++) { + r = match_user(pw->pw_name, hostname, ipaddr, + options.deny_users[i]); + if (r < 0) { + fatal("Invalid DenyUsers pattern \"%.100s\"", + options.deny_users[i]); + } else if (r != 0) { logit("User %.100s from %.100s not allowed " "because listed in DenyUsers", pw->pw_name, hostname); return 0; } + } } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { - for (i = 0; i < options.num_allow_users; i++) - if (match_user(pw->pw_name, hostname, ipaddr, - options.allow_users[i])) + for (i = 0; i < options.num_allow_users; i++) { + r = match_user(pw->pw_name, hostname, ipaddr, + options.allow_users[i]); + if (r < 0) { + fatal("Invalid AllowUsers pattern \"%.100s\"", + options.allow_users[i]); + } else if (r == 1) break; + } /* i < options.num_allow_users iff we break for loop */ if (i >= options.num_allow_users) { logit("User %.100s from %.100s not allowed because " diff --git a/match.c b/match.c index 913b6bae..876156b3 100644 --- a/match.c +++ b/match.c @@ -191,11 +191,10 @@ match_host_and_ip(const char *host, const char *ipaddr, { int mhost, mip; - /* error in ipaddr match */ if ((mip = addr_match_list(ipaddr, patterns)) == -2) - return -1; - else if (mip == -1) /* negative ip address match */ - return 0; + return -1; /* error in ipaddr match */ + else if (host == NULL || ipaddr == NULL || mip == -1) + return 0; /* negative ip address match, or testing pattern */ /* negative hostname match */ if ((mhost = match_hostname(host, patterns)) == -1) @@ -207,7 +206,9 @@ match_host_and_ip(const char *host, const char *ipaddr, } /* - * match user, user@host_or_ip, user@host_or_ip_list against pattern + * Match user, user@host_or_ip, user@host_or_ip_list against pattern. + * If user, host and ipaddr are all NULL then validate pattern/ + * Returns -1 on invalid pattern, 0 on no match, 1 on match. */ int match_user(const char *user, const char *host, const char *ipaddr, @@ -216,6 +217,14 @@ match_user(const char *user, const char *host, const char *ipaddr, char *p, *pat; int ret; + /* test mode */ + if (user == NULL && host == NULL && ipaddr == NULL) { + if ((p = strchr(pattern, '@')) != NULL && + match_host_and_ip(NULL, NULL, p + 1) < 0) + return -1; + return 0; + } + if ((p = strchr(pattern,'@')) == NULL) return match_pattern(user, pattern); diff --git a/servconf.c b/servconf.c index e3970dd1..466f431b 100644 --- a/servconf.c +++ b/servconf.c @@ -1467,6 +1467,9 @@ process_server_config_line(ServerOptions *options, char *line, if (options->num_allow_users >= MAX_ALLOW_USERS) fatal("%s line %d: too many allow users.", filename, linenum); + if (match_user(NULL, NULL, NULL, arg) == -1) + fatal("%s line %d: invalid AllowUsers pattern: " + "\"%.100s\"", filename, linenum, arg); if (!*activep) continue; options->allow_users[options->num_allow_users++] = @@ -1479,6 +1482,9 @@ process_server_config_line(ServerOptions *options, char *line, if (options->num_deny_users >= MAX_DENY_USERS) fatal("%s line %d: too many deny users.", filename, linenum); + if (match_user(NULL, NULL, NULL, arg) == -1) + fatal("%s line %d: invalid DenyUsers pattern: " + "\"%.100s\"", filename, linenum, arg); if (!*activep) continue; options->deny_users[options->num_deny_users++] = -- 2.38.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor