head 1.2; access; symbols pkgsrc-2023Q1:1.1.0.42 pkgsrc-2023Q1-base:1.1 pkgsrc-2022Q4:1.1.0.40 pkgsrc-2022Q4-base:1.1 pkgsrc-2022Q3:1.1.0.38 pkgsrc-2022Q3-base:1.1 pkgsrc-2022Q2:1.1.0.36 pkgsrc-2022Q2-base:1.1 pkgsrc-2022Q1:1.1.0.34 pkgsrc-2022Q1-base:1.1 pkgsrc-2021Q4:1.1.0.32 pkgsrc-2021Q4-base:1.1 pkgsrc-2021Q3:1.1.0.30 pkgsrc-2021Q3-base:1.1 pkgsrc-2021Q2:1.1.0.28 pkgsrc-2021Q2-base:1.1 pkgsrc-2021Q1:1.1.0.26 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.24 pkgsrc-2020Q4-base:1.1 pkgsrc-2020Q3:1.1.0.22 pkgsrc-2020Q3-base:1.1 pkgsrc-2020Q2:1.1.0.20 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.16 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.18 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.14 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.12 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.10 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.8 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.6 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.4 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.2 pkgsrc-2018Q1-base:1.1; locks; strict; comment @# @; 1.2 date 2023.05.02.16.31.41; author wiz; state dead; branches; next 1.1; commitid 0rLQx2SAk2unmpnE; 1.1 date 2018.01.09.22.18.57; author tez; state Exp; branches; next ; commitid qC5hsB3otMCNBfmA; desc @@ 1.2 log @bzr: remove, use breezy instead Python 2 only, upstream development has stopped @ text @$NetBSD: patch-CVE-2017-14176,v 1.1 2018/01/09 22:18:57 tez Exp $ Patch for CVE-2017-14176 from http://bazaar.launchpad.net/~brz/brz/trunk/revision/6754 --- bzrlib/transport/ssh.py.orig 2013-07-27 11:50:53.000000000 +0000 +++ bzrlib/transport/ssh.py @@@@ -45,6 +45,10 @@@@ else: from paramiko.sftp_client import SFTPClient +class StrangeHostname(errors.BzrError): + _fmt = "Refusing to connect to strange SSH hostname %(hostname)s" + + SYSTEM_HOSTKEYS = {} BZR_HOSTKEYS = {} @@@@ -359,6 +363,11 @@@@ class SubprocessVendor(SSHVendor): # tests, but beware of using PIPE which may hang due to not being read. _stderr_target = None + @@staticmethod + def _check_hostname(arg): + if arg.startswith('-'): + raise StrangeHostname(hostname=arg) + def _connect(self, argv): # Attempt to make a socketpair to use as stdin/stdout for the SSH # subprocess. We prefer sockets to pipes because they support @@@@ -423,9 +432,9 @@@@ class OpenSSHSubprocessVendor(Subprocess if username is not None: args.extend(['-l', username]) if subsystem is not None: - args.extend(['-s', host, subsystem]) + args.extend(['-s', '--', host, subsystem]) else: - args.extend([host] + command) + args.extend(['--', host] + command) return args register_ssh_vendor('openssh', OpenSSHSubprocessVendor()) @@@@ -438,6 +447,7 @@@@ class SSHCorpSubprocessVendor(Subprocess def _get_vendor_specific_argv(self, username, host, port, subsystem=None, command=None): + self._check_hostname(host) args = [self.executable_path, '-x'] if port is not None: args.extend(['-p', str(port)]) @@@@ -459,6 +469,7 @@@@ class LSHSubprocessVendor(SubprocessVend def _get_vendor_specific_argv(self, username, host, port, subsystem=None, command=None): + self._check_hostname(host) args = [self.executable_path] if port is not None: args.extend(['-p', str(port)]) @@@@ -480,6 +491,7 @@@@ class PLinkSubprocessVendor(SubprocessVe def _get_vendor_specific_argv(self, username, host, port, subsystem=None, command=None): + self._check_hostname(host) args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch'] if port is not None: args.extend(['-P', str(port)]) --- bzrlib/tests/test_ssh_transport.py.orig 2013-07-27 11:50:53.000000000 +0000 +++ bzrlib/tests/test_ssh_transport.py @@@@ -22,6 +22,7 @@@@ from bzrlib.transport.ssh import ( SSHCorpSubprocessVendor, LSHSubprocessVendor, SSHVendorManager, + StrangeHostname, ) @@@@ -161,6 +162,19 @@@@ class SSHVendorManagerTests(TestCase): class SubprocessVendorsTests(TestCase): + def test_openssh_command_tricked(self): + vendor = OpenSSHSubprocessVendor() + self.assertEqual( + vendor._get_vendor_specific_argv( + "user", "-oProxyCommand=blah", 100, command=["bzr"]), + ["ssh", "-oForwardX11=no", "-oForwardAgent=no", + "-oClearAllForwardings=yes", + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", + "--", + "-oProxyCommand=blah", "bzr"]) + def test_openssh_command_arguments(self): vendor = OpenSSHSubprocessVendor() self.assertEqual( @@@@ -171,6 +185,7 @@@@ class SubprocessVendorsTests(TestCase): "-oNoHostAuthenticationForLocalhost=yes", "-p", "100", "-l", "user", + "--", "host", "bzr"] ) @@@@ -184,9 +199,16 @@@@ class SubprocessVendorsTests(TestCase): "-oNoHostAuthenticationForLocalhost=yes", "-p", "100", "-l", "user", - "-s", "host", "sftp"] + "-s", "--", "host", "sftp"] ) + def test_openssh_command_tricked(self): + vendor = SSHCorpSubprocessVendor() + self.assertRaises( + StrangeHostname, + vendor._get_vendor_specific_argv, + "user", "-oProxyCommand=host", 100, command=["bzr"]) + def test_sshcorp_command_arguments(self): vendor = SSHCorpSubprocessVendor() self.assertEqual( @@@@ -209,6 +231,13 @@@@ class SubprocessVendorsTests(TestCase): "-s", "sftp", "host"] ) + def test_lsh_command_tricked(self): + vendor = LSHSubprocessVendor() + self.assertRaises( + StrangeHostname, + vendor._get_vendor_specific_argv, + "user", "-oProxyCommand=host", 100, command=["bzr"]) + def test_lsh_command_arguments(self): vendor = LSHSubprocessVendor() self.assertEqual( @@@@ -231,6 +260,13 @@@@ class SubprocessVendorsTests(TestCase): "--subsystem", "sftp", "host"] ) + def test_plink_command_tricked(self): + vendor = PLinkSubprocessVendor() + self.assertRaises( + StrangeHostname, + vendor._get_vendor_specific_argv, + "user", "-oProxyCommand=host", 100, command=["bzr"]) + def test_plink_command_arguments(self): vendor = PLinkSubprocessVendor() self.assertEqual( @ 1.1 log @Add patch for CVE-2017-14176 @ text @d1 1 a1 1 $NetBSD$ @