2 files changed, 26 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 3ebe0df30..8eebcaffb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,11 @@
     Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
     While there, be sure to buffer_clear() between send_msg() and recv_msg().
     ok markus@
+   - dtucker@cvs.openbsd.org 2012/01/18 21:46:43
+     [clientloop.c]
+     Ensure that $DISPLAY contains only valid characters before using it to
+     extract xauth data so that it can't be used to play local shell
+     metacharacter games.  Report from r00t_ati at ihteam.net, ok markus.
 20120206
 - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
diff --git a/clientloop.c b/clientloop.c
index 1339521f4..f69a9b025 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.237 2011/09/10 22:26:34 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -281,6 +281,23 @@ set_control_persist_exit_time(void)
        /* else we are already counting down to the timeout */
 }
+#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_"
+static int
+client_x11_display_valid(const char *display)
+{
+        size_t i, dlen;
+        dlen = strlen(display);
+        for (i = 0; i < dlen; i++) {
+                if (!isalnum(display[i]) &&
+                    strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
+                        debug("Invalid character '%c' in DISPLAY", display[i]);
+                        return 0;
+                }
+        }
+        return 1;
+}
 #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
 void
 client_x11_get_proto(const char *display, const char *xauth_path,
@@ -303,6 +320,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
        if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
                debug("No xauth program.");
+        } else if (!client_x11_display_valid(display)) {
+                logit("DISPLAY '%s' invalid, falling back to fake xauth data",
+                    display);
        } else {
                if (display == NULL) {
                        debug("x11_get_proto: DISPLAY not set");

diff --git a/ChangeLog b/ChangeLog index 3ebe0df30..8eebcaffb 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -15,6 +15,11 @@
15	Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.	15	Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
16	While there, be sure to buffer_clear() between send_msg() and recv_msg().	16	While there, be sure to buffer_clear() between send_msg() and recv_msg().
17	ok markus@	17	ok markus@
		18	- dtucker@cvs.openbsd.org 2012/01/18 21:46:43
		19	[clientloop.c]
		20	Ensure that $DISPLAY contains only valid characters before using it to
		21	extract xauth data so that it can't be used to play local shell
		22	metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
18		23
19	20120206	24	20120206
20	- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms	25	- (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms


diff --git a/clientloop.c b/clientloop.c index 1339521f4..f69a9b025 100644 --- a/clientloop.c +++ b/clientloop.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: clientloop.c,v 1.237 2011/09/10 22:26:34 markus Exp $ */	1	/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -281,6 +281,23 @@ set_control_persist_exit_time(void)
281	/* else we are already counting down to the timeout */	281	/* else we are already counting down to the timeout */
282	}	282	}
283		283
		284	#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_"
		285	static int
		286	client_x11_display_valid(const char *display)
		287	{
		288	size_t i, dlen;
		289
		290	dlen = strlen(display);
		291	for (i = 0; i < dlen; i++) {
		292	if (!isalnum(display[i]) &&
		293	strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
		294	debug("Invalid character '%c' in DISPLAY", display[i]);
		295	return 0;
		296	}
		297	}
		298	return 1;
		299	}
		300
284	#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"	301	#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
285	void	302	void
286	client_x11_get_proto(const char display, const char xauth_path,	303	client_x11_get_proto(const char display, const char xauth_path,
@@ -303,6 +320,9 @@ client_x11_get_proto(const char display, const char xauth_path,
303		320
304	if (xauth_path == NULL \|\|(stat(xauth_path, &st) == -1)) {	321	if (xauth_path == NULL \|\|(stat(xauth_path, &st) == -1)) {
305	debug("No xauth program.");	322	debug("No xauth program.");
		323	} else if (!client_x11_display_valid(display)) {
		324	logit("DISPLAY '%s' invalid, falling back to fake xauth data",
		325	display);
306	} else {	326	} else {
307	if (display == NULL) {	327	if (display == NULL) {
308	debug("x11_get_proto: DISPLAY not set");	328	debug("x11_get_proto: DISPLAY not set");