Headline
CVE-2021-28041: upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own · openssh/openssh-portable@e04fd6d
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
@@ -1,4 +1,4 @@ /* $OpenBSD: ssh-agent.c,v 1.276 2021/02/02 22:35:14 djm Exp $ */ /* $OpenBSD: ssh-agent.c,v 1.277 2021/02/12 03:14:18 djm Exp $ */ /* * Author: Tatu Ylonen [email protected] * Copyright © 1995 Tatu Ylonen [email protected], Espoo, Finland @@ -574,96 +574,114 @@ reaper(void) return (deadline - now); }
static int parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp) { char *ext_name = NULL; int r;
if ((r = sshbuf_get_cstring(m, &ext_name, NULL)) != 0) { error_fr(r, “parse constraint extension”); goto out; } debug_f("constraint ext %s", ext_name); if (strcmp(ext_name, “[email protected]”) == 0) { if (sk_providerp == NULL) { error_f("%s not valid here", ext_name); r = SSH_ERR_INVALID_FORMAT; goto out; } if (*sk_providerp != NULL) { error_f("%s already set", ext_name); r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_get_cstring(m, sk_providerp, NULL)) != 0) { error_fr(r, "parse %s", ext_name); goto out; } } else { error_f("unsupported constraint \"%s\"", ext_name); r = SSH_ERR_FEATURE_UNSUPPORTED; goto out; } /* success */ r = 0; out: free(ext_name); return r; }
static int parse_key_constraints(struct sshbuf *m, struct sshkey *k, time_t *deathp, u_int *secondsp, int *confirmp, char **sk_providerp) { u_char ctype; int r; u_int seconds, maxsign = 0; char *ext_name = NULL; struct sshbuf *b = NULL;
while (sshbuf_len(m)) { if ((r = sshbuf_get_u8(m, &ctype)) != 0) { error_fr(r, “parse constraint type”); goto err; goto out; } switch (ctype) { case SSH_AGENT_CONSTRAIN_LIFETIME: if (*deathp != 0) { error_f(“lifetime already set”); goto err; r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_get_u32(m, &seconds)) != 0) { error_fr(r, “parse lifetime constraint”); goto err; goto out; } *deathp = monotime() + seconds; *secondsp = seconds; break; case SSH_AGENT_CONSTRAIN_CONFIRM: if (*confirmp != 0) { error_f(“confirm already set”); goto err; r = SSH_ERR_INVALID_FORMAT; goto out; } *confirmp = 1; break; case SSH_AGENT_CONSTRAIN_MAXSIGN: if (k == NULL) { error_f(“maxsign not valid here”); goto err; r = SSH_ERR_INVALID_FORMAT; goto out; } if (maxsign != 0) { error_f(“maxsign already set”); goto err; r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_get_u32(m, &maxsign)) != 0) { error_fr(r, “parse maxsign constraint”); goto err; goto out; } if ((r = sshkey_enable_maxsign(k, maxsign)) != 0) { error_fr(r, “enable maxsign”); goto err; goto out; } break; case SSH_AGENT_CONSTRAIN_EXTENSION: if ((r = sshbuf_get_cstring(m, &ext_name, NULL)) != 0) { error_fr(r, “parse constraint extension”); goto err; } debug_f("constraint ext %s", ext_name); if (strcmp(ext_name, “[email protected]”) == 0) { if (sk_providerp == NULL) { error_f("%s not valid here", ext_name); goto err; } if (*sk_providerp != NULL) { error_f("%s already set", ext_name); goto err; } if ((r = sshbuf_get_cstring(m, sk_providerp, NULL)) != 0) { error_fr(r, "parse %s", ext_name); goto err; } } else { error_f("unsupported constraint \"%s\"", ext_name); goto err; } free(ext_name); if ((r = parse_key_constraint_extension(m, sk_providerp)) != 0) goto out; /* error already logged */ break; default: error_f("Unknown constraint %d", ctype); err: free(ext_name); sshbuf_free(b); return -1; r = SSH_ERR_FEATURE_UNSUPPORTED; goto out; } } /* success */ return 0; r = 0; out: return r; }
static void
Related news
Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.
Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...