In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

CVE-2018-3845: TALOS-2018-0528 || Cisco Talos Intelligence Group

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

**Summary**

An exploitable integer overflow vulnerability exists in the xls\_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

**Tested Versions**

libxls 1.4 readxl package 1.0.0 for R (tested using Microsoft R 4.3.1)

**Product URLs**

http://libxls.sourceforge.net/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSSv3 Calculator: https://www.first.org/cvss/calculator/3.0

**CWE**

CWE-680: Integer Overflow to Buffer Overflow

**Details**

libxls is a C library supported on windows, mac, cygwin which can read Microsoft Excel File Format ( XLS ) files. The library is used by the readxl package that can be installed in the R programming language. The integer overflow appears in the xls\_preparseWorkSheet function, so let’s take a look at the vulnerable code:

    Line 970 void xls_preparseWorkSheet(xlsWorkSheet* pWS)
    Line 971 {
    			   (...)
    Line 985         read = ole2_read(buf, 1,tmp.size,pWS->workbook->olestr);
    Line 986 		assert(read == tmp.size);
    Line 987 		// xls_showBOF(&tmp);
    Line 988         switch (tmp.id)
    Line 989         {
    				(...)		
    Line 1012        case 0x00BE:        //MULBLANK
    Line 1013            if (pWS->rows.lastcol<xlsShortVal(((MULBLANK*)buf)->col) + (tmp.size - 6)/2 - 1)
    Line 1014                pWS->rows.lastcol=xlsShortVal(((MULBLANK*)buf)->col) + (tmp.size - 6)/2 - 1;
    Line 1015            if (pWS->rows.lastrow<xlsShortVal(((MULBLANK*)buf)->row))
    Line 1016                pWS->rows.lastrow=xlsShortVal(((MULBLANK*)buf)->row);
    Line 1017            break;		
    

The general purpose of the xls_preparseWorkSheet function is to obtain the maximal size of col and row value from records present in the worksheet and update the lastcol and lastrow fields with that value. As we can see in lines 1013-1014 an integer overflow can occur. This can have two potential impacts. In one case, the maximum value stored in lastcol will not be updated even if the MULBLANK col field is greater than the value in lastcol. The other case will result in the lastcol value being updated to the overflowed value.

The malformed MULBLANK record is located at offset : 0xCB1F and looks as follows:

    0xCB1F 		BE 00 20 00 AA AA FF FF
    

Setting breakpoint at line 1007 we can obtain the following information:

    (gdb) p/x tmp
    $1 = {id = 0xbe, size = 0x20}
    (gdb) p/x *((MULBLANK*)buf)
    $3 = {row = 0xaaaa, col = 0xffff, rk = 0x60f3e4}
    (gdb) p/x pWS->rows.lastcol
    $4 = 0x0
    

stepping further after line 1014:

    (gdb) p/x pWS->rows.lastcol
    $5 = 0x2
    

We see that lastcol field has been updated with overflowed value 0x2. It has further consequences in function xls_makeTable where based on the lastcol field an array for cells is allocated:

    Line 409	void xls_makeTable(xlsWorkSheet* pWS)
    Line 410	{
    Line 412		struct st_row_data* tmp;
    Line 418		for (t=0;t<=pWS->rows.lastrow;t++)
    				{
    Line 420			tmp=&pWS->rows.row[t];
    					(...)
    Line 425			tmp->cells.count = pWS->rows.lastcol+1;
    Line 426			tmp->cells.cell=(struct st_cell_data *)calloc(tmp->cells.count,sizeof(struct st_cell_data));					
    

next during the final parsing of the malformed MULBLANK record in xls_addCell, an out of bound write occurs because the col value being used as index for the cell array is greater than amount of allocated elements for that array.

    Line 446	struct st_cell_data *xls_addCell(xlsWorkSheet* pWS,BOF* bof,BYTE* buf)
    Line 447	{
    Line 448		struct st_cell_data*	cell;
    				(...)
    Line 457		cell=&row->cells.cell[xlsShortVal(((COL*)buf)->col)];
    Line 458		cell->id=bof->id;
    Line 459		cell->xf=xlsShortVal(((COL*)buf)->xf);	
    

At line 457 the cell element points to a value outside of the array range which leads to an out-of-bounds write at lines 458,459...

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7bce936 in xls_addCell (pWS=0x60f3a0, bof=0x7fffffffdb80, buf=0x607c50 
    "\252\252\377\377\273\273\273\273\314\314\314\314\335\335\335\335", 
    <incomplete sequence \345>) at xls.c:458
    458         cell->id=bof->id;
    gdb-peda$ p cell
    $8 = (struct st_cell_data *) 0xdea898
    gdb-peda$ vmmap 0xdea898
    Warning: not found or cannot access procfs
    

**Crash Information**

    Microsoft R crash
    
    (94c.c74): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\Icewall\Documents\R\win-
    library\3.4\readxl\libs\x64\readxl.dll - 
    readxl!xls_addCell+0x61:
    00000000`6534b191 668903          mov     word ptr [rbx],ax ds:00000000`312f5f58=????
    0:000> kb 10
     # RetAddr           : Args to Child                                                           : Call Site
    00 00000000`6534c8e2 : 00000000`48332fd0 00000000`31135ff0 00000000`00000006 00000000`00000000 : 
    readxl!xls_addCell+0x61
    01 00000000`65382714 : 00000000`044079c0 00000000`00000000 00000000`00000000 00000000`00000000 : 
    readxl!xls_parseWorkSheet+0x302
    02 00000000`6534572b : 00000000`04407750 00000000`044076b0 00000000`00000000 00007ffe`179295c9 : readxl!
    ZN12XlsWorkSheetC1E11XlsWorkBookiN4Rcpp6VectorILi13ENS1_15PreserveStorageEEEb+0x2b4
    03 00000000`65343ddb : 00000000`044079b0 00007ffe`02922b4f 00000000`00000000 00000000`00000000 : readxl!
    Z9read_xls_SsiN4Rcpp6VectorILi13ENS_15PreserveStorageEEEbNS_12RObject_ImplIS1_EES4_St6vectorISsSaISsEEbi+0x31b
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft\R Open\R-
    3.4.1\bin\x64\R.dll - 
    04 00000000`6c7977cf : 00000000`25cecec8 00000000`10cfdf98 00000000`6cbfdbd0 00000000`04407cd0 : 
    readxl!readxl_read_xls_+0x1db
    05 00000000`6c797f04 : 00000000`00000272 00000000`04407cc8 00000000`00000139 00000000`04407f00 : 
    R!Rf_NewFrameConfirm+0x7b6f
    06 00000000`6c7ee8c8 : 00000000`23747fa0 00000000`2607c7c0 00000000`23747fa0 00000000`6cbfdcb8 : 
    R!Rf_NewFrameConfirm+0x82a4
    07 00000000`6c7f11dd : 00000000`6cbfdc08 00000000`6cbfdd20 00000000`6cbfdc90 00000000`6c7c070c : R!Rf_eval+0x6f8
    08 00000000`6c7ee6ba : 00000000`23748010 00000000`14595aa8 00000000`23748010 00000000`25e0b818 :   
    R!R_execMethod+0x8bd
    09 00000000`6c7f0550 : 00000000`31f17618 00000000`145dbd58 00000000`25f56dc0 00000000`264e3c08 : R!Rf_eval+0x4ea
    0a 00000000`6c7f08d2 : 00000000`237b8cb8 00000000`261e92b0 00000000`237b8cb8 00000000`264e4270 : 
    R!R_cmpfun1+0xf50
    0b 00000000`6c7e28ba : 00000000`6cbfdbd0 00000000`2607f130 00000000`14590600 00000000`6c7f08d2 : 
    R!Rf_applyClosure+0x192
    0c 00000000`6c7ee341 : 00000000`31efd850 00000000`264e4270 00000000`2607cf08 00000000`6c7eebd5 : 
     R!R_initAssignSymbols+0xf27a
    0d 00000000`6c7eeb9c : 00000000`31dfaad8 0000002e`2375f578 00000000`00000000 00000000`2607c4e8 : R!Rf_eval+0x171
    0e 00000000`6c7ee3dc : 00000000`00000000 00000000`14590670 00000000`2607cf08 00000000`324006f8 : R!Rf_eval+0x9cc
    0f 00000000`6c82251b : 00000000`2fa88528 00000000`14590788 00000000`23992b28 00000000`6c7f08d2 : R!Rf_eval+0x20c
    0:000> lmv m readxl
    Browse full module list
    start             end                 module name
    00000000`65340000 00000000`6543f000   readxl     (export symbols)       C:\Users\Icewall\Documents\R\win-
    library\3.4\readxl\libs\x64\readxl.dll
    	Loaded symbol image file: C:\Users\Icewall\Documents\R\win-library\3.4\readxl\libs\x64\readxl.dll
    	Image path: C:\Users\Icewall\Documents\R\win-library\3.4\readxl\libs\x64\readxl.dll
    	Image name: readxl.dll
    	Browse all global symbols  functions  data
    	Timestamp:        Wed Aug 30 18:38:23 2017 (59A6E9FF)
    	CheckSum:         001018F6
    	ImageSize:        000FF000
    	Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    
    
    Linux version	
    
    [----------------------------------registers-----------------------------------]
    RAX: 0xdea898 
    RBX: 0xb6a8c0 --> 0xaaaa0201 
    RCX: 0x7fffffffdb80 --> 0x2000bd 
    RDX: 0xbe 
    RSI: 0x7fffffffdb80 --> 0x2000bd 
    RDI: 0xffffffff 
    RBP: 0x7fffffffdb60 --> 0x7fffffffdc00 --> 0x7fffffffdc70 --> 0x401610 (<__libc_csu_init>:      push   r15)
    RSP: 0x7fffffffdb00 --> 0x60f3a0 --> 0x8000000c90b 
    RIP: 0x7ffff7bce936 (<xls_addCell+144>: mov    WORD PTR [rax],dx)
    R8 : 0x60f360 --> 0x0 
    R9 : 0x800000003000000 
    R10: 0x6f ('o')
    R11: 0x7ffff7bce8a6 (<xls_addCell>:     push   rbp)
    R12: 0x400b60 (<_start>:        xor    ebp,ebp)
    R13: 0x7fffffffdd50 --> 0x2 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7bce92b <xls_addCell+133>:    mov    rax,QWORD PTR [rbp-0x50]
       0x7ffff7bce92f <xls_addCell+137>:    movzx  edx,WORD PTR [rax]
       0x7ffff7bce932 <xls_addCell+140>:    mov    rax,QWORD PTR [rbp-0x28]
    => 0x7ffff7bce936 <xls_addCell+144>:    mov    WORD PTR [rax],dx
       0x7ffff7bce939 <xls_addCell+147>:    mov    rax,QWORD PTR [rbp-0x58]
       0x7ffff7bce93d <xls_addCell+151>:    movzx  eax,WORD PTR [rax+0x4]
       0x7ffff7bce941 <xls_addCell+155>:    cwde   
       0x7ffff7bce942 <xls_addCell+156>:    mov    edi,eax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffdb00 --> 0x60f3a0 --> 0x8000000c90b 
    0008| 0x7fffffffdb08 --> 0x607c50 --> 0xbbbbbbbbffffaaaa 
    0016| 0x7fffffffdb10 --> 0x7fffffffdb80 --> 0x2000bd 
    0024| 0x7fffffffdb18 --> 0x60f3a0 --> 0x8000000c90b 
    0032| 0x7fffffffdb20 --> 0x60f3a0 --> 0x8000000c90b 
    0040| 0x7fffffffdb28 --> 0x60f360 --> 0x0 
    0048| 0x7fffffffdb30 --> 0x800000003000000 
    0056| 0x7fffffffdb38 --> 0xdea898 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff7bce936 in xls_addCell (pWS=0x60f3a0, bof=0x7fffffffdb80, buf=0x607c50 
     "\252\252\377\377\273\273\273\273\314\314\314\314\335\335\335\335", 
    <incomplete sequence \345>) at xls.c:458
    458         cell->id=bof->id;
    gdb-peda$ bt
    #0  0x00007ffff7bce936 in xls_addCell (pWS=0x60f3a0, bof=0x7fffffffdb80, buf=0x607c50 
     "\252\252\377\377\273\273\273\273\314\314\314\314\335\335\335\335", 
    <incomplete sequence \345>) at xls.c:458
    #1  0x00007ffff7bd0b1a in xls_parseWorkSheet (pWS=0x60f3a0) at xls.c:1150
    #2  0x0000000000400ff8 in main (argc=0x2, argv=0x7fffffffdd58) at xls2csv.c:149
    #3  0x00007ffff781c830 in __libc_start_main (main=0x400d78 <main>, argc=0x2, argv=0x7fffffffdd58, init=<optimized out>, fini=
     <optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdd48) at ../csu/libc-
           start.c:291
    #4  0x0000000000400b89 in _start ()
    gdb-peda$ exploitable -m
    __main__:102: UserWarning: GDB v7.11 may not support required Python API
    Warning: machine string printing is deprecated and may be removed in a future release.
    EXCEPTION_FAULTING_ADDRESS:0x00000000dea898
    EXCEPTION_CODE:0xb
    FAULTING_INSTRUCTION:mov    WORD PTR [rax],dx
    MAJOR_HASH:34754c1fb7e7f36e18e374f783e4c876
    MINOR_HASH:34754c1fb7e7f36e18e374f783e4c876
    STACK_DEPTH:3
    STACK_FRAME:/home/icewall/bugs/libxls-1.4.0/build/lib/libxlsreader.so.1.2.1!xls_addCell+0x0
    STACK_FRAME:/home/icewall/bugs/libxls-1.4.0/build/lib/libxlsreader.so.1.2.1!xls_parseWorkSheet+0x0
    STACK_FRAME:/home/icewall/bugs/libxls-1.4.0/build/bin/xls2csv!main+0x0
    INSTRUCTION_ADDRESS:0x007ffff7bce936
    INVOKING_STACK_FRAME:0
    DESCRIPTION:Access violation on destination operand
    SHORT_DESCRIPTION:DestAv (9/29)
    OTHER_RULES:AccessViolation (28/29)
    CLASSIFICATION:EXPLOITABLE
    EXPLANATION:The target crashed on an access violation at an address matching the destination operand of the instruction. This 
         likely indicates a write access 
         violation, which means the attacker may control the write 
         address and/or value.
    Description: Access violation on destination operand
    Short description: DestAv (9/29)
    Hash: 34754c1fb7e7f36e18e374f783e4c876.34754c1fb7e7f36e18e374f783e4c876
    Exploitability Classification: EXPLOITABLE
    Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This    
         likely indicates a write access 
         violation, which means the attacker may control the 
         write address and/or value.
    Other tags: AccessViolation (28/29)
    

**Timeline**

2017-10-25 - Vendor Disclosure  
2017-11-15 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2017-12108: TALOS-2017-0460 || Cisco Talos Intelligence Group

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.

Document Title: =============== CentOS Web Panel v0.9.8.12 - CS Cross Site Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1835 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5961 CVE-ID: ======= CVE-2018-5961 Release Date: ============= 2018-01-17 Vulnerability Laboratory ID (VL-ID): ==================================== 1835 Common Vulnerability Scoring System: ==================================== 4 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) servers without of need to use ssh console for every little thing. There is lot's of options and features for server management in this control panel. CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…). (Copy of the Homepage: http://centos-webpanel.com/features ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the CentOS Web Panel v0.9.8.12. Vulnerability Disclosure Timeline: ================================== 2017-01-15: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed) Discovery Status: ================= Published Affected Product(s): ==================== CWP Product: CentOS Web Panel - (CWP) 0.9.8.12 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12. The vulnerability allows remote attackers to inject script code to the client-side browser to application requests. The client-side cross site web vulnerability is located in the \`module\` value of the \`index.php\` file GET method request. The vulnerability can be exploited by remote attackers with a prepared malicious link to the centos web-panel application. The request method to inject is GET and the attack vector is non-persistent. The injection point is the module parameter and the execution point occurs in the module exception. The security risk of the client-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the non-persisten vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules. Request Method(s): \[+\] GET Vulnerable Module(s): \[+\] index.php Vulnerable Parameter(s): \[+\] module Proof of Concept (PoC): ======================= The cross site scripting vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Dork(s): "powered by CentOS-WebPanel.com" PoC: Payload(s) http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C http://localhost:2030/index.php?module=clam PoC: Exception-Handling

The module clam>"<\[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!\]> does not exist.

\--- PoC Session Logs \[POST\] --- Status: 200\[OK\] GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframesrc=a%20onload=alert(document.cookie)%20%3C Mime Type\[text/html\] Request Header: Host\[localhost:2030\] User-Agent\[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Cookie\[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1\] Connection\[keep-alive\] Response Header: Server\[Apache/2.2.27 (Unix) mod\_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27\] X-Powered-By\[PHP/5.4.27\] Expires\[Thu, 19 Nov 1981 08:52:00 GMT\] Keep-Alive\[timeout=5, max=100\] Connection\[Keep-Alive\] Transfer-Encoding\[chunked\] Content-Type\[text/html\] Reference(s): http://localhost:2030/index.php Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable module parameter in the index-php file GET method request. Disallow special chars and restrict the parameter input to prevent further client-side script code injection attacks. Encode the output of the error exception for invalid inputs to prevent the execution point of the client-side vulnerability. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as medium. Credits & Authors: ================== Vulnerability-Lab \[admin@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2017 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5961

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

OpenSSH 7.6 was released on 2017-10-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: \* ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. \* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. \* ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. \* Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. \* ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- \* sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ \* ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. \* sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH\_USER\_AUTH environment variable in the subsequent session. \* ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. \* sshd(8): allow LogLevel directive in sshd\_config Match blocks; bz#2717 \* ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. \* ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 \* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. \* ssh-add(1): added -q option to make ssh-add quiet on success. \* ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 \* ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- \* ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 \* sftp(1): implement sorting for globbed ls; bz#2649 \* ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 \* ssh(1): accept unknown EXT\_INFO extension values that contain \\0 characters. These are legal, but would previously cause fatal connection errors if received. \* ssh(1)/sshd(8): repair compression statistics printed at connection exit \* sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 \* ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 \* ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 \* Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 \* sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 \* ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 \* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 \* ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. \* ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 \* sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 \* sshd\_config(8): document available AuthenticationMethods; bz#2453 \* ssh(1): avoid truncation in some login prompts; bz#2768 \* sshd(8): Fix various compilations failures, inc bz#2767 \* ssh(1): make "--" before the hostname terminate argument processing after the hostname too. \* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 \* ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 \* sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 \* sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 \* sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. \* Make integrity.sh regression tests more robust against timeouts. bz#2658 \* ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- \* sshd(9): drop two more privileges in the Solaris sandbox: PRIV\_DAX\_ACCESS and PRIV\_SYS\_IB\_INFO; bz#2723 \* sshd(8): expose list of completed authentication methods to PAM via the SSH\_AUTH\_INFO\_0 PAM environment variable. bz#2408 \* ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 \* Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. \* sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. \* Fix use of ldns when using ldns-config; bz#2697 \* configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. \* Add clang libFuzzer harnesses for public key parsing and signature verification. Checksums: ========== - SHA1 (openssh-7.6.tar.gz) = 157fe3989a245c58fcdb34d9fe722a3c4e14c008 - SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b - SHA256 (openssh-7.6.tar.gz) = Xu3bdpCcu65vM2FnW7b6IKLgd4Kvf2P3WBTMw+I7Bao= - SHA256 (openssh-7.6p1.tar.gz) = oyPK7t3+FFuqoNsW6Y14Sx+8fdQ2pr8fR539XNHSFyM= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE\_KEY.asc from the mirror sites. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

CVE-2017-15906

Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization

This is the test I came up with:

\+    def test\_write\_gitolite\_project\_test\_private(self):
+        """ Test the write\_gitolite\_acls function of pagure.lib.git with
+        a postconf set """
+
+        with open(self.outputconf, 'w') as stream:
+            pass
+
+        # Make the test project private
+        project = pagure.lib.\_get\_project(self.session, 'test')
+        project.private = True
+        self.session.add(project)
+        self.session.commit()
+
+        # Re-generate the gitolite config just for this project
+        helper = pagure.lib.git\_auth.get\_git\_auth\_helper('gitolite3')
+        helper.write\_gitolite\_acls(
+            self.session,
+            self.outputconf,
+            project=project,
+        )
+        self.assertTrue(os.path.exists(self.outputconf))
+
+        with open(self.outputconf) as stream:
+            data = stream.read().decode('utf-8')
+
+        exp = u"""@grp2  = foo
+@grp  = pingou
+# end of groups
+
+repo test
+  RW+ = pingou
+
+repo docs/test
+  RW+ = pingou
+
+repo tickets/test
+  RW+ = pingou
+
+repo requests/test
+  RW+ = pingou
+
+# end of body
+"""
+        print data
+        self.assertEqual(data, exp)
+

If someone can review this, I'll merge the PR manually.

CVE-2017-1002151: PR#2426: hide private repos in ssh too - pagure

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Secure Open Source has completed the following audits.

**Contents**

*   1 2019
    *   1.1 tcpdump & libpcap
    *   1.2 libssh
*   2 2018
    *   2.1 graphite
    *   2.2 Thunderbird and Enigmail
    *   2.3 SimpleSAMLphp
    *   2.4 oauth2-server
    *   2.5 Knot DNS
*   3 2017
    *   3.1 CakePHP
    *   3.2 chrony
    *   3.3 expat
    *   3.4 GNU libmicrohttpd
    *   3.5 oauth2-server
    *   3.6 dovecot
    *   3.7 ntp
    *   3.8 ntpsec
*   4 2016
    *   4.1 PCRE
    *   4.2 libjpeg-turbo
    *   4.3 phpMyAdmin
    *   4.4 dnsmasq
    *   4.5 zlib
    *   4.6 curl

**2019****tcpdump & libpcap**

Dates: 2019

tcpdump & libpcap are a powerful command-line packet analyzer and a portable C/C++ library for network traffic capture, respectively. The audit was performed by Michael Richardson.

The team found the following problems:

*   8 Verified Fixes

The documents are as follows:

*   Audit report
*   Fix and validation log

**libssh**

Dates: 2019

libshh is a multiplatform C library implementing the SSHv2 protocol on client and server side. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   1 Medium
*   7 Low
*   3 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**2018****graphite**

Dates: August 2018

graphite is "a "smart font" system developed specifically to handle the complexities of lesser-known languages of the world. The audit was performed by Radically Open Security.

The team found the following problems:

*   1 Elevated
*   9 Moderate
*   11 Low

The documents are as follows:

*   Audit report
*   Fix and validation log

**Thunderbird and Enigmail**

Dates: January 2018

Thunderbird and Enigmail work together to provide a free, simple interface for OpenPGP email security. The audit was performed by Cure53.

The team found the following problems:

*   3 Critical
*   3 High
*   3 Medium

The documents are as follows:

*   Audit report
*   Fix and validation log

**SimpleSAMLphp**

Dates: January 2018

SimpleSAMLphp is an application written in native PHP that deals with authentication. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   3 Medium
*   1 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**oauth2-server**

Dates: September 2017 - February 2018

oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by Least Authority.

The team found the following problems:

*   1 High
*   3 Medium
*   1 Low
*   2 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**Knot DNS**

Dates: September 2017 - January 2018

Knot DNS is a high-performance authoritative-only DNS server which supports all key features of the modern domain name system. Also audited was Knot Resolver, a caching full DNS resolver implementation, including both a resolver library and a daemon. The audit was performed by Least Authority.

The team found the following problems:

*   4 Medium
*   7 Low
*   2 Informational

Least Authority made the following comment on the code quality: "Overall,​ ​we​​ found​​ the​​ code​​ to​​ be​​ well​ structured​ and​ cleanly​ written. Additionally​ Knot​ makes good​ use​ of​ available​ tools,​ such​ as​ fuzzers​ and​ compiler​ sanitizers."

The documents are as follows:

*   Audit report
*   Fix and validation log

**2017****CakePHP**

Dates: July - November 2017

CakePHP is an open source web framework in PHP. The audit was performed by NCC Group.

The team found the following problems:

*   1 High
*   5 Medium
*   9 Low
*   5 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**chrony**

Dates: June - September 2017

chrony is an implementation of the Network Time Protocol, used either to set the time on a particular machine or act as an NTP server for other machines on the network. The audit was performed by Cure53, and kindly funded by CII.

The team found the following problems:

*   2 Low

Cure53 write: The overwhelmingly positive result of this security assignment performed by three Cure53 testers can be clearly inferred from a marginal number and low-risk nature of the findings amassed in this report. Withstanding eleven full days of on-remote testing in August of 2017 means that Chrony is robust, strong, and developed with security in mind. The software boasts sound design and is secure across all tested areas. It is quite safe to assume that untested software in the Chrony family is of a similarly exceptional quality. In general, the software proved to be well-structured and marked by the right abstractions at the appropriate locations. While the functional scope of the software is quite wide, the actual implementation is surprisingly elegant and of a minimal and just necessary complexity. In sum, the Chrony NTP software stands solid and can be seen as trustworthy.

The documents are as follows:

*   Audit report
*   Fix and validation log

**expat**

Dates: February - July 2017

expat is a stream-oriented XML parser library written in C. The audit was performed by Radically Open Security.

The team found the following problems:

*   4 Medium
*   3 Low

The documents are as follows:

*   Audit report
*   Fix and validation log

**GNU libmicrohttpd**

Dates: January - May 2017

GNU libmicrohttpd is a small embeddable HTTP 1.1 server written in C which supports TLS and IPv6. The audit was performed by Least Authority.

The team found the following problems:

*   1 Medium
*   2 Low
*   1 Informational

The documents are as follows:

*   Audit report
*   Fix and validation log

**oauth2-server**

Dates: December 2016 - January 2017

oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP. The audit was performed by independent auditor Brian Carpenter.

The team found the following problems:

*   1 Low

There is no fix and validation log; the subsystem in which the issue was found is being removed.

*   Audit report

**dovecot**

Dates: October 2016 - January 2017

dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server deployments worldwide. The audit was performed by Cure53.

The team found the following problems:

*   3 Low

The Cure53 team were extremely impressed with the quality of the dovecot code. They wrote: "Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations."

*   Audit report
*   Fix and validation log
*   Developer blog post

**ntp**

Dates: December 2016 - March 2017

ntp is a implementation of the Network Time Protocol. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   2 High
*   1 Medium
*   8 Low
*   2 Informational

This audit was performed at the same time as an audit of ntpsec, which is based on a version of the ntp code.

*   Audit report
*   Fix and validation log
*   Developer security announcement

**ntpsec**

Dates: December 2016 - March 2017

ntpsec is a implementation of the Network Time Protocol, a fork of ntp. The audit was performed by Cure53.

The team found the following problems:

*   3 High
*   1 Medium
*   3 Low
*   1 Informational

This audit was performed at the same time as an audit of ntp, of which this codebase is a fork.

*   Audit report
*   Fix and validation log
*   Developer blog post

**2016****PCRE**

Dates: October 2015 - June 2016

PCRE (Perl-Compatible Regular Expressions) is a C library for implementing regular expressions in a codebase. It is used in various open source projects including Exim, Apache, PHP and KDE, as well as Apple Safari. We audited PCRE2, a newer version which is currently less commonly-used but which is expected to become increasingly common. The audit was performed by Cure53.

The team found the following problems:

*   1 Critical
*   5 Medium
*   20 Low
*   3 Informational

The critical vulnerability was a stack buffer overflow which could have led to arbitrary code execution when compiling untrusted regular expressions.

*   Audit report
*   Fix and validation log

**libjpeg-turbo**

Dates: November 2015 - June 2016

libjpeg-turbo is a fork of the libjpeg codebase which is particularly focussed on speed, and on compatibility with the most commonly-used standard profiles of JPEG. It is used by a number of open source projects, including Chrome, LibreOffice, Firefox and various flavours of VNC. The audit was performed by Cure53.

The team found the following problems:

*   1 High
*   2 Medium
*   2 Low

The high vulnerability was an out-of-bounds read. It is unclear exactly how exploitable it was. However, more interesting were the two medium vulnerabilities, which were initially reported as DoS bugs in the libjpeg-turbo library but on further investigation were found to be issues with the JPEG standard itself. These issues were reproduced across multiple JPEG implementations, can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself. We have written up these issues in a separate report, along with our suggestions as to how applications using JPEG can mitigate them in their own code.

*   Audit report
*   Fix and validation log
*   Special report on issues in the JPEG standard

**phpMyAdmin**

Dates: May - June 2016

phpMyAdmin is a web-based administration tool for MySQL databases. The audit was performed by NCC Group.

The team found the following problems:

*   3 Medium
*   5 Low
*   1 Informational

NCC Group found no serious issues in this codebase.

*   Audit report
*   Fix and validation log
*   Developer blog post

**dnsmasq**

Dates: May - August 2016

dnsmasq is a lightweight implementation of DNS, DHCP, router advertisement and network boot. It is used in resource-constrained environments such as routers and firewalls (e.g. openWRT and DD-WRT), Android, and OpenStack. The audit was performed by Cure53.

The team found the following problems:

*   1 Medium
*   5 Low

*   Audit report
*   Fix and validation log

**zlib**

Dates: July - September 2016

zlib is a compression library implementing the 'deflate' compression algorithm, used in countless applications. The audit was performed by Trail of Bits.

The team found the following problems:

*   1 Medium
*   4 Low

*   Audit report
*   Fix and validation log

One of the Low severity issues is still under discussion between the zlib development team and the auditors, as they are working out how to resolve it without performance degradation.

**curl**

Dates: August - November 2016

curl is a command-line application for transferring data, most usually over HTTP or HTTPS. The audit was performed by Cure53.

The team found the following problems:

*   4 High
*   5 Medium
*   9 Low
*   5 Informational

8 of the vulnerabilities resulted in security advisories being produced by the curl team on November 2nd, 2016.

*   Audit report
*   Fix and validation log
*   Developer blog post

CVE-2016-9840: MOSS/Secure Open Source/Completed - MozillaWiki

The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.

**Matt Johnston** matt at ucc.asn.au  
_Thu May 18 23:02:09 AWST 2017_

*   Previous message: Errorcodes
*   Next message: Dropbear 2017.75
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Hi all,

Dropbear 2017.75 is released. This has a couple of security
fixes and a couple of bug fixes since 2016.74.

https://matt.ucc.asn.au/dropbear/dropbear.html

I'm intending to make another release in the next couple of
weeks including the various pending fixes in the Mercurial
tree and pull requests.  That's a bit more obtrusive with
changes to options.h and #ifdef => #if.

Cheers,
Matt

2017.75 - 18 May 2017

- Security: Fix double-free in server TCP listener cleanup
  A double-free in the server could be triggered by an authenticated user if
  dropbear is running with -a (Allow connections to forwarded ports from any host)
  This could potentially allow arbitrary code execution as root by an authenticated user.
  Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash.

- Security: Fix information disclosure with ~/.ssh/authorized\_keys symlink.
  Dropbear parsed authorized\_keys as root, even if it were a symlink. The fix
  is to switch to user permissions when opening authorized\_keys

  A user could symlink their ~/.ssh/authorized\_keys to a root-owned file they
  couldn't normally read. If they managed to get that file to contain valid
  authorized\_keys with command= options it might be possible to read other
  contents of that file.
  This information disclosure is to an already authenticated user.
  Thanks to Jann Horn of Google Project Zero for reporting this.

- Generate hostkeys with dropbearkey atomically and flush to disk with fsync
  Thanks to Andrei Gherzan for a patch

- Fix out of tree builds with bundled libtom
  Thanks to Henrik Nordström and Peter Krefting for patches.

*   Previous message: Errorcodes
*   Next message: Dropbear 2017.75
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the Dropbear mailing list

CVE-2017-9078: Dropbear 2017.75

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.

'1298741?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2016-1908: Invalid Bug ID

Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

@@ -1,4 +1,4 @@ /\* $OpenBSD: ssh-agent.c,v 1.214 2016/09/12 01:22:38 deraadt Exp $ \*/ /\* $OpenBSD: ssh-agent.c,v 1.215 2016/11/30 03:07:37 djm Exp $ \*/ /\* \* Author: Tatu Ylonen <ylo@cs.hut.fi> \* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland Expand Down Expand Up @@ -69,11 +69,16 @@ #include "misc.h" #include "digest.h" #include "ssherr.h" #include "match.h"  
#ifdef ENABLE\_PKCS11 #include "ssh-pkcs11.h" #endif  
#ifndef DEFAULT\_PKCS11\_WHITELIST \# define DEFAULT\_PKCS11\_WHITELIST "/usr/lib/\*,/usr/local/lib/\*" #endif  
typedef enum { AUTH\_UNUSED, AUTH\_SOCKET, Expand Down Expand Up @@ -121,6 +126,9 @@ pid\_t cleanup\_pid = 0; char socket\_name\[PATH\_MAX\]; char socket\_dir\[PATH\_MAX\];  
/\* PKCS#11 path whitelist \*/ static char \*pkcs11\_whitelist;  
/\* locking \*/ #define LOCK\_SIZE 32 #define LOCK\_SALT\_SIZE 16 Expand Down Expand Up @@ -724,7 +732,7 @@ no\_identities(SocketEntry \*e, u\_int type) static void process\_add\_smartcard\_key(SocketEntry \*e) { char \*provider \= NULL, \*pin; char \*provider \= NULL, \*pin, canonical\_provider\[PATH\_MAX\]; int r, i, version, count \= 0, success \= 0, confirm \= 0; u\_int seconds; time\_t death \= 0; Expand Down Expand Up @@ -756,19 +764,30 @@ process\_add\_smartcard\_key(SocketEntry \*e) goto send; } } if (realpath(provider, canonical\_provider) \== NULL) { verbose("failed PKCS#11 add of \\"%.100s\\": realpath: %s", provider, strerror(errno)); goto send; } if (match\_pattern\_list(canonical\_provider, pkcs11\_whitelist, 0) != 1) { verbose("refusing PKCS#11 add of \\"%.100s\\": " "provider not whitelisted", canonical\_provider); goto send; } debug("%s: add %.100s", \_\_func\_\_, canonical\_provider); if (lifetime && !death) death \= monotime() + lifetime;  
count \= pkcs11\_add\_provider(provider, pin, &keys); count \= pkcs11\_add\_provider(canonical\_provider, pin, &keys); for (i \= 0; i < count; i++) { k \= keys\[i\]; version \= k\->type \== KEY\_RSA1 ? 1 : 2; tab \= idtab\_lookup(version); if (lookup\_identity(k, version) \== NULL) { id \= xcalloc(1, sizeof(Identity)); id\->key \= k; id\->provider \= xstrdup(provider); id\->comment \= xstrdup(provider); /\* XXX \*/ id\->provider \= xstrdup(canonical\_provider); id\->comment \= xstrdup(canonical\_provider); /\* XXX \*/ id\->death \= death; id\->confirm \= confirm; TAILQ\_INSERT\_TAIL(&tab\->idlist, id, next); Expand Down Expand Up @@ -1157,7 +1176,7 @@ usage(void) { fprintf(stderr, "usage: ssh-agent \[-c | -s\] \[-Dd\] \[-a bind\_address\] \[-E fingerprint\_hash\]\\n" " \[-t life\] \[command \[arg ...\]\]\\n" " \[-P pkcs11\_whitelist\] \[-t life\] \[command \[arg ...\]\]\\n" " ssh-agent \[-c | -s\] -k\\n"); exit(1); } Expand Down Expand Up @@ -1191,7 +1210,7 @@ main(int ac, char \*\*av) OpenSSL\_add\_all\_algorithms(); #endif  
while ((ch \= getopt(ac, av, "cDdksE:a:t:")) != \-1) { while ((ch \= getopt(ac, av, "cDdksE:a:P:t:")) != \-1) { switch (ch) { case 'E': fingerprint\_hash \= ssh\_digest\_alg\_by\_name(optarg); Expand All @@ -1206,6 +1225,11 @@ main(int ac, char \*\*av) case 'k': k\_flag++; break; case 'P': if (pkcs11\_whitelist != NULL) fatal("-P option already specified"); pkcs11\_whitelist \= xstrdup(optarg); break; case 's': if (c\_flag) usage(); Expand Down Expand Up @@ -1240,6 +1264,9 @@ main(int ac, char \*\*av) if (ac \> 0 && (c\_flag || k\_flag || s\_flag || d\_flag || D\_flag)) usage();  
if (pkcs11\_whitelist \== NULL) pkcs11\_whitelist \= xstrdup(DEFAULT\_PKCS11\_WHITELIST);  
if (ac \== 0 && !c\_flag && !s\_flag) { shell \= getenv("SHELL"); if (shell != NULL && (len \= strlen(shell)) \> 2 && Expand Down Expand Up @@ -1385,7 +1412,7 @@ main(int ac, char \*\*av) signal(SIGTERM, cleanup\_handler); nalloc \= 0;  
if (pledge("stdio cpath unix id proc exec", NULL) \== \-1) if (pledge("stdio rpath cpath unix id proc exec", NULL) \== \-1) fatal("%s: pledge: %s", \_\_progname, strerror(errno));  
while (1) { Expand Down

Tag

#ssh