1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
Fix CVE-2017-14176:
https://bugs.launchpad.net/bzr/+bug/1710979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1:
https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
Bug: https://bugs.launchpad.net/brz/+bug/1710979
Bug-Debian: https://bugs.debian.org/874429
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
Forwarded: no
Author: Jelmer Vernooij <jelmer@jelmer.uk>
Last-Update: 2017-11-26
=== modified file 'bzrlib/tests/test_ssh_transport.py'
--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000
+++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000
@@ -22,6 +22,7 @@
SSHCorpSubprocessVendor,
LSHSubprocessVendor,
SSHVendorManager,
+ StrangeHostname,
)
@@ -161,6 +162,19 @@
class SubprocessVendorsTests(TestCase):
+ def test_openssh_command_tricked(self):
+ vendor = OpenSSHSubprocessVendor()
+ self.assertEqual(
+ vendor._get_vendor_specific_argv(
+ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
+ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
+ "-oClearAllForwardings=yes",
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
+ "--",
+ "-oProxyCommand=blah", "bzr"])
+
def test_openssh_command_arguments(self):
vendor = OpenSSHSubprocessVendor()
self.assertEqual(
@@ -171,6 +185,7 @@
"-oNoHostAuthenticationForLocalhost=yes",
"-p", "100",
"-l", "user",
+ "--",
"host", "bzr"]
)
@@ -184,9 +199,16 @@
"-oNoHostAuthenticationForLocalhost=yes",
"-p", "100",
"-l", "user",
- "-s", "host", "sftp"]
+ "-s", "--", "host", "sftp"]
)
+ def test_openssh_command_tricked(self):
+ vendor = SSHCorpSubprocessVendor()
+ self.assertRaises(
+ StrangeHostname,
+ vendor._get_vendor_specific_argv,
+ "user", "-oProxyCommand=host", 100, command=["bzr"])
+
def test_sshcorp_command_arguments(self):
vendor = SSHCorpSubprocessVendor()
self.assertEqual(
@@ -209,6 +231,13 @@
"-s", "sftp", "host"]
)
+ def test_lsh_command_tricked(self):
+ vendor = LSHSubprocessVendor()
+ self.assertRaises(
+ StrangeHostname,
+ vendor._get_vendor_specific_argv,
+ "user", "-oProxyCommand=host", 100, command=["bzr"])
+
def test_lsh_command_arguments(self):
vendor = LSHSubprocessVendor()
self.assertEqual(
@@ -231,6 +260,13 @@
"--subsystem", "sftp", "host"]
)
+ def test_plink_command_tricked(self):
+ vendor = PLinkSubprocessVendor()
+ self.assertRaises(
+ StrangeHostname,
+ vendor._get_vendor_specific_argv,
+ "user", "-oProxyCommand=host", 100, command=["bzr"])
+
def test_plink_command_arguments(self):
vendor = PLinkSubprocessVendor()
self.assertEqual(
=== modified file 'bzrlib/transport/ssh.py'
--- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000
+++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000
@@ -46,6 +46,10 @@
from paramiko.sftp_client import SFTPClient
+class StrangeHostname(errors.BzrError):
+ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
+
+
SYSTEM_HOSTKEYS = {}
BZR_HOSTKEYS = {}
@@ -360,6 +364,11 @@
# tests, but beware of using PIPE which may hang due to not being read.
_stderr_target = None
+ @staticmethod
+ def _check_hostname(arg):
+ if arg.startswith('-'):
+ raise StrangeHostname(hostname=arg)
+
def _connect(self, argv):
# Attempt to make a socketpair to use as stdin/stdout for the SSH
# subprocess. We prefer sockets to pipes because they support
@@ -424,9 +433,9 @@
if username is not None:
args.extend(['-l', username])
if subsystem is not None:
- args.extend(['-s', host, subsystem])
+ args.extend(['-s', '--', host, subsystem])
else:
- args.extend([host] + command)
+ args.extend(['--', host] + command)
return args
register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
@@ -439,6 +448,7 @@
def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
command=None):
+ self._check_hostname(host)
args = [self.executable_path, '-x']
if port is not None:
args.extend(['-p', str(port)])
@@ -460,6 +470,7 @@
def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
command=None):
+ self._check_hostname(host)
args = [self.executable_path]
if port is not None:
args.extend(['-p', str(port)])
@@ -481,6 +492,7 @@
def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
command=None):
+ self._check_hostname(host)
args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
if port is not None:
args.extend(['-P', str(port)])
|