gnu/packages/patches/bazaar-CVE-2017-14176.patch

   1 Fix CVE-2017-14176:
   2
   3 https://bugs.launchpad.net/bzr/+bug/1710979
   4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
   5
   6 Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1:
   7
   8 https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
   9
  10 Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
  11 Bug: https://bugs.launchpad.net/brz/+bug/1710979
  12 Bug-Debian: https://bugs.debian.org/874429
  13 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
  14 Forwarded: no
  15 Author: Jelmer Vernooĳ <jelmer@jelmer.uk>
  16 Last-Update: 2017-11-26
  17
  18 === modified file 'bzrlib/tests/test_ssh_transport.py'
  19 --- old/bzrlib/tests/test_ssh_transport.py      2010-10-07 12:45:51 +0000
  20 +++ new/bzrlib/tests/test_ssh_transport.py      2017-08-20 01:59:20 +0000
  21 @@ -22,6 +22,7 @@
  22      SSHCorpSubprocessVendor,
  23      LSHSubprocessVendor,
  24      SSHVendorManager,
  25 +    StrangeHostname,
  26      )
  27
  28
  29 @@ -161,6 +162,19 @@
  30
  31  class SubprocessVendorsTests(TestCase):
  32
  33 +    def test_openssh_command_tricked(self):
  34 +        vendor = OpenSSHSubprocessVendor()
  35 +        self.assertEqual(
  36 +            vendor._get_vendor_specific_argv(
  37 +                "user", "-oProxyCommand=blah", 100, command=["bzr"]),
  38 +            ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
  39 +                "-oClearAllForwardings=yes",
  40 +                "-oNoHostAuthenticationForLocalhost=yes",
  41 +                "-p", "100",
  42 +                "-l", "user",
  43 +                "--",
  44 +                "-oProxyCommand=blah", "bzr"])
  45 +
  46      def test_openssh_command_arguments(self):
  47          vendor = OpenSSHSubprocessVendor()
  48          self.assertEqual(
  49 @@ -171,6 +185,7 @@
  50                  "-oNoHostAuthenticationForLocalhost=yes",
  51                  "-p", "100",
  52                  "-l", "user",
  53 +                "--",
  54                  "host", "bzr"]
  55              )
  56
  57 @@ -184,9 +199,16 @@
  58                  "-oNoHostAuthenticationForLocalhost=yes",
  59                  "-p", "100",
  60                  "-l", "user",
  61 -                "-s", "host", "sftp"]
  62 +                "-s", "--", "host", "sftp"]
  63              )
  64
  65 +    def test_openssh_command_tricked(self):
  66 +        vendor = SSHCorpSubprocessVendor()
  67 +        self.assertRaises(
  68 +            StrangeHostname,
  69 +            vendor._get_vendor_specific_argv,
  70 +                "user", "-oProxyCommand=host", 100, command=["bzr"])
  71 +
  72      def test_sshcorp_command_arguments(self):
  73          vendor = SSHCorpSubprocessVendor()
  74          self.assertEqual(
  75 @@ -209,6 +231,13 @@
  76                  "-s", "sftp", "host"]
  77              )
  78
  79 +    def test_lsh_command_tricked(self):
  80 +        vendor = LSHSubprocessVendor()
  81 +        self.assertRaises(
  82 +            StrangeHostname,
  83 +            vendor._get_vendor_specific_argv,
  84 +                "user", "-oProxyCommand=host", 100, command=["bzr"])
  85 +
  86      def test_lsh_command_arguments(self):
  87          vendor = LSHSubprocessVendor()
  88          self.assertEqual(
  89 @@ -231,6 +260,13 @@
  90                  "--subsystem", "sftp", "host"]
  91              )
  92
  93 +    def test_plink_command_tricked(self):
  94 +        vendor = PLinkSubprocessVendor()
  95 +        self.assertRaises(
  96 +            StrangeHostname,
  97 +            vendor._get_vendor_specific_argv,
  98 +                "user", "-oProxyCommand=host", 100, command=["bzr"])
  99 +
 100      def test_plink_command_arguments(self):
 101          vendor = PLinkSubprocessVendor()
 102          self.assertEqual(
 103
 104 === modified file 'bzrlib/transport/ssh.py'
 105 --- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000
 106 +++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000
 107 @@ -46,6 +46,10 @@
 108      from paramiko.sftp_client import SFTPClient
 109
 110
 111 +class StrangeHostname(errors.BzrError):
 112 +    _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
 113 +
 114 +
 115  SYSTEM_HOSTKEYS = {}
 116  BZR_HOSTKEYS = {}
 117
 118 @@ -360,6 +364,11 @@
 119      # tests, but beware of using PIPE which may hang due to not being read.
 120      _stderr_target = None
 121
 122 +    @staticmethod
 123 +    def _check_hostname(arg):
 124 +        if arg.startswith('-'):
 125 +            raise StrangeHostname(hostname=arg)
 126 +
 127      def _connect(self, argv):
 128          # Attempt to make a socketpair to use as stdin/stdout for the SSH
 129          # subprocess.  We prefer sockets to pipes because they support
 130 @@ -424,9 +433,9 @@
 131          if username is not None:
 132              args.extend(['-l', username])
 133          if subsystem is not None:
 134 -            args.extend(['-s', host, subsystem])
 135 +            args.extend(['-s', '--', host, subsystem])
 136          else:
 137 -            args.extend([host] + command)
 138 +            args.extend(['--', host] + command)
 139          return args
 140
 141  register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
 142 @@ -439,6 +448,7 @@
 143
 144      def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
 145                                    command=None):
 146 +        self._check_hostname(host)
 147          args = [self.executable_path, '-x']
 148          if port is not None:
 149              args.extend(['-p', str(port)])
 150 @@ -460,6 +470,7 @@
 151
 152      def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
 153                                    command=None):
 154 +        self._check_hostname(host)
 155          args = [self.executable_path]
 156          if port is not None:
 157              args.extend(['-p', str(port)])
 158 @@ -481,6 +492,7 @@
 159
 160      def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
 161                                    command=None):
 162 +        self._check_hostname(host)
 163          args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
 164          if port is not None:
 165              args.extend(['-P', str(port)])
 166