untrusted comment: signature from openbsd 5.7 base secret key RWSvUZXnw9gUb+vi10cqgMKu2LfcwOkFdyx8OskgpLkH/O/AEOTn1gEsaBmr4HvlTlnd9Z8egvmDvfB1SL4pcM6+g3+kcS5TtwI= OpenBSD 5.7 errata 23, Mar 10, 2016: Lack of credential sanitization allows injection of commands to xauth(1). More information: http://www.openssh.com/txt/x11fwd.adv Prevent this problem immediately by not using the "X11Forwarding" feature (which is disabled by default). Apply by doing: signify -Vep /etc/signify/openbsd-57-base.pub -x 023_sshd.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install sshd: cd /usr/src/usr.bin/ssh make obj make depend make make install Index: usr.bin/ssh/session.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/session.c,v retrieving revision 1.277 diff -u -p -u -r1.277 session.c --- usr.bin/ssh/session.c 16 Jan 2015 06:40:12 -0000 1.277 +++ usr.bin/ssh/session.c 9 Mar 2016 17:03:04 -0000 @@ -40,6 +40,7 @@ #include #include +#include #include #include #include @@ -255,6 +256,22 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_' && s[i] != '[' && + s[i] != ']') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -328,7 +345,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -1800,7 +1823,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data);