From a7da1af68893bb67ccb9d2cccd7e135e6432c888 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Jan 10 2024 14:19:49 +0000
Subject: Forbid shell metasymbols in username/hostname
Resolves: CVE-2023-51385
---
diff --git a/openssh-9.6p1-CVE-2023-51385.patch b/openssh-9.6p1-CVE-2023-51385.patch
new file mode 100644
index 0000000..7596d20
--- /dev/null
+++ b/openssh-9.6p1-CVE-2023-51385.patch
@@ -0,0 +1,57 @@
+diff --git a/ssh.c b/ssh.c
+index 35c48e62..48d93ddf 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
+ free(cinfo);
+ }
+
++static int
++valid_hostname(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Main program for the ssh client.
+ */
+@@ -1118,6 +1153,10 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
++ if (!valid_hostname(host))
++ fatal("hostname contains invalid characters");
++ if (options.user != NULL && !valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
+ options.host_arg = xstrdup(host);
+
+ /* Initialize the command to execute on remote host. */
diff --git a/openssh.spec b/openssh.spec
index ecad6bc..dcf0ec8 100644
--- a/openssh.spec
+++ b/openssh.spec
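Review bot: valid_ruser() accepts several characters that valid_hostname() rejects (`$`, a backslash anywhere except the last position, whitespace not followed by `-`, and control characters), and the patch gives no reason for the narrower list. If the leniency is deliberate, record it above the function, e.g. `/* Less strict than valid_hostname(): '$', inner whitespace and non-final '\' are accepted in user names. */`; if it is not, adding `|| iscntrl((u_char)s[i])` to the first test would keep newlines and other control bytes out. The two calls added to main() sit directly after `if (!host) usage();`, so they cover only the host and user known at that point. main() continues outside the hunk, so whether values set later (for example from configuration files) pass through the same checks is not visible here.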
@@ -47,7 +47,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.3p1
-%global openssh_rel 9
+%global openssh_rel 10
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 9
@@ -231,6 +231,7 @@ Patch1014: openssh-8.7p1-nohostsha1proof.patch
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 # upstream b7afd8a4ecaca8afd3179b55e9db79c0ff210237
 Patch1016: openssh-9.3p1-openssl-compat.patch
+Patch1017: openssh-9.6p1-CVE-2023-51385.patch
 License: BSD
 Requires: /sbin/nologin
@@ -435,6 +436,7 @@ popd
 %patch -P 1014 -p1 -b .nosha1hostproof
 %patch -P 1015 -p1 -b .cve-2023-38408
 %patch -P 1016 -p1 -b .ossl-version
+%patch -P 1017 -p1 -b .cve-2023-51385
 %patch -P 100 -p1 -b .coverity
@@ -744,6 +746,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Wed Jan 10 2024 Dmitry Belyavskiy - 9.3p1-10
+- Forbid shell metasymbols in username/hostname
+ Resolves: CVE-2023-51385
+
 * Fri Sep 08 2023 Dmitry Belyavskiy - 9.3p1-9
 - Revert "Remove sshd.socket unit (rhbz#2025716)" according to FESCO decision