pull up r19396 from trunk
authorTom Yu <tlyu@mit.edu>
Wed, 4 Apr 2007 21:39:26 +0000 (21:39 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 4 Apr 2007 21:39:26 +0000 (21:39 +0000)
 r19396@cathode-dark-space:  tlyu | 2007-04-03 17:27:25 -0400
 ticket: new
 subject: MITKRB5-SA-2007-001: telnetd allows login as arbitrary user
 tags: pullup
 target_version: 1.6.1

 Fix MITKRB5-SA-2007-001:

  * src/appl/telnet/telnetd/sys_term.c (start_login): Add "--"
  argument preceding username, in addition to the original patch.
  Explicitly check for leading hyphen in username.

  * src/appl/telnet/telnetd/state.c (envvarok): Check for leading
  hyphen in environment variables.  On advice from Shawn Emery, not
  using strchr() as in the original patch.

ticket: 5508
version_fixed: 1.6.1

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19398 dc483132-0cff-0310-8789-dd5450dbe970

src/appl/telnet/telnetd/state.c
src/appl/telnet/telnetd/sys_term.c

index e08c5bb13ad035348085b06c88c8f21afe2ee2ac..4693fc912647c92e8108c7cb24e692a42224d1e1 100644 (file)
@@ -1665,7 +1665,8 @@ static int envvarok(varp)
            strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
            strcmp(varp, "NLSPATH") && /* locale stuff */
            strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
-           strcmp(varp, "IFS")) {
+           strcmp(varp, "IFS") &&
+           (varp[0] != '-')) {
                return 1;
        } else {
                syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
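Review bot: The new `(varp[0] != '-')` term is the only member of this condition chain without a trailing comment, and its purpose is not clear from envvarok alone. A short comment such as `/* name could be taken as an option by login */` would keep the link to start_login visible, since the last hunk of this commit passes environment entries to login as arguments. The rejection is already recorded by the existing syslog call in the else branch, so no extra logging is needed here. envvarok begins above this hunk and continues below it.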
index bfd1f81afeb8454baaa868526a08a9562c6a534a..d78c2e83dea6d53ac66f09e17cad6a1a0a1956ad 100644 (file)
@@ -1287,12 +1287,25 @@ start_login(host, autologin, name)
 #endif
 #if    defined (AUTHENTICATION)
        if (auth_level >= 0 && autologin == AUTH_VALID) {
+               if (name[0] == '-') {
+                   /*
+                    * Authenticated and authorized to log in to an
+                    * account starting with '-'?  Even if that
+                    * unlikely case comes to pass, the current login
+                    * program will not parse the resulting command
+                    * line properly.
+                    */
+                   syslog(LOG_ERR, "user name cannot start with '-'");
+                   fatal(net, "user name cannot start with '-'");
+                   exit(1);
+               }
 # if   !defined(NO_LOGIN_F)
 #if    defined(LOGIN_CAP_F)
                argv = addarg(argv, "-F");
 #else
                argv = addarg(argv, "-f");
 #endif
+               argv = addarg(argv, "--");
                argv = addarg(argv, name);
 # else
 #  if defined(LOGIN_R)
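Review bot: The syslog call added in the `name[0] == '-'` branch records nothing about the peer, so the log line cannot be tied to a connection during an investigation. start_login already receives `host`; assuming it is the peer's host string, `syslog(LOG_ERR, "user name cannot start with '-' (from %s)", host);` would make the event usable for detection. The same applies to the identical call in the `getenv("USER")` branch of the next hunk. Any client-supplied text added to the message should go through a `%s` argument and never into the format string. start_login begins before this hunk and continues after it.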
@@ -1371,17 +1384,27 @@ start_login(host, autologin, name)
                        pty = xpty;
                }
 #  else
+               argv = addarg(argv, "--");
                argv = addarg(argv, name);
 #  endif
 # endif
        } else
 #endif
        if (getenv("USER")) {
-               argv = addarg(argv, getenv("USER"));
+               char *user = getenv("USER");
+               if (user[0] == '-') {
+                   /* "telnet -l-x ..." */
+                   syslog(LOG_ERR, "user name cannot start with '-'");
+                   fatal(net, "user name cannot start with '-'");
+                   exit(1);
+               }
+               argv = addarg(argv, "--");
+               argv = addarg(argv, user);
 #if    defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
                {
                        register char **cpp;
                        for (cpp = environ; *cpp; cpp++)
+                           if ((*cpp)[0] != '-')
                                argv = addarg(argv, *cpp);
                }
 #endif
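Review bot: The filter added inside the `for (cpp = environ; *cpp; cpp++)` loop drops entries silently and hangs an unbraced `if` under an unbraced `for`, which is easy to break when another statement is added. Because `--` is already appended earlier in this branch, the check looks like defence in depth on top of the envvarok change in state.c. A comment saying so, for example `/* should already be rejected by envvarok(); never pass login an option-looking argument */`, plus braces around both bodies would make that intent explicit. If a skipped entry is unexpected at this point, a `syslog(LOG_INFO, ...)` in an else branch would leave a trace instead of discarding it quietly.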