base repository: NixOS/nixpkgs
base: dd8ba51abe93
head repository: NixOS/nixpkgs
compare: 8de1206d0c89
  • 1 commit
  • 2 files changed
  • 1 contributor

Commits on Aug 3, 2018

  1. bazaar: actually fix patch

    My previous attempt to be clever failed, and I'm now bringing over the
    patch from master instead
    copumpkin committed Aug 3, 2018
Showing with 150 additions and 5 deletions.
  1. +149 −0 pkgs/applications/version-management/bazaar/CVE-2017-14176.patch
  2. +1 −5 pkgs/applications/version-management/bazaar/default.nix
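--- /dev/null
+++ b/pkgs/applications/version-management/bazaar/CVE-2017-14176.patch
@@ -0,0 +1,149 @@
+diff --git a/bzrlib/tests/test_ssh_transport.py b/bzrlib/tests/test_ssh_transport.py
+index 9e37c3b..fe9f219 100644
+--- a/bzrlib/tests/test_ssh_transport.py
++++ b/bzrlib/tests/test_ssh_transport.py
+@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
+SSHCorpSubprocessVendor,
+LSHSubprocessVendor,
+SSHVendorManager,
++ StrangeHostname,
+)
+
+
+@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
+
+class SubprocessVendorsTests(TestCase):
+
++ def test_openssh_command_tricked(self):
++ vendor = OpenSSHSubprocessVendor()
++ self.assertEqual(
++ vendor._get_vendor_specific_argv(
++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++ "-oClearAllForwardings=yes",
++ "-oNoHostAuthenticationForLocalhost=yes",
++ "-p", "100",
++ "-l", "user",
++ "--",
++ "-oProxyCommand=blah", "bzr"])
++
+def test_openssh_command_arguments(self):
+vendor = OpenSSHSubprocessVendor()
+self.assertEqual(
+@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
+"-oNoHostAuthenticationForLocalhost=yes",
+"-p", "100",
+"-l", "user",
++ "--",
+"host", "bzr"]
+)
+
+@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
+"-oNoHostAuthenticationForLocalhost=yes",
+"-p", "100",
+"-l", "user",
+- "-s", "host", "sftp"]
++ "-s", "--", "host", "sftp"]
+)
+
++ def test_openssh_command_tricked(self):
++ vendor = SSHCorpSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+def test_sshcorp_command_arguments(self):
+vendor = SSHCorpSubprocessVendor()
+self.assertEqual(
+@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
+"-s", "sftp", "host"]
+)
+
++ def test_lsh_command_tricked(self):
++ vendor = LSHSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+def test_lsh_command_arguments(self):
+vendor = LSHSubprocessVendor()
+self.assertEqual(
+@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
+"--subsystem", "sftp", "host"]
+)
+
++ def test_plink_command_tricked(self):
++ vendor = PLinkSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+def test_plink_command_arguments(self):
+vendor = PLinkSubprocessVendor()
+self.assertEqual(
+diff --git a/bzrlib/transport/ssh.py b/bzrlib/transport/ssh.py
+index eecaa26..6f22341 100644
+--- a/bzrlib/transport/ssh.py
++++ b/bzrlib/transport/ssh.py
+@@ -46,6 +46,10 @@ else:
+from paramiko.sftp_client import SFTPClient
+
+
++class StrangeHostname(errors.BzrError):
++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+SYSTEM_HOSTKEYS = {}
+BZR_HOSTKEYS = {}
+
+@@ -360,6 +364,11 @@ class SubprocessVendor(SSHVendor):
+# tests, but beware of using PIPE which may hang due to not being read.
+_stderr_target = None
+
++ @staticmethod
++ def _check_hostname(arg):
++ if arg.startswith('-'):
++ raise StrangeHostname(hostname=arg)
++
+def _connect(self, argv):
+# Attempt to make a socketpair to use as stdin/stdout for the SSH
+# subprocess. We prefer sockets to pipes because they support
+@@ -424,9 +433,9 @@ class OpenSSHSubprocessVendor(SubprocessVendor):
+if username is not None:
+args.extend(['-l', username])
+if subsystem is not None:
+- args.extend(['-s', host, subsystem])
++ args.extend(['-s', '--', host, subsystem])
+else:
+- args.extend([host] + command)
++ args.extend(['--', host] + command)
+return args
+
+register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -439,6 +448,7 @@ class SSHCorpSubprocessVendor(SubprocessVendor):
+
+def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+command=None):
++ self._check_hostname(host)
+args = [self.executable_path, '-x']
+if port is not None:
+args.extend(['-p', str(port)])
+@@ -460,6 +470,7 @@ class LSHSubprocessVendor(SubprocessVendor):
+
+def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+command=None):
++ self._check_hostname(host)
+args = [self.executable_path]
+if port is not None:
+args.extend(['-p', str(port)])
+@@ -481,6 +492,7 @@ class PLinkSubprocessVendor(SubprocessVendor):
+
+def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+command=None):
++ self._check_hostname(host)
+args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+if port is not None:
+args.extend(['-P', str(port)])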
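--- a/pkgs/applications/version-management/bazaar/default.nix
+++ b/pkgs/applications/version-management/bazaar/default.nix
@@ -21,11 +21,7 @@ python2Packages.buildPythonApplication rec {
 patches = [
 # Bazaar can't find the certificates alone
 ./add_certificates.patch
-(fetchpatch {
-url = "https://bazaar.launchpad.net/~brz/brz/trunk/diff/6754?context=3";
-sha256 = "1z1cj082lj6qkklhyza804y8bqy87vgmjb4xpybsb04ar0s7a1cx";
-name = "CVE-2017-14176.patch";
-})
+./CVE-2017-14176.patch
 ];
 postPatch = ''
 substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \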
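Review bot: The vendored `./CVE-2017-14176.patch` entry carries no record of its origin, whereas the removed fetchpatch pinned both the upstream URL and a sha256, so a later maintainer cannot tell whether the local file still matches upstream revision 6754 or has been edited. Add a provenance comment above the entry, e.g. `# CVE-2017-14176 (argument injection via SSH hostname); copied from https://bazaar.launchpad.net/~brz/brz/trunk/diff/6754 via nixpkgs master`. The commit message says the file was brought over from master rather than re-fetched, so the comment should state that if the two differ. If `fetchpatch` is no longer used elsewhere in this file it should be dropped from the argument set as well; the function head is outside this hunk.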