This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2goclient. commit 2e90d7b33d563873b1221edb2eed756c5e186ebc Author: Mihai Moldovan <ionic@ionic.de> Date: Mon Mar 6 12:49:16 2017 +0100 src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 systems and add a TOCTU-race check to see if the file exists prior to calling privatekey_from_file () on such systems. Additionally fix a type issue. --- debian/changelog | 4 ++++ src/sshmasterconnection.cpp | 17 ++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index a1e1573..dc1fbbf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -132,6 +132,10 @@ x2goclient (4.1.0.1-0x2go1) UNRELEASED; urgency=medium - src/sshmasterconnection.cpp: use new PKI-based libssh API for public key authentication for libssh 0.6.0 and higher. Fixes: #1119. - src/sshmasterconnection.cpp: add YubiKey challenge auth prompt. + - src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 + systems and add a TOCTU-race check to see if the file exists prior to + calling privatekey_from_file () on such systems. Additionally fix a type + issue. [ Oleksandr Shneyder ] * New upstream version (4.1.0.1): diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp index a97bbbf..8e620c2 100644 --- a/src/sshmasterconnection.cpp +++ b/src/sshmasterconnection.cpp 
@@ -1241,7 +1241,18 @@ bool SshMasterConnection::userAuthWithKey()
 priv_key = NULL;
 }
 #else
- ssh_private_key priv_key = privatekey_from_file (my_ssh_session, tmp_ba.data (), NULL, NULL);
+ /* This is TOCTU, but forced upon us by libssh's legacy function. */
+ {
+ QFile tmp_file (keyName);
+ if (tmp_file.open (QIODevice::ReadOnly)) {
+ tmp_file.close ();
+ }
+ else {
+ /* Don't pass invalid files to privatekey_from_file () - it crashes in this case. */
+ return (false);
+ }
+ }
+ ssh_private_key priv_key = privatekey_from_file (my_ssh_session, tmp_ba.data (), 0, NULL);
 #endif
 int i=0;
@@ -1288,7 +1299,7 @@ bool SshMasterConnection::userAuthWithKey()
 #if LIBSSH_VERSION_INT >= SSH_VERSION_INT (0, 6, 0)
 if (SSH_OK != rc)
 #else
- if (!prkey)
+ if (!priv_key)
 #endif
 {
 #ifdef DEBUG
@@ -1310,7 +1321,7 @@ bool SshMasterConnection::userAuthWithKey()
 #if LIBSSH_VERSION_INT >= SSH_VERSION_INT (0, 6, 0)
 if (SSH_OK != rc)
 #else
- if (!pubkey)
+ if (!pub_key)
 #endif
 {
 #ifdef DEBUG
-- Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git
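Review bot: The guard added before the legacy `privatekey_from_file ()` call in the first hunk only shows that `keyName` could be opened for reading at that moment, so a readable file that is empty, truncated or not a key still reaches the function that the second comment says crashes on invalid files, as does a file that changes after the check. The comment should state that limit, for example `/* Only catches a missing or unreadable file; malformed content and the TOCTOU window are not covered. */` (the acronym is TOCTOU, not TOCTU). The check opens `keyName` while the call receives `tmp_ba.data ()`; the conversion between the two is outside the hunk, so it is worth confirming that both name the same path. The early `return (false);` also leaves before the `if (!priv_key)` failure branch visible in the next hunk, so any logging or cleanup done there is presumably skipped for this case.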