This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch master in repository x2goclient. from 4d7104d Also commit the actual data... new 2e90d7b src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 systems and add a TOCTU-race check to see if the file exists prior to calling privatekey_from_file () on such systems. The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: debian/changelog | 4 ++++ src/sshmasterconnection.cpp | 17 ++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) -- Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2goclient. commit 2e90d7b33d563873b1221edb2eed756c5e186ebc Author: Mihai Moldovan <ionic@ionic.de> Date: Mon Mar 6 12:49:16 2017 +0100 src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 systems and add a TOCTU-race check to see if the file exists prior to calling privatekey_from_file () on such systems. Additionally fix a type issue. --- debian/changelog | 4 ++++ src/sshmasterconnection.cpp | 17 ++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index a1e1573..dc1fbbf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -132,6 +132,10 @@ x2goclient (4.1.0.1-0x2go1) UNRELEASED; urgency=medium - src/sshmasterconnection.cpp: use new PKI-based libssh API for public key authentication for libssh 0.6.0 and higher. Fixes: #1119. - src/sshmasterconnection.cpp: add YubiKey challenge auth prompt. + - src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 + systems and add a TOCTU-race check to see if the file exists prior to + calling privatekey_from_file () on such systems. Additionally fix a type + issue. [ Oleksandr Shneyder ] * New upstream version (4.1.0.1): diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp index a97bbbf..8e620c2 100644 --- a/src/sshmasterconnection.cpp +++ b/src/sshmasterconnection.cpp 
@@ -1241,7 +1241,18 @@ bool SshMasterConnection::userAuthWithKey()
 priv_key = NULL;
 }
 #else
- ssh_private_key priv_key = privatekey_from_file (my_ssh_session, tmp_ba.data (), NULL, NULL);
+ /* This is TOCTU, but forced upon us by libssh's legacy function. */
+ {
+ QFile tmp_file (keyName);
+ if (tmp_file.open (QIODevice::ReadOnly)) {
+ tmp_file.close ();
+ }
+ else {
+ /* Don't pass invalid files to privatekey_from_file () - it crashes in this case. */
+ return (false);
+ }
+ }
+ ssh_private_key priv_key = privatekey_from_file (my_ssh_session, tmp_ba.data (), 0, NULL);
 #endif
 int i=0;
@@ -1288,7 +1299,7 @@ bool SshMasterConnection::userAuthWithKey()
 #if LIBSSH_VERSION_INT >= SSH_VERSION_INT (0, 6, 0)
 if (SSH_OK != rc)
 #else
- if (!prkey)
+ if (!priv_key)
 #endif
 {
 #ifdef DEBUG
@@ -1310,7 +1321,7 @@ bool SshMasterConnection::userAuthWithKey()
 #if LIBSSH_VERSION_INT >= SSH_VERSION_INT (0, 6, 0)
 if (SSH_OK != rc)
 #else
- if (!pubkey)
+ if (!pub_key)
 #endif
 {
 #ifdef DEBUG
-- Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git
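Review bot: The guard added ahead of `privatekey_from_file ()` in the pre-0.6.0 `#else` branch (first hunk) only shows that `keyName` could be opened a moment earlier, so the crash it is meant to avoid stays reachable if the file is removed or replaced before libssh reads it; the in-code comment speaks of invalid files, which an open check does not test for. It also opens `keyName` while libssh is handed `tmp_ba.data ()`; tmp_ba is set outside this hunk, so confirm that both name the same path in the same encoding. I would reword the comment to state what the check does and does not cover, e.g. `/* TOCTOU: only filters out missing/unreadable files; the key can still change or be malformed when privatekey_from_file () reads it. */`. The early `return (false);` also skips everything that follows in userAuthWithKey(), whose body starts and ends outside the hunk, so check that no cleanup of earlier state is bypassed on that path.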