ssh-host-config eval password bug

In the ssh package there is a bug in /usr/bin/ssh-host-config where if you
select a valid password with spaces or punctuation that bash knows of, it will
fail and you could possibly shoot yourself in the foot due to evaling your
password. I don't know who is responsible, or what mailing list to post on, but
here is a patch.

- Ian Kelling

--- ssh-host-config.old	2009-05-29 22:35:16.244777500 -0700
+++ ssh-host-config	2009-05-29 22:40:31.234257500 -0700
@@ -323,12 +323,12 @@
   if [ -n "${csih_cygenv}" ]
   then
-    cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
+    cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
   fi
   if [ -z "${password}" ]
   then
-    if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
-      -a "-D" -y tcpip ${cygwin_env}
+    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
+      -a "-D" -y tcpip "${cygwin_env[@]}"
     then
       echo
       csih_inform "The sshd service has been installed under the LocalSystem"
@@ -337,8 +337,8 @@
       csih_inform "will start automatically after the next reboot."
     fi
   else
-    if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
-      -a "-D" -y tcpip ${cygwin_env} \
+    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
+      -a "-D" -y tcpip "${cygwin_env[@]}" \
       -u "${run_service_as}" -w "${password}"
     then
       echo

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
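Review bot: in the hunk at @@ -323,12 +323,12 @@ the switch to an array is what allows the eval to be dropped, not a cosmetic change, and the commit message should say so. The old scalar `cygwin_env="-e CYGWIN=\"${csih_cygenv}\""` only turned into two arguments because eval re-parsed the escaped quotes it contained; once eval is gone, `-e` and `CYGWIN=...` must be stored as separate words, which `cygwin_env=( -e "CYGWIN=${csih_cygenv}" )` does, and `"${cygwin_env[@]}"` expands to no words at all when `csih_cygenv` is empty, whereas a quoted scalar `"${cygwin_env}"` would hand cygrunsrv an empty argument and an unquoted one would split a value containing spaces. The one cost worth noting is that arrays are a bashism, so the script is now explicitly bash-only rather than POSIX sh.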
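Review bot: the hunk at @@ -337,8 +337,8 @@ is the actual fix for the reported bug and is correct as written: `-w "${password}"` now reaches cygrunsrv as one argument, verbatim, whereas under the removed `eval` the already-expanded password was read a second time as shell code, so spaces split it into several arguments and characters such as `;`, `$(`, backquotes or quotes were interpreted by the shell running the config script. The same reasoning covers `-u "${run_service_as}"` on the unchanged continuation line. Suggest stating in the commit message that removing eval, not adding quotes around `${password}`, is the fix, since `eval ... "${password}"` still re-parses the contents after the first expansion. Outside this hunk's scope but worth a follow-up: the password is still passed as a process argument on the cygrunsrv command line, where other local users may be able to observe it for the duration of the call.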
Re: ssh-host-config eval password bug

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to Ian Kelling on 7/5/2009 12:06 PM:
> In the ssh package there is a bug in /usr/bin/ssh-host-config where if
> you select a valid password with spaces or punctuation that bash knows of, it
> will fail and you could possibly shoot yourself in the foot due to
> evaling your password. I don't know who is responsible, or what mailing
> list to post on, but here is a patch.

This is the right list.

> -    cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
> +    cygwin_env=( -e "CYGWIN=${csih_cygenv}" )

I don't see why you need an array variable.

>   fi
>   if [ -z "${password}" ]
>   then
> -    if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
> -      -a "-D" -y tcpip ${cygwin_env}
> +    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
> +      -a "-D" -y tcpip "${cygwin_env[@]}"

The eval is still reasonable, but with proper quoting:

if eval cygrunsrv ... -y tcpip "${cygwin_env}"

- --
Don't work too hard, make some time for fun as well!

Eric Blake             ebb9@...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpRIAoACgkQ84KuGfSFAYAAZQCghGoY51fmSiEpxbAP3iRdmVuj
hEAAn3VxdXV8mSpRKG8j++35F9QQH8+6
=FYJ6
-----END PGP SIGNATURE-----
Re: ssh-host-config eval password bug

Eric Blake wrote:
> The eval is still reasonable, but with proper quoting:
>
> if eval cygrunsrv ... -y tcpip "${cygwin_env}"

No, that's not true. It is impossible to safely eval arbitrary user input.
Your simple quote doesn't help much:

# x="ok;ls"
# eval echo "{$x}"

For more in depth information, read this:
http://mywiki.wooledge.org/BashFAQ/048

- Ian Kelling
Re: ssh-host-config eval password bug

On Sun, Jul 05, 2009 at 03:50:02PM -0600, Eric Blake wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>According to Ian Kelling on 7/5/2009 12:06 PM:
>> In the ssh package there is a bug in /usr/bin/ssh-host-config where if
>> you select a valid password with spaces or punctuation that bash knows of, it
>> will fail and you could possibly shoot yourself in the foot due to
>> evaling your password. I don't know who is responsible, or what mailing
>> list to post on, but here is a patch.
>
>This is the right list.
>
>> -    cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
>> +    cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
>
>I don't see why you need an array variable.
>
>>   fi
>>   if [ -z "${password}" ]
>>   then
>> -    if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
>> -      -a "-D" -y tcpip ${cygwin_env}
>> +    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
>> +      -a "-D" -y tcpip "${cygwin_env[@]}"
>
>The eval is still reasonable, but with proper quoting:
>
>if eval cygrunsrv ... -y tcpip "${cygwin_env}"

How is eval better than an array environment variable? The above use of
"${cygwin_env[@]}" seems to do exactly what you'd want without worrying about
the additional gotchas from an eval.

cgf
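Ian's objection (eval re-reads whatever the password contains, quoted or not) and cgf's question (what the array buys over a scalar) can both be checked on any machine without touching a real service. The script below is an added example written for this page, not code from ssh-host-config or the Cygwin project. `record_argv` is a constructed stand-in for cygrunsrv that just prints each argument it received; `install_via_eval` reproduces the pre-patch shape with the quoted `"${password}"` Eric suggested, `install_direct` the patched shape. For the optional `-e CYGWIN=...` words it uses the POSIX positional-parameter list (`set --` / `"$@"`) where the patch uses a bash array, so it runs under plain sh as well as bash; the behaviour shown (zero words when unset, two intact words when set) is the same as `"${cygwin_env[@]}"`.

```shell
#!/bin/sh
# Added example, not part of the Cygwin thread or ssh-host-config.
# record_argv is a constructed stand-in for cygrunsrv: it never runs the real
# program, it only shows how the shell delivered the arguments.

# Print every argument on its own line, bracketed, so word boundaries are visible.
record_argv() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# Pre-patch shape. The command line is expanded once, then eval reads the
# result as shell code a second time. "$1" is quoted here (the "proper
# quoting" suggestion), but those quotes are consumed by the first expansion,
# so spaces, $(...), ; and friends inside the password are live syntax.
install_via_eval() {
    eval record_argv -w "$1"
}

# Patched shape: no eval, so the password is one word, delivered verbatim.
install_direct() {
    record_argv -w "$1"
}

# Returns 0 (true) when eval and direct invocation deliver different argument
# lists for this password, i.e. when the eval form would misbehave for it.
eval_alters_argv() {
    [ "$(install_via_eval "$1" 2>/dev/null)" != "$(install_direct "$1")" ]
}

# Optional arguments without eval. The patch stores them in a bash array
# (cygwin_env=( -e "CYGWIN=..." ) and "${cygwin_env[@]}"); the portable
# equivalent is the function's positional-parameter list. Empty when the
# CYGWIN value is unset, exactly two words (-e and CYGWIN=<value>) when it is
# set, and the value stays one word even if it contains spaces.
install_with_env() {
    pw=$1
    cygenv=$2
    set --
    if [ -n "$cygenv" ]; then
        set -- -e "CYGWIN=$cygenv"
    fi
    record_argv -y tcpip "$@" -w "$pw"
}

# Demonstration when the file is run directly. The sample passwords are
# constructed; the second one shows a command substitution being executed
# by eval, the third shows the command being cut in two at the semicolon.
for pw in 'pa ss' 'x$(echo INJECTED)' 'a;echo SECOND-COMMAND-RAN'; do
    printf 'password %s, direct:\n' "$pw";   install_direct "$pw"
    printf 'password %s, via eval:\n' "$pw"; install_via_eval "$pw"
done
printf 'optional CYGWIN words, unset then set:\n'
install_with_env 'pa ss' ''
install_with_env 'pa ss' 'ntsec tty'
```

Running it shows the direct form returning `[-w]` and `[pa ss]` while the eval form returns `[-w]`, `[pa]`, `[ss]`; for the second password the eval form delivers `[xINJECTED]`, the output of the substitution, instead of the literal characters. `eval_alters_argv` is the check to keep: it is false only for passwords made of characters the shell leaves alone, which is exactly the set a user cannot be relied on to stay within.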
Re: ssh-host-config eval password bug

On Jul 5 11:06, Ian Kelling wrote:
> In the ssh package there is a bug in /usr/bin/ssh-host-config where if
> you select a valid password with spaces or punctuation that bash knows of, it
> will fail and you could possibly shoot yourself in the foot due to
> evaling your password. I don't know who is responsible, or what mailing
> list to post on, but here is a patch.
>
> - Ian Kelling

Thanks for the patch. I uploaded a new openssh-5.2p1-3 release for Cygwin 1.7
with this patch.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat