From 4642520f044beb240350338ee00862f58a91200b Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Tue, 31 Jan 2006 10:19:03 +0000
Subject: fix local arbitrary command execution vulnerability on local/local and remote/remote copies (CVE-2006-0225, bz #1094), patch by t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
---
 usr.bin/ssh/sftp.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'usr.bin/ssh/sftp.c')
diff --git a/usr.bin/ssh/sftp.c b/usr.bin/ssh/sftp.c
index eb2b1941c97..52437f1f5be 100644
--- a/usr.bin/ssh/sftp.c
+++ b/usr.bin/ssh/sftp.c
@@ -16,7 +16,7 @@
 #include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.69 2005/12/06 22:38:27 reyk Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
 #include
 #include
@@ -1433,8 +1433,9 @@ main(int argc, char **argv)
 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 sanitise_stdfd();
+ memset(&args, '\0', sizeof(args));
 args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
+ addargs(&args, ssh_program);
 addargs(&args, "-oForwardX11 no");
 addargs(&args, "-oForwardAgent no");
 addargs(&args, "-oPermitLocalCommand no");
@@ -1469,6 +1470,7 @@ main(int argc, char **argv)
 break;
 case 'S':
 ssh_program = optarg;
+ replacearg(&args, 0, "%s", ssh_program);
 break;
 case 'b':
 if (batchmode)
@@ -1545,7 +1547,6 @@ main(int argc, char **argv)
 addargs(&args, "%s", host);
 addargs(&args, "%s", (sftp_server != NULL ? sftp_server : "sftp"));
- args.list[0] = ssh_program;
 if (!batchmode)
 fprintf(stderr, "Connecting to %s...\n", host);
@@ -1558,6 +1559,7 @@ main(int argc, char **argv)
 fprintf(stderr, "Attaching to %s...\n", sftp_direct);
 connect_to_server(sftp_direct, args.list, &in, &out);
 }
+ freeargs(&args);
 err = interactive_loop(in, out, file1, file2);
--
cgit v1.2.3
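Review bot: In the hunk at -1433, `addargs(&args, ssh_program);` passes the program path in the position the other calls use for a format string (compare `addargs(&args, "%s", host);` in the -1545 hunk), so any `%` in that value would be read as a conversion. At this point the value is presumably the built-in default and harmless, but the `-S` handler in the next hunk already uses an explicit format, and the initial call should match it: `addargs(&args, "%s", ssh_program);`. The added `memset` also makes the following `args.list = NULL;` redundant. main() starts and ends outside this hunk.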
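Review bot: The literal index in `replacearg(&args, 0, "%s", ssh_program);` (hunk at -1469) depends on the program path being the first element added before option parsing. The comment that used to record that link, `/* overwritten with ssh_program */`, is removed by this commit. A one-line comment on the new call, such as `/* slot 0 holds the ssh program path added before option parsing */`, would keep the ordering requirement visible to whoever next reorders the addargs() calls. The switch statement and main() extend beyond the hunk.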
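Review bot: `freeargs(&args);` in the hunk at -1558 is only safe if every element of args.list was allocated by addargs() or replacearg() and connect_to_server() keeps no reference to the vector after it returns; neither function body is visible here. Removing the direct store `args.list[0] = ssh_program;` is consistent with that rule, but any other direct assignment into args.list outside these hunks would now be handed to the free routine and should be checked. A short comment such as `/* all entries are owned by the arglist; args is not used after the transport is started */` would document the ownership assumption. main() continues past the end of the hunk.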