On Fri, Nov 08, 2013 at 10:14:23AM -0500, Yaroslav Halchenko wrote:
> we have adjusted sshd filter upstream already to be
>
> ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(:
> (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client
> user ".{0,100}", client host ".{0,100}")?))?\s*$
That has the very same injection vulnerability you were worried about
earlier in response to my initial suggestion.  Consider:

  Failed password for user from 1.2.3.4 port 20000 ssh1: ruser from 2.3.4.5

Your regex will incorrectly match the host as 2.3.4.5 from the
client-supplied string at the end.

As I say, I think it is unwise to put all these likely-to-change
alternatives in the regex, especially when doing so doesn't actually fix
the injection vulnerability.  I think the suggestion in my previous
message is actually more robust:

> ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?

Once we agree on this, it'd be great if you could upload a suitable
change to unstable so that I can set an appropriate Breaks field and
upload openssh >= 6.3 without further qualms.

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]
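The behaviour described in this message, as an added example that is not part of the original thread and not fail2ban's own code: the two failregex variants quoted above are run over constructed sshd log lines. fail2ban's %(__prefix_line)s, <HOST> and %(__md5hex)s substitutions are replaced here with stand-in patterns (an assumption made for the example; fail2ban's real ones differ in detail). Going beyond the message, a third constructed line places the injected " from " inside the username rather than in the ruser text, so the output shows which field each regex is fooled by.

```python
import re

# Stand-ins for fail2ban's %(__prefix_line)s, <HOST> and %(__md5hex)s
# substitutions.  These are assumptions made for this example, not copied
# from the fail2ban source: a syslog-style prefix, the host capture group,
# and a colon-separated MD5 fingerprint.
PREFIX_LINE = r"(?:\S+ +\d+ \d+:\d+:\d+ \S+ sshd\[\d+\]: )"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"

# The upstream filter quoted at the top of the message: greedy ".*" and an
# end-of-line anchor, with optional alternatives for the trailing text.
UPSTREAM = (
    r"^" + PREFIX_LINE + r"Failed \S+ for .* from " + HOST
    + r"(?: port \d*)?(?: ssh\d*)?"
    + r"(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ " + MD5HEX
    + r'(, client user ".{0,100}", client host ".{0,100}")?))?\s*$'
)

# The counter-proposal from the message: non-greedy ".*?" and no end anchor.
PROPOSED = (
    r"^" + PREFIX_LINE + r"Failed \S+ for .*? from " + HOST
    + r"(?: port \d*)?(?: ssh\d*)?"
)


def extract_host(pattern, line):
    """Return the <HOST> capture for one log line, or None if no match."""
    m = re.match(pattern, line)
    return m.group("host") if m else None


# Constructed sample lines (not real sshd output).  In each the genuine
# peer address is 1.2.3.4; any other address is attacker-supplied text.
SYSLOG = "Nov  8 10:14:23 bastion sshd[4242]: "
NORMAL = SYSLOG + "Failed password for invalid user admin from 1.2.3.4 port 20000 ssh2"
# The line from the message: attacker text after the real "from" (ruser).
RUSER = SYSLOG + "Failed password for user from 1.2.3.4 port 20000 ssh1: ruser from 2.3.4.5"
# Beyond the message: attacker text before the real "from", i.e. a username
# that itself contains " from 9.9.9.9".
USERNAME = SYSLOG + "Failed password for invalid user from 9.9.9.9 from 1.2.3.4 port 20000 ssh2"


def compare(lines=(NORMAL, RUSER, USERNAME)):
    """Map each sample line to (upstream host, proposed host)."""
    return {line: (extract_host(UPSTREAM, line), extract_host(PROPOSED, line))
            for line in lines}


if __name__ == "__main__":
    for line, (up, prop) in compare().items():
        print(line.split(": ", 1)[1])
        print("  upstream:", up, " proposed:", prop)
```

On the ruser line the greedy `.*` in the upstream regex backtracks to the last " from " and yields 2.3.4.5, while the non-greedy `.*?` stops at the first " from " and yields 1.2.3.4; on the username line the roles reverse, because the first " from " is now the injected one.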