bugzilla-daemon at mindrot.org
2025-Oct-22 16:27 UTC
[Bug 3884] New: The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Bug ID: 3884
Summary: The SSH_AUTH_SOCK variable is not quoted
Product: Portable OpenSSH
Version: 10.2p1
Hardware: ARM64
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: me+mindrot at drbeat.li
Created attachment 3916
--> https://bugzilla.mindrot.org/attachment.cgi?id=3916&action=edit
Patch
See Debian bug #1118288 here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118288
The Git test suite uses directory names with spaces to verify that the
code is safe to use in these directories.
The change that put the agent socket in $HOME/.ssh/agent instead of
$TMPDIR broke the Git tests.
The attached patch quotes the socket name when setting the environment
variable.
I'm not sure that my use of a struct sshbuf is correct here, but this
seems to be the automatically growing container in this project.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Oct-22 18:33 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Beat Bolli <me+mindrot at drbeat.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3916|0 |1
is patch| |
Attachment #3916|application/octet-stream |text/plain
mime type| |
bugzilla-daemon at mindrot.org
2025-Oct-22 18:35 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Beat Bolli <me+mindrot at drbeat.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS|Mac OS X |All
Hardware|ARM64 |All
bugzilla-daemon at mindrot.org
2025-Oct-22 22:35 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I think you could use misc.c:argv_assemble() to do the quoting with
less new code, e.g.
    tmp = argv_assemble(1, &socket_name);
    printf(format, SSH_AUTHSOCKET_ENV_NAME, tmp,
        SSH_AUTHSOCKET_ENV_NAME);
    free(tmp);
bugzilla-daemon at mindrot.org
2025-Oct-22 23:07 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
--- Comment #2 from Beat Bolli <me+mindrot at drbeat.li> ---
(In reply to Damien Miller from comment #1)
> I think you could use misc.c:argv_assemble() to do the quoting with
> less new code
Thanks for the hint, this makes the patch quite a bit smaller.
But is it good enough? argv_assemble() does not protect against all
shell metacharacters.
bugzilla-daemon at mindrot.org
2025-Oct-23 00:12 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Does it need to deal with other shell metacharacters?

If we do need to care about them, then maybe ssh-agent should just
check for their presence and either refuse to start or automatically
use /tmp for the agent sockets.
bugzilla-daemon at mindrot.org
2025-Oct-23 06:36 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
--- Comment #4 from Beat Bolli <me+mindrot at drbeat.li> ---
(In reply to Damien Miller from comment #3)
> Does it need to deal with other shell metacharacters?
>
> If we do need to care about them, then maybe ssh-agent should just
> check for their presence and either refuse to start or automatically
> use /tmp for the agent sockets.
It boils down to whether we consider $HOME attacker-controlled or not.
If an attacker can control $HOME, the user may have bigger security
issues than ssh-agent...
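Added example, not part of the thread and not OpenSSH code: comments #2 to #4 turn on which shell metacharacters the quoting covers. The C sketch below single-quotes a socket path so that a Bourne-style shell treats every byte as literal when it evaluates the agent's output; `sh_single_quote`, `format_env_line` and the sample path are hypothetical, and the output shape is assumed from the printf call in comment #1.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not OpenSSH's argv_assemble(): single-quote s for a
 * Bourne-style shell. Inside '...' only ' is special; it becomes '\''.
 * Returns a malloc'd string (caller frees) or NULL on failure. */
char *sh_single_quote(const char *s)
{
	size_t i, n = 0, len = strlen(s);
	char *out;

	/* Worst case: each byte grows to 4, plus two quotes and the NUL. */
	if (len > (SIZE_MAX - 3) / 4 || (out = malloc(len * 4 + 3)) == NULL)
		return NULL;
	out[n++] = '\'';
	for (i = 0; i < len; i++) {
		if (s[i] == '\'') {
			memcpy(out + n, "'\\''", 4);
			n += 4;
		} else
			out[n++] = s[i];
	}
	out[n++] = '\'';
	out[n] = '\0';
	return out;
}

/* Build "NAME='value'; export NAME;" for eval by the calling shell. */
char *format_env_line(const char *name, const char *value)
{
	char *q = sh_single_quote(value), *line;
	size_t sz;

	if (q == NULL)
		return NULL;
	sz = strlen(name) * 2 + strlen(q) + sizeof("=; export ;");
	if ((line = malloc(sz)) != NULL)
		snprintf(line, sz, "%s=%s; export %s;", name, q, name);
	free(q);
	return line;
}

int main(void)
{
	/* Constructed path with a space, '$' and ' in the home directory. */
	char *l = format_env_line("SSH_AUTH_SOCK", "/home/a b/$x's/.ssh/s.1");
	puts(l != NULL ? l : "allocation failed");
	free(l);
	return 0;
}
```

This covers Bourne-style output only; csh-style `setenv` output follows different quoting rules and would need its own treatment.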
bugzilla-daemon at mindrot.org
2025-Oct-23 11:54 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Simon Josefsson <simon at josefsson.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at josefsson.org
--- Comment #5 from Simon Josefsson <simon at josefsson.org> ---
I recall some other code that considers HOME potentially
attacker-controlled and uses `getpwent` to get a "trusted" path to the
user's home directory. This may be an option here?
Still, it is valid to have /etc/passwd home folders with SPC in the
name, so things shouldn't break on that.
bugzilla-daemon at mindrot.org
2025-Oct-24 01:43 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Sam James <sam at gentoo.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sam at gentoo.org
bugzilla-daemon at mindrot.org
2025-Oct-24 02:09 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3916|0 |1
is obsolete| |
CC| |dtucker at dtucker.net
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
Attachment #3917| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Created attachment 3917
--> https://bugzilla.mindrot.org/attachment.cgi?id=3917&action=edit
Use argv_assemble to quote socket path
Here's a version that uses argv_assemble().
It doesn't try to deal with other shell metacharacters in $HOME. We've
never tried to deal with that case before, e.g. in $TMPDIR, but we could
do it as a separate patch if there's a valid use case.
bugzilla-daemon at mindrot.org
2025-Oct-24 03:02 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3917|ok?(dtucker at dtucker.net) |ok+
Flags| |
--- Comment #7 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3917
--> https://bugzilla.mindrot.org/attachment.cgi?id=3917
Use argv_assemble to quote socket path
should you free socket_name ?
bugzilla-daemon at mindrot.org
2025-Nov-07 04:41 UTC
[Bug 3884] The SSH_AUTH_SOCK variable is not quoted
https://bugzilla.mindrot.org/show_bug.cgi?id=3884
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Blocks| |3880
Status|NEW |RESOLVED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
(In reply to Darren Tucker from comment #7)
> should you free socket_name ?
done
This has been committed and will be in OpenSSH 10.3
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3880
[Bug 3880] Tracking bug for openssh-10.3