Hi, Shortly after completing the OpenSSH 7.6 release, I spotted a bug in sshd_config's PermitOpen directive: it ignores arguments beyond the second one. I'm pretty annoyed with myself for introducing it and for not catching it before release, but fortunately it only affects 7.6 and fails-closed so doesn't introduce a vulnerability. Below is a fix for distributors who package OpenSSH; I've also committed this to the V_7_6 branch (7c9613fac337). diff --git a/servconf.c b/servconf.c index 2c321a4a..95686295 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@xxxxxxxxx>, Espoo, Finland * All rights reserved @@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line, if (!arg || *arg == '\0') fatal("%s line %d: missing PermitOpen specification", filename, linenum); - i = options->num_permitted_opens; /* modified later */ + value = options->num_permitted_opens; /* modified later */ if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { - if (*activep && i == 0) { + if (*activep && value == 0) { options->num_permitted_opens = 1; options->permitted_opens = xcalloc(1, sizeof(*options->permitted_opens)); @@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line, if (arg == NULL || ((port = permitopen_port(arg)) < 0)) fatal("%s line %d: bad port number in " "PermitOpen", filename, linenum); - if (*activep && i == 0) { + if (*activep && value == 0) { options->permitted_opens = xrecallocarray( options->permitted_opens, options->num_permitted_opens, _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev