Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch
new file mode 100644
index 0000000000..790ec808be
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch
@@ -0,0 +1,62 @@
+From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Thu, 21 Jul 2016 14:17:31 +1000
+Subject: [PATCH] Search users for one with a valid salt.
+
+If the root account is locked (eg password "!!" or "*LK*") keep looking
+until we find a user with a valid salt to use for crypting passwords of
+invalid users. ok djm@
+
+Upstream-Status: Backport
+CVE: CVE-2016-6210
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
+index 8913bb8..cf6a9b9 100644
+--- a/openbsd-compat/xcrypt.c
++++ b/openbsd-compat/xcrypt.c
+@@ -65,7 +65,9 @@
+
+ /*
+ * Pick an appropriate password encryption type and salt for the running
+- * system.
++ * system by searching through accounts until we find one that has a valid
++ * salt. Usually this will be root unless the root account is locked out.
++ * If we don't find one we return a traditional DES-based salt.
+ */
+ static const char *
+ pick_salt(void)
+@@ -78,14 +80,18 @@ pick_salt(void)
+ if (salt[0] != '\0')
+ return salt;
+ strlcpy(salt, "xx", sizeof(salt));
+- if ((pw = getpwuid(0)) == NULL)
+- return salt;
+- passwd = shadow_pw(pw);
+- if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+- return salt; /* no $, DES */
+- typelen = p - passwd + 1;
+- strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+- explicit_bzero(passwd, strlen(passwd));
++ setpwent();
++ while ((pw = getpwent()) != NULL) {
++ passwd = shadow_pw(pw);
++ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
++ typelen = p - passwd + 1;
++ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++ explicit_bzero(passwd, strlen(passwd));
++ goto out;
++ }
++ }
++ out:
++ endpwent();
+ return salt;
+ }
+
+--
+2.7.4
+
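Review bot: The `getpwent()` loop added to pick_salt() runs until the first account whose hash starts with `$`, so the cost of the first call now depends on the contents and backing store of the account database. The commit message says the salt is for crypting passwords of invalid users; if that is the only path reaching pick_salt() (the callers are not visible here), a long walk adds delay for invalid users only, which is the kind of timing difference CVE-2016-6210 is about. A long walk could come from many locked accounts listed first, or from a directory-backed passwd source. The `if (salt[0] != '\0') return salt;` cache only avoids the walk on later calls within the same process. I would record this in the patch header, for example `Note: pick_salt() enumerates accounts on first use; check auth timing on targets with a locked root account or remote NSS.` The start of pick_salt(), including its declarations, lies outside the hunk.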