From ddfe191355a042e6995f7b4b725b108c5bb4d36e Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Tue, 8 Sep 2015 17:22:26 -0700 Subject: openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565 three security fixes. CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable (From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Conflicts: meta/recipes-connectivity/openssh/openssh_6.6p1.bb --- .../openssh/openssh/CVE-2015-6563.patch | 36 ++++++++++++++++++++++ .../openssh/openssh/CVE-2015-6564.patch | 34 ++++++++++++++++++++ .../openssh/openssh/CVE-2015-6565.patch | 35 +++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 5 ++- 4 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch new file mode 100644 index 0000000000..19cea410dc --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch @@ -0,0 +1,36 @@ +CVE-2015-6563 + +Don't resend username to PAM; it already has it. +Pointed out by Moritz Jodeit; ok dtucker@ + +Upstream-Status: Backport +https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b + +Signed-off-by: Armin Kuster + +Index: openssh-6.7p1/monitor.c +=================================================================== +--- openssh-6.7p1.orig/monitor.c ++++ openssh-6.7p1/monitor.c +@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device; + int + mm_answer_pam_init_ctx(int sock, Buffer *m) + { +- + debug3("%s", __func__); +- authctxt->user = buffer_get_string(m, NULL); + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); + sshpam_authok = NULL; + buffer_clear(m); +Index: openssh-6.7p1/monitor_wrap.c +=================================================================== +--- openssh-6.7p1.orig/monitor_wrap.c ++++ openssh-6.7p1/monitor_wrap.c +@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) + + debug3("%s", __func__); + buffer_init(&m); +- buffer_put_cstring(&m, authctxt->user); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..588d42d766 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch @@ -0,0 +1,34 @@ +CVE-2015-6564 + + set sshpam_ctxt to NULL after free + + Avoids use-after-free in monitor when privsep child is compromised. + Reported by Moritz Jodeit; ok dtucker@ + +Upstream-Status: Backport +https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7 + +Signed-off-by: Armin Kuster + +Index: openssh-6.7p1/monitor.c +=================================================================== +--- openssh-6.7p1.orig/monitor.c ++++ openssh-6.7p1/monitor.c +@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer * + int + mm_answer_pam_free_ctx(int sock, Buffer *m) + { ++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; + + debug3("%s", __func__); + (sshpam_device.free_ctx)(sshpam_ctxt); ++ sshpam_ctxt = sshpam_authok = NULL; + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; +- return (sshpam_authok == sshpam_ctxt); ++ return r; + } + #endif + diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch new file mode 100644 index 0000000000..42667b05a0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch @@ -0,0 +1,35 @@ +CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable + +fix pty permissions; patch from Nikolay Edigaryev; ok deraadt + +Upstream-Status: Backport + +merged two changes into one. +[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2 +tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus + +[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a +fix pty permissions; patch from Nikolay Edigaryev; ok deraadt + +Signed-off-by: Armin Kuster + +Index: openssh-6.7p1/sshpty.c +=================================================================== +--- openssh-6.7p1.orig/sshpty.c ++++ openssh-6.7p1/sshpty.c +@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch + + /* Determine the group to make the owner of the tty. */ + grp = getgrnam("tty"); +- if (grp) { +- gid = grp->gr_gid; +- mode = S_IRUSR | S_IWUSR | S_IWGRP; +- } else { +- gid = pw->pw_gid; +- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH; +- } ++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; ++ mode = (grp != NULL) ? 0620 : 0600; + + /* + * Change owner and mode of the tty as required. diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb index f575665e4c..4b887048ee 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb @@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://run-ptest \ file://openssh-CVE-2014-2532.patch \ file://openssh-CVE-2014-2653.patch \ - file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" + file://CVE-2015-6563.patch \ + file://CVE-2015-6564.patch \ + file://CVE-2015-6565.patch \ + " PAM_SRC_URI = "file://sshd" -- cgit 1.2.3-korg