diff options
author | Haris Okanovic <haris.okanovic@ni.com> | 2015-10-30 15:12:56 -0500 |
---|---|---|
committer | Joshua Lock <joshua.lock@collabora.co.uk> | 2015-11-05 22:04:15 +0000 |
commit | 433f66ba6c79cf49e29251af0985baf5c4b79e23 (patch) | |
tree | 28e5e52ea490e24161faefc385635fe21a228238 /meta/recipes-connectivity | |
parent | 458d877590bcd39c7f05d31cc6e7600ca59de332 (diff) | |
download | openembedded-core-contrib-433f66ba6c79cf49e29251af0985baf5c4b79e23.tar.gz |
openssh: Backport CVE-2015-5600 fix
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed
Source:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
Bug report:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
https://bugzilla.redhat.com/show_bug.cgi?id=1245969
Testing:
Built in Fido and installed to x86_64 test system.
Verified both 'keyboard-interactive' and 'publickey' logon works with
root and a regular user from an openssh 7.1p1-1 client on Arch.
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
Reviewed-by: Ken Sharp <ken.sharp@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch | 50 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch new file mode 100644 index 0000000000..fa1c85e237 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch @@ -0,0 +1,50 @@ +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Sat, 18 Jul 2015 07:57:14 +0000 +Subject: [PATCH] CVE-2015-5600 + +only query each keyboard-interactive device once per + authentication request regardless of how many times it is listed; ok markus@ + +Source: +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43 +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u + +Upstream-Status: Backport +--- + auth2-chall.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/auth2-chall.c b/auth2-chall.c +index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644 +--- a/auth2-chall.c ++++ b/auth2-chall.c +@@ -83,6 +83,7 @@ struct KbdintAuthctxt + void *ctxt; + KbdintDevice *device; + u_int nreq; ++ u_int devices_done; + }; + + #ifdef USE_PAM +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) + if (len == 0) + break; + for (i = 0; devices[i]; i++) { +- if (!auth2_method_allowed(authctxt, ++ if ((kbdintctxt->devices_done & (1 << i)) != 0 || ++ !auth2_method_allowed(authctxt, + "keyboard-interactive", devices[i]->name)) + continue; +- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) ++ if (strncmp(kbdintctxt->devices, devices[i]->name, ++ len) == 0) { + kbdintctxt->device = devices[i]; ++ kbdintctxt->devices_done |= 1 << i; ++ } + } + t = kbdintctxt->devices; + kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; +-- +2.6.2 + diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb index aa71cc1ef4..9246284d14 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb @@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://CVE-2015-6563.patch \ file://CVE-2015-6564.patch \ file://CVE-2015-6565.patch \ + file://CVE-2015-5600.patch \ " PAM_SRC_URI = "file://sshd" |