openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565

three security fixes.

CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium)  openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High)  openssh: Incorrectly set TTYs to be world-writable

(From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>

Conflicts:
	meta/recipes-connectivity/openssh/openssh_6.6p1.bb

4 files changed, 109 insertions, 1 deletions

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000000..19cea410dc
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
+CVE-2015-6563
+
+Don't resend username to PAM; it already has it. 
+Pointed out by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ 	debug3("%s", __func__);
+-	authctxt->user = buffer_get_string(m, NULL);
+ 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ 	sshpam_authok = NULL;
+ 	buffer_clear(m);
+Index: openssh-6.7p1/monitor_wrap.c
+===================================================================
+--- openssh-6.7p1.orig/monitor_wrap.c
++++ openssh-6.7p1/monitor_wrap.c
+@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+ 
+ 	debug3("%s", __func__);
+ 	buffer_init(&m);
+-	buffer_put_cstring(&m, authctxt->user);
+ 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..588d42d766
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+
+ set sshpam_ctxt to NULL after free
+
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++    int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+ 
+ 	debug3("%s", __func__);
+ 	(sshpam_device.free_ctx)(sshpam_ctxt);
++    sshpam_ctxt = sshpam_authok = NULL;
+ 	buffer_clear(m);
+ 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ 	auth_method = "keyboard-interactive";
+ 	auth_submethod = "pam";
+-	return (sshpam_authok == sshpam_ctxt);
++	return r;
+ }
+ #endif
+ 
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000000..42667b05a0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
+
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Upstream-Status: Backport
+
+merged two changes into one.
+[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
+tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
+
+[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/sshpty.c
+===================================================================
+--- openssh-6.7p1.orig/sshpty.c
++++ openssh-6.7p1/sshpty.c
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
+ 
+ 	/* Determine the group to make the owner of the tty. */
+ 	grp = getgrnam("tty");
+-	if (grp) {
+-		gid = grp->gr_gid;
+-		mode = S_IRUSR | S_IWUSR | S_IWGRP;
+-	} else {
+-		gid = pw->pw_gid;
+-		mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+-	}
++    gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++    mode = (grp != NULL) ? 0620 : 0600;
+ 
+ 	/*
+ 	 * Change owner and mode of the tty as required.
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index f575665e4c..4b887048ee 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://run-ptest \
            file://openssh-CVE-2014-2532.patch \
            file://openssh-CVE-2014-2653.patch \
-           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
+           file://CVE-2015-6563.patch  \
+           file://CVE-2015-6564.patch \
+           file://CVE-2015-6565.patch \
+           "
 
 PAM_SRC_URI = "file://sshd"