[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: [OE-core] [OE-Core] [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix
From: harisokn () gmail ! com (Haris Okanovic)
Date: 2015-11-30 15:43:10
Message-ID: 565C6E8E.6040706 () gmail ! com
[Download RAW message or body]
On 11/05/2015 04:00 PM, Joshua Lock wrote:
> Thanks, I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.
You can find instructions on testing the vulnerability at the following
URL. I forgot to include it in the change description.
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> Regards,
>
> Joshua
>
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
>
> >
> > Signed-off-by: Haris Okanovic <haris.okanovic at ni.com>
> > Reviewed-by: Rich Tollerton <rich.tollerton at ni.com>
> > Reviewed-by: Ken Sharp <ken.sharp at ni.com>
> > Natinst-ReviewBoard-ID: 115602
> > Natinst-CAR-ID: 541263
> >
> > ---
> >
> > This patch only applies to Fido and earlier releases. Bug is already
> > fixed in Jethro which builds OpenSSH 7.1.
> > ---
> > .../openssh/openssh/CVE-2015-5600.patch | 50
> > ++++++++++++++++++++++
> > meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 +
> > 2 files changed, 51 insertions(+)
> > create mode 100644
> > meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> >
> > diff --git
> > a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > new file mode 100644
> > index 0000000..fa1c85e
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > @@ -0,0 +1,50 @@
> > +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
> > +From: "djm at openbsd.org" <djm at openbsd.org>
> > +Date: Sat, 18 Jul 2015 07:57:14 +0000
> > +Subject: [PATCH] CVE-2015-5600
> > +
> > +only query each keyboard-interactive device once per
> > + authentication request regardless of how many times it is listed; ok
> > markus@
> > +
> > +Source:
> > +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> >
> > +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
> >
> > +
> > +Upstream-Status: Backport
> > +---
> > + auth2-chall.c | 9 +++++++--
> > + 1 file changed, 7 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/auth2-chall.c b/auth2-chall.c
> > +index
> > ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
> > 100644
> > +--- a/auth2-chall.c
> > ++++ b/auth2-chall.c
> > +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
> > + void *ctxt;
> > + KbdintDevice *device;
> > + u_int nreq;
> > ++ u_int devices_done;
> > + };
> > +
> > + #ifdef USE_PAM
> > +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
> > KbdintAuthctxt *kbdintctxt)
> > + if (len == 0)
> > + break;
> > + for (i = 0; devices[i]; i++) {
> > +- if (!auth2_method_allowed(authctxt,
> > ++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
> > ++ !auth2_method_allowed(authctxt,
> > + "keyboard-interactive", devices[i]->name))
> > + continue;
> > +- if (strncmp(kbdintctxt->devices, devices[i]->name, len)
> > == 0)
> > ++ if (strncmp(kbdintctxt->devices, devices[i]->name,
> > ++ len) == 0) {
> > + kbdintctxt->device = devices[i];
> > ++ kbdintctxt->devices_done |= 1 << i;
> > ++ }
> > + }
> > + t = kbdintctxt->devices;
> > + kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
> > +--
> > +2.6.2
> > +
> > diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > index aa71cc1..9246284 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > @@ -25,6 +25,7 @@ SRC_URI =
> > "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> > file://CVE-2015-6563.patch \
> > file://CVE-2015-6564.patch \
> > file://CVE-2015-6565.patch \
> > + file://CVE-2015-5600.patch \
> > "
> >
> > PAM_SRC_URI = "file://sshd"
> >
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic