'[OE-core] [OE-Core] [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openembedded-core
Subject:    [OE-core] [OE-Core] [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix
From:       harisokn () gmail ! com (Haris Okanovic)
Date:       2015-11-30 15:43:10
Message-ID: 565C6E8E.6040706 () gmail ! com
[Download RAW message or body]

On 11/05/2015 04:00 PM, Joshua Lock wrote:
> Thanks, I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.

You can find instructions on testing the vulnerability at the following 
URL. I forgot to include it in the change description.

https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/


> Regards,
> 
> Joshua
> 
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
> 
> 
> > 
> > Signed-off-by: Haris Okanovic <haris.okanovic at ni.com>
> > Reviewed-by: Rich Tollerton <rich.tollerton at ni.com>
> > Reviewed-by: Ken Sharp <ken.sharp at ni.com>
> > Natinst-ReviewBoard-ID: 115602
> > Natinst-CAR-ID: 541263
> > 
> > ---
> > 
> > This patch only applies to Fido and earlier releases. Bug is already
> > fixed in Jethro which builds OpenSSH 7.1.
> > ---
> > .../openssh/openssh/CVE-2015-5600.patch            | 50
> > ++++++++++++++++++++++
> > meta/recipes-connectivity/openssh/openssh_6.7p1.bb |  1 +
> > 2 files changed, 51 insertions(+)
> > create mode 100644
> > meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > 
> > diff --git
> > a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > new file mode 100644
> > index 0000000..fa1c85e
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> > @@ -0,0 +1,50 @@
> > +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
> > +From: "djm at openbsd.org" <djm at openbsd.org>
> > +Date: Sat, 18 Jul 2015 07:57:14 +0000
> > +Subject: [PATCH] CVE-2015-5600
> > +
> > +only query each keyboard-interactive device once per
> > + authentication request regardless of how many times it is listed; ok
> > markus@
> > +
> > +Source:
> > +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> >  
> > +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
> >  
> > +
> > +Upstream-Status: Backport
> > +---
> > + auth2-chall.c | 9 +++++++--
> > + 1 file changed, 7 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/auth2-chall.c b/auth2-chall.c
> > +index
> > ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
> >  100644
> > +--- a/auth2-chall.c
> > ++++ b/auth2-chall.c
> > +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
> > +     void *ctxt;
> > +     KbdintDevice *device;
> > +     u_int nreq;
> > ++    u_int devices_done;
> > + };
> > +
> > + #ifdef USE_PAM
> > +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
> > KbdintAuthctxt *kbdintctxt)
> > +         if (len == 0)
> > +             break;
> > +         for (i = 0; devices[i]; i++) {
> > +-            if (!auth2_method_allowed(authctxt,
> > ++            if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
> > ++                !auth2_method_allowed(authctxt,
> > +                 "keyboard-interactive", devices[i]->name))
> > +                 continue;
> > +-            if (strncmp(kbdintctxt->devices, devices[i]->name, len)
> > == 0)
> > ++            if (strncmp(kbdintctxt->devices, devices[i]->name,
> > ++                len) == 0) {
> > +                 kbdintctxt->device = devices[i];
> > ++                kbdintctxt->devices_done |= 1 << i;
> > ++            }
> > +         }
> > +         t = kbdintctxt->devices;
> > +         kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
> > +--
> > +2.6.2
> > +
> > diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > index aa71cc1..9246284 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> > @@ -25,6 +25,7 @@ SRC_URI =
> > "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> > file://CVE-2015-6563.patch  \
> > file://CVE-2015-6564.patch \
> > file://CVE-2015-6565.patch \
> > +           file://CVE-2015-5600.patch \
> > "
> > 
> > PAM_SRC_URI = "file://sshd"
> > 
> 


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic