author | Armin Kuster <akuster@mvista.com> | 2015-09-08 17:22:26 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-01-30 12:03:13 +0000 |
commit | 73a04a266cb2bfc2bd5c7ed0155bf4204baf9072 (patch) | |
tree | ddbdeb88a7be165bba16bcd3c762536d53477fe5 | |
parent | b3269fc2e67e17a426564166f6c956086ad0f0f0 (diff) | |
download | poky-73a04a266cb2bfc2bd5c7ed0155bf4204baf9072.tar.gz |
openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
Three security fixes.
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
(From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f)
(From OE-Core rev: ddfe191355a042e6995f7b4b725b108c5bb4d36e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Conflicts:
meta/recipes-connectivity/openssh/openssh_6.6p1.bb
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 109 insertions, 1 deletions
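--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
+CVE-2015-6563
+
+Don't resend username to PAM; it already has it.
+Pointed out by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
+int
+mm_answer_pam_init_ctx(int sock, Buffer *m)
+{
+-
+debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+sshpam_authok = NULL;
+buffer_clear(m);
+Index: openssh-6.7p1/monitor_wrap.c
+===================================================================
+--- openssh-6.7p1.orig/monitor_wrap.c
++++ openssh-6.7p1/monitor_wrap.c
+@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+debug3("%s", __func__);
+buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);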
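Review bot: The Index, --- and +++ headers of the new patch name openssh-6.7p1 while this recipe is openssh_6.6p1.bb (the fourth file in this commit), so the patch appears to rely on the 6.6p1 monitor.c and monitor_wrap.c being identical at these two hunks; with -p1 the directory prefix is stripped and only the context lines matter, but the header still misstates the version it was verified against. A line in the patch header such as `Applied unchanged to openssh-6.6p1 (paths kept from the 6.7p1 backport).` would record that the hunks were checked against the version actually built here. The rest of mm_answer_pam_init_ctx and mm_sshpam_init_ctx, including how the monitor's authctxt->user was populated before this request, lies outside the quoted hunks.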
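--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+
+set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+int
+mm_answer_pam_free_ctx(int sock, Buffer *m)
+{
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+debug3("%s", __func__);
+(sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+buffer_clear(m);
+mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+auth_method = "keyboard-interactive";
+auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+}
+#endif
+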
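Review bot: The new `int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;` at the top of mm_answer_pam_free_ctx changes the return value for the case where both pointers are already NULL: the old `return (sshpam_authok == sshpam_ctxt);` yielded 1 there, the new code yields 0. That is the safer direction, since a free request arriving with no live context no longer reports PAM success, but the reasoning is not visible in the code; a comment above the declaration would help: `/* Decide the result before free_ctx(); both pointers are cleared below so a repeated free request can neither touch the freed context nor report success. */`. The hunk still passes sshpam_ctxt to free_ctx unconditionally, so if a second MONITOR_REQ_PAM_FREE_CTX can reach this handler after the pointers are cleared, the device's free_ctx must tolerate a NULL argument — that implementation is not part of this patch and is worth confirming.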
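--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
+
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Upstream-Status: Backport
+
+merged two changes into one.
+[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
+tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
+
+[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/sshpty.c
+===================================================================
+--- openssh-6.7p1.orig/sshpty.c
++++ openssh-6.7p1/sshpty.c
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
+
+/* Determine the group to make the owner of the tty. */
+grp = getgrnam("tty");
+- if (grp) {
+- gid = grp->gr_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP;
+- } else {
+- gid = pw->pw_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+- }
++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+/*
+* Change owner and mode of the tty as required.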
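Review bot: The replacement `mode = (grp != NULL) ? 0620 : 0600;` in pty_setowner removes S_IWOTH from the no-"tty"-group fallback and also removes S_IWGRP there, so in that case the pty is no longer writable by the user's primary group either; the switch from S_I* macros to bare octal literals leaves none of this explained in the code. Suggest a comment above the two new assignments: `/* 0620 lets the "tty" group write to the pty; when that group is absent the gid falls back to the user's primary group, so group and world write are both refused (0600). */`. The chown/chmod that applies gid and mode follows the quoted context and is outside this hunk, as is the start of pty_setowner.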
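--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
 file://run-ptest \
 file://openssh-CVE-2014-2532.patch \
 file://openssh-CVE-2014-2653.patch \
-file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
+file://CVE-2015-6563.patch \
+file://CVE-2015-6564.patch \
+file://CVE-2015-6565.patch \
+"
 
 PAM_SRC_URI = "file://sshd"
 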
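Review bot: The new SRC_URI list drops `file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch` (old line 28) while adding the three CVE patches; the diffstat's single deletion is that line, and none of the four changed files is a deletion of that patch, so it stays in the tree but is no longer applied to the 6.6p1 build. Given the `Conflicts: meta/recipes-connectivity/openssh/openssh_6.6p1.bb` note in the commit message, this looks like a conflict-resolution slip rather than an intended removal; if so the list should keep `file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \` immediately before `file://CVE-2015-6563.patch \`. If dropping it is intentional, the commit message should say why and the unused patch file should be removed in the same commit.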