openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565

three security fixes. CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable (From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f) (From OE-Core rev: ddfe191355a042e6995f7b4b725b108c5bb4d36e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Conflicts: meta/recipes-connectivity/openssh/openssh_6.6p1.bb Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2015-09-08 17:22:26 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-30 12:03:13 +0000
commit: 73a04a266cb2bfc2bd5c7ed0155bf4204baf9072 (patch)
tree: ddbdeb88a7be165bba16bcd3c762536d53477fe5
parent: b3269fc2e67e17a426564166f6c956086ad0f0f0 (diff)
download: poky-73a04a266cb2bfc2bd5c7ed0155bf4204baf9072.tar.gz
4 files changed, 109 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000000..19cea410dc
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
+CVE-2015-6563
+Don't resend username to PAM; it already has it. 
+Pointed out by Moritz Jodeit; ok dtucker@
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
+++ openssh-6.7p1/monitor.c
+@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+        debug3("%s", __func__);
+-       authctxt->user = buffer_get_string(m, NULL);
+        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+        sshpam_authok = NULL;
+        buffer_clear(m);
+Index: openssh-6.7p1/monitor_wrap.c
+===================================================================
+--- openssh-6.7p1.orig/monitor_wrap.c
+++ openssh-6.7p1/monitor_wrap.c
+@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+ 
+        debug3("%s", __func__);
+        buffer_init(&m);
+-       buffer_put_cstring(&m, authctxt->user);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+        debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..588d42d766
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+ set sshpam_ctxt to NULL after free
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
+++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
+    int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+ 
+        debug3("%s", __func__);
+        (sshpam_device.free_ctx)(sshpam_ctxt);
+    sshpam_ctxt = sshpam_authok = NULL;
+        buffer_clear(m);
+        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+        auth_method = "keyboard-interactive";
+        auth_submethod = "pam";
+-       return (sshpam_authok == sshpam_ctxt);
+       return r;
+ }
+ #endif
+ 
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000000..42667b05a0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+Upstream-Status: Backport
+merged two changes into one.
+[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
+tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
+[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: openssh-6.7p1/sshpty.c
+===================================================================
+--- openssh-6.7p1.orig/sshpty.c
+++ openssh-6.7p1/sshpty.c
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
+ 
+        /* Determine the group to make the owner of the tty. */
+        grp = getgrnam("tty");
+-       if (grp) {
+-               gid = grp->gr_gid;
+-               mode = S_IRUSR | S_IWUSR | S_IWGRP;
+-       } else {
+-               gid = pw->pw_gid;
+-               mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+-       }
+    gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+    mode = (grp != NULL) ? 0620 : 0600;
+ 
+        /*
+         * Change owner and mode of the tty as required.
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index f575665e4c..4b887048ee 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://run-ptest \
           file://openssh-CVE-2014-2532.patch \
           file://openssh-CVE-2014-2653.patch \
-           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
+           file://CVE-2015-6563.patch  \
+           file://CVE-2015-6564.patch \
+           file://CVE-2015-6565.patch \
+           "
 PAM_SRC_URI = "file://sshd"
author	Armin Kuster <akuster@mvista.com>	2015-09-08 17:22:26 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-30 12:03:13 +0000
commit	73a04a266cb2bfc2bd5c7ed0155bf4204baf9072 (patch)
tree	ddbdeb88a7be165bba16bcd3c762536d53477fe5
parent	b3269fc2e67e17a426564166f6c956086ad0f0f0 (diff)
download	poky-73a04a266cb2bfc2bd5c7ed0155bf4204baf9072.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch new file mode 100644 index 0000000000..19cea410dc --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
		1	CVE-2015-6563
		2
		3	Don't resend username to PAM; it already has it.
		4	Pointed out by Moritz Jodeit; ok dtucker@
		5
		6	Upstream-Status: Backport
		7	https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
		8
		9	Signed-off-by: Armin Kuster <akuster@mvista.com>
		10
		11	Index: openssh-6.7p1/monitor.c
		12	===================================================================
		13	--- openssh-6.7p1.orig/monitor.c
		14	+++ openssh-6.7p1/monitor.c
		15	@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
		16	int
		17	mm_answer_pam_init_ctx(int sock, Buffer *m)
		18	{
		19	-
		20	debug3("%s", __func__);
		21	- authctxt->user = buffer_get_string(m, NULL);
		22	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
		23	sshpam_authok = NULL;
		24	buffer_clear(m);
		25	Index: openssh-6.7p1/monitor_wrap.c
		26	===================================================================
		27	--- openssh-6.7p1.orig/monitor_wrap.c
		28	+++ openssh-6.7p1/monitor_wrap.c
		29	@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
		30
		31	debug3("%s", __func__);
		32	buffer_init(&m);
		33	- buffer_put_cstring(&m, authctxt->user);
		34	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
		35	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
		36	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);


diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..588d42d766 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
		1	CVE-2015-6564
		2
		3	set sshpam_ctxt to NULL after free
		4
		5	Avoids use-after-free in monitor when privsep child is compromised.
		6	Reported by Moritz Jodeit; ok dtucker@
		7
		8	Upstream-Status: Backport
		9	https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
		10
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	Index: openssh-6.7p1/monitor.c
		14	===================================================================
		15	--- openssh-6.7p1.orig/monitor.c
		16	+++ openssh-6.7p1/monitor.c
		17	@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
		18	int
		19	mm_answer_pam_free_ctx(int sock, Buffer *m)
		20	{
		21	+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
		22
		23	debug3("%s", __func__);
		24	(sshpam_device.free_ctx)(sshpam_ctxt);
		25	+ sshpam_ctxt = sshpam_authok = NULL;
		26	buffer_clear(m);
		27	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
		28	auth_method = "keyboard-interactive";
		29	auth_submethod = "pam";
		30	- return (sshpam_authok == sshpam_ctxt);
		31	+ return r;
		32	}
		33	#endif
		34


diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch new file mode 100644 index 0000000000..42667b05a0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
		1	CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
		2
		3	fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
		4
		5	Upstream-Status: Backport
		6
		7	merged two changes into one.
		8	[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
		9	tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
		10
		11	[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
		12	fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
		13
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	Index: openssh-6.7p1/sshpty.c
		17	===================================================================
		18	--- openssh-6.7p1.orig/sshpty.c
		19	+++ openssh-6.7p1/sshpty.c
		20	@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
		21
		22	/* Determine the group to make the owner of the tty. */
		23	grp = getgrnam("tty");
		24	- if (grp) {
		25	- gid = grp->gr_gid;
		26	- mode = S_IRUSR \| S_IWUSR \| S_IWGRP;
		27	- } else {
		28	- gid = pw->pw_gid;
		29	- mode = S_IRUSR \| S_IWUSR \| S_IWGRP \| S_IWOTH;
		30	- }
		31	+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
		32	+ mode = (grp != NULL) ? 0620 : 0600;
		33
		34	/*
		35	* Change owner and mode of the tty as required.


diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb index f575665e4c..4b887048ee 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
25	file://run-ptest \	25	file://run-ptest \
26	file://openssh-CVE-2014-2532.patch \	26	file://openssh-CVE-2014-2532.patch \
27	file://openssh-CVE-2014-2653.patch \	27	file://openssh-CVE-2014-2653.patch \
28	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"	28	file://CVE-2015-6563.patch \
		29	file://CVE-2015-6564.patch \
		30	file://CVE-2015-6565.patch \
		31	"
29		32
30	PAM_SRC_URI = "file://sshd"	33	PAM_SRC_URI = "file://sshd"
31		34