diff options
author | Haris Okanovic <haris.okanovic@ni.com> | 2015-10-30 15:12:56 -0500 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-12-08 13:27:29 +0000 |
commit | afff53db2a3b8da2df89f4ba28a02f25e3b93a3f (patch) | |
tree | 589f5906d5a78d7f58382a8f4f8bdb305a370059 | |
parent | b8eb509ca53eed5f26642895a9078689de129a3f (diff) | |
download | poky-afff53db2a3b8da2df89f4ba28a02f25e3b93a3f.tar.gz |
openssh: Backport CVE-2015-5600 fix
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed
Source:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
Bug report:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
https://bugzilla.redhat.com/show_bug.cgi?id=1245969
Testing:
Built in Fido and installed to x86_64 test system.
Verified both 'keyboard-interactive' and 'publickey' logon works with
root and a regular user from an openssh 7.1p1-1 client on Arch.
(From OE-Core rev: 433f66ba6c79cf49e29251af0985baf5c4b79e23)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
Reviewed-by: Ken Sharp <ken.sharp@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch | 50 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch new file mode 100644 index 0000000000..fa1c85e237 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Sat, 18 Jul 2015 07:57:14 +0000 | ||
4 | Subject: [PATCH] CVE-2015-5600 | ||
5 | |||
6 | only query each keyboard-interactive device once per | ||
7 | authentication request regardless of how many times it is listed; ok markus@ | ||
8 | |||
9 | Source: | ||
10 | http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43 | ||
11 | http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | --- | ||
15 | auth2-chall.c | 9 +++++++-- | ||
16 | 1 file changed, 7 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/auth2-chall.c b/auth2-chall.c | ||
19 | index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644 | ||
20 | --- a/auth2-chall.c | ||
21 | +++ b/auth2-chall.c | ||
22 | @@ -83,6 +83,7 @@ struct KbdintAuthctxt | ||
23 | void *ctxt; | ||
24 | KbdintDevice *device; | ||
25 | u_int nreq; | ||
26 | + u_int devices_done; | ||
27 | }; | ||
28 | |||
29 | #ifdef USE_PAM | ||
30 | @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) | ||
31 | if (len == 0) | ||
32 | break; | ||
33 | for (i = 0; devices[i]; i++) { | ||
34 | - if (!auth2_method_allowed(authctxt, | ||
35 | + if ((kbdintctxt->devices_done & (1 << i)) != 0 || | ||
36 | + !auth2_method_allowed(authctxt, | ||
37 | "keyboard-interactive", devices[i]->name)) | ||
38 | continue; | ||
39 | - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) | ||
40 | + if (strncmp(kbdintctxt->devices, devices[i]->name, | ||
41 | + len) == 0) { | ||
42 | kbdintctxt->device = devices[i]; | ||
43 | + kbdintctxt->devices_done |= 1 << i; | ||
44 | + } | ||
45 | } | ||
46 | t = kbdintctxt->devices; | ||
47 | kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; | ||
48 | -- | ||
49 | 2.6.2 | ||
50 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb index aa71cc1ef4..9246284d14 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb | |||
@@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. | |||
25 | file://CVE-2015-6563.patch \ | 25 | file://CVE-2015-6563.patch \ |
26 | file://CVE-2015-6564.patch \ | 26 | file://CVE-2015-6564.patch \ |
27 | file://CVE-2015-6565.patch \ | 27 | file://CVE-2015-6565.patch \ |
28 | file://CVE-2015-5600.patch \ | ||
28 | " | 29 | " |
29 | 30 | ||
30 | PAM_SRC_URI = "file://sshd" | 31 | PAM_SRC_URI = "file://sshd" |