1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch
new file mode 100644
index 0000000000..790ec808be
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch
@@ -0,0 +1,62 @@
+From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Thu, 21 Jul 2016 14:17:31 +1000
+Subject: [PATCH] Search users for one with a valid salt.
+If the root account is locked (eg password "!!" or "*LK*") keep looking
+until we find a user with a valid salt to use for crypting passwords of
+invalid users.  ok djm@
+Upstream-Status: Backport
+CVE: CVE-2016-6210
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
+index 8913bb8..cf6a9b9 100644
+--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
+@@ -65,7 +65,9 @@
+ 
+ /*
+  * Pick an appropriate password encryption type and salt for the running
+- * system.
+ * system by searching through accounts until we find one that has a valid
+ * salt.  Usually this will be root unless the root account is locked out.
+ * If we don't find one we return a traditional DES-based salt.
+  */
+ static const char *
+ pick_salt(void)
+@@ -78,14 +80,18 @@ pick_salt(void)
+        if (salt[0] != '\0')
+                return salt;
+        strlcpy(salt, "xx", sizeof(salt));
+-       if ((pw = getpwuid(0)) == NULL)
+-               return salt;
+-       passwd = shadow_pw(pw);
+-       if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+-               return salt;  /* no $, DES */
+-       typelen = p - passwd + 1;
+-       strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+-       explicit_bzero(passwd, strlen(passwd));
+       setpwent();
+       while ((pw = getpwent()) != NULL) {
+               passwd = shadow_pw(pw);
+               if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
+                       typelen = p - passwd + 1;
+                       strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+                       explicit_bzero(passwd, strlen(passwd));
+                       goto out;
+               }
+       }
+ out:
+       endpwent();
+        return salt;
+ }
+ 
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch new file mode 100644 index 0000000000..790ec808be --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch
@@ -0,0 +1,62 @@
	1	From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001
	2	From: Darren Tucker <dtucker@zip.com.au>
	3	Date: Thu, 21 Jul 2016 14:17:31 +1000
	4	Subject: [PATCH] Search users for one with a valid salt.
	5
	6	If the root account is locked (eg password "!!" or "LK") keep looking
	7	until we find a user with a valid salt to use for crypting passwords of
	8	invalid users. ok djm@
	9
	10	Upstream-Status: Backport
	11	CVE: CVE-2016-6210
	12	Signed-off-by: Armin Kuster <akuster@mvista.com>
	13
	14	---
	15	openbsd-compat/xcrypt.c \| 24 +++++++++++++++---------
	16	1 file changed, 15 insertions(+), 9 deletions(-)
	17
	18	diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
	19	index 8913bb8..cf6a9b9 100644
	20	--- a/openbsd-compat/xcrypt.c
	21	+++ b/openbsd-compat/xcrypt.c
	22	@@ -65,7 +65,9 @@
	23
	24	/*
	25	* Pick an appropriate password encryption type and salt for the running
	26	- * system.
	27	+ * system by searching through accounts until we find one that has a valid
	28	+ * salt. Usually this will be root unless the root account is locked out.
	29	+ * If we don't find one we return a traditional DES-based salt.
	30	*/
	31	static const char *
	32	pick_salt(void)
	33	@@ -78,14 +80,18 @@ pick_salt(void)
	34	if (salt[0] != '\0')
	35	return salt;
	36	strlcpy(salt, "xx", sizeof(salt));
	37	- if ((pw = getpwuid(0)) == NULL)
	38	- return salt;
	39	- passwd = shadow_pw(pw);
	40	- if (passwd[0] != '$' \|\| (p = strrchr(passwd + 1, '$')) == NULL)
	41	- return salt; /* no $, DES */
	42	- typelen = p - passwd + 1;
	43	- strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
	44	- explicit_bzero(passwd, strlen(passwd));
	45	+ setpwent();
	46	+ while ((pw = getpwent()) != NULL) {
	47	+ passwd = shadow_pw(pw);
	48	+ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
	49	+ typelen = p - passwd + 1;
	50	+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
	51	+ explicit_bzero(passwd, strlen(passwd));
	52	+ goto out;
	53	+ }
	54	+ }
	55	+ out:
	56	+ endpwent();
	57	return salt;
	58	}
	59
	60	--
	61	2.7.4
	62