summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssh
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch36
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch34
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch35
-rw-r--r--meta/recipes-connectivity/openssh/openssh_6.7p1.bb6
4 files changed, 110 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000000..19cea410dc
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
1CVE-2015-6563
2
3Don't resend username to PAM; it already has it.
4Pointed out by Moritz Jodeit; ok dtucker@
5
6Upstream-Status: Backport
7https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
8
9Signed-off-by: Armin Kuster <akuster@mvista.com>
10
11Index: openssh-6.7p1/monitor.c
12===================================================================
13--- openssh-6.7p1.orig/monitor.c
14+++ openssh-6.7p1/monitor.c
15@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
16 int
17 mm_answer_pam_init_ctx(int sock, Buffer *m)
18 {
19-
20 debug3("%s", __func__);
21- authctxt->user = buffer_get_string(m, NULL);
22 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
23 sshpam_authok = NULL;
24 buffer_clear(m);
25Index: openssh-6.7p1/monitor_wrap.c
26===================================================================
27--- openssh-6.7p1.orig/monitor_wrap.c
28+++ openssh-6.7p1/monitor_wrap.c
29@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
30
31 debug3("%s", __func__);
32 buffer_init(&m);
33- buffer_put_cstring(&m, authctxt->user);
34 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
35 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
36 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..588d42d766
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
1CVE-2015-6564
2
3 set sshpam_ctxt to NULL after free
4
5 Avoids use-after-free in monitor when privsep child is compromised.
6 Reported by Moritz Jodeit; ok dtucker@
7
8Upstream-Status: Backport
9https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
10
11Signed-off-by: Armin Kuster <akuster@mvista.com>
12
13Index: openssh-6.7p1/monitor.c
14===================================================================
15--- openssh-6.7p1.orig/monitor.c
16+++ openssh-6.7p1/monitor.c
17@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
18 int
19 mm_answer_pam_free_ctx(int sock, Buffer *m)
20 {
21+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
22
23 debug3("%s", __func__);
24 (sshpam_device.free_ctx)(sshpam_ctxt);
25+ sshpam_ctxt = sshpam_authok = NULL;
26 buffer_clear(m);
27 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
28 auth_method = "keyboard-interactive";
29 auth_submethod = "pam";
30- return (sshpam_authok == sshpam_ctxt);
31+ return r;
32 }
33 #endif
34
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000000..42667b05a0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
1CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
2
3fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
4
5Upstream-Status: Backport
6
7merged two changes into one.
8[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
9tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
10
11[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
12fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16Index: openssh-6.7p1/sshpty.c
17===================================================================
18--- openssh-6.7p1.orig/sshpty.c
19+++ openssh-6.7p1/sshpty.c
20@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
21
22 /* Determine the group to make the owner of the tty. */
23 grp = getgrnam("tty");
24- if (grp) {
25- gid = grp->gr_gid;
26- mode = S_IRUSR | S_IWUSR | S_IWGRP;
27- } else {
28- gid = pw->pw_gid;
29- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
30- }
31+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
32+ mode = (grp != NULL) ? 0620 : 0600;
33
34 /*
35 * Change owner and mode of the tty as required.
diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index a2726291fe..aa71cc1ef4 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -21,7 +21,11 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
21 file://volatiles.99_sshd \ 21 file://volatiles.99_sshd \
22 file://add-test-support-for-busybox.patch \ 22 file://add-test-support-for-busybox.patch \
23 file://run-ptest \ 23 file://run-ptest \
24 file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" 24 file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \
25 file://CVE-2015-6563.patch \
26 file://CVE-2015-6564.patch \
27 file://CVE-2015-6565.patch \
28 "
25 29
26PAM_SRC_URI = "file://sshd" 30PAM_SRC_URI = "file://sshd"
27 31