summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-09-09 00:22:26 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-30 12:03:13 (GMT)
commit73a04a266cb2bfc2bd5c7ed0155bf4204baf9072 (patch)
treeddbdeb88a7be165bba16bcd3c762536d53477fe5
parentb3269fc2e67e17a426564166f6c956086ad0f0f0 (diff)
downloadpoky-73a04a266cb2bfc2bd5c7ed0155bf4204baf9072.tar.gz
openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
three security fixes. CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable (From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f) (From OE-Core rev: ddfe191355a042e6995f7b4b725b108c5bb4d36e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Conflicts: meta/recipes-connectivity/openssh/openssh_6.6p1.bb Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch36
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch34
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch35
-rw-r--r--meta/recipes-connectivity/openssh/openssh_6.6p1.bb5
4 files changed, 109 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000..19cea41
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
1CVE-2015-6563
2
3Don't resend username to PAM; it already has it.
4Pointed out by Moritz Jodeit; ok dtucker@
5
6Upstream-Status: Backport
7https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
8
9Signed-off-by: Armin Kuster <akuster@mvista.com>
10
11Index: openssh-6.7p1/monitor.c
12===================================================================
13--- openssh-6.7p1.orig/monitor.c
14+++ openssh-6.7p1/monitor.c
15@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
16 int
17 mm_answer_pam_init_ctx(int sock, Buffer *m)
18 {
19-
20 debug3("%s", __func__);
21- authctxt->user = buffer_get_string(m, NULL);
22 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
23 sshpam_authok = NULL;
24 buffer_clear(m);
25Index: openssh-6.7p1/monitor_wrap.c
26===================================================================
27--- openssh-6.7p1.orig/monitor_wrap.c
28+++ openssh-6.7p1/monitor_wrap.c
29@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
30
31 debug3("%s", __func__);
32 buffer_init(&m);
33- buffer_put_cstring(&m, authctxt->user);
34 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
35 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
36 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000..588d42d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
1CVE-2015-6564
2
3 set sshpam_ctxt to NULL after free
4
5 Avoids use-after-free in monitor when privsep child is compromised.
6 Reported by Moritz Jodeit; ok dtucker@
7
8Upstream-Status: Backport
9https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
10
11Signed-off-by: Armin Kuster <akuster@mvista.com>
12
13Index: openssh-6.7p1/monitor.c
14===================================================================
15--- openssh-6.7p1.orig/monitor.c
16+++ openssh-6.7p1/monitor.c
17@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
18 int
19 mm_answer_pam_free_ctx(int sock, Buffer *m)
20 {
21+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
22
23 debug3("%s", __func__);
24 (sshpam_device.free_ctx)(sshpam_ctxt);
25+ sshpam_ctxt = sshpam_authok = NULL;
26 buffer_clear(m);
27 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
28 auth_method = "keyboard-interactive";
29 auth_submethod = "pam";
30- return (sshpam_authok == sshpam_ctxt);
31+ return r;
32 }
33 #endif
34
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000..42667b0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
1CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
2
3fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
4
5Upstream-Status: Backport
6
7merged two changes into one.
8[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
9tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
10
11[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
12fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16Index: openssh-6.7p1/sshpty.c
17===================================================================
18--- openssh-6.7p1.orig/sshpty.c
19+++ openssh-6.7p1/sshpty.c
20@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
21
22 /* Determine the group to make the owner of the tty. */
23 grp = getgrnam("tty");
24- if (grp) {
25- gid = grp->gr_gid;
26- mode = S_IRUSR | S_IWUSR | S_IWGRP;
27- } else {
28- gid = pw->pw_gid;
29- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
30- }
31+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
32+ mode = (grp != NULL) ? 0620 : 0600;
33
34 /*
35 * Change owner and mode of the tty as required.
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index f575665..4b88704 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
25 file://run-ptest \ 25 file://run-ptest \
26 file://openssh-CVE-2014-2532.patch \ 26 file://openssh-CVE-2014-2532.patch \
27 file://openssh-CVE-2014-2653.patch \ 27 file://openssh-CVE-2014-2653.patch \
28 file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" 28 file://CVE-2015-6563.patch \
29 file://CVE-2015-6564.patch \
30 file://CVE-2015-6565.patch \
31 "
29 32
30PAM_SRC_URI = "file://sshd" 33PAM_SRC_URI = "file://sshd"
31 34