Browse code
openssh: Fix for CVE-2018-15473
Added a patch to fix CVE-2018-15473
* Ported the patch as it was not directly
getting applied
Change-Id: I4c299b3ab48fb0a4bdaebf67843da66b7d1ede7c
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6547
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Ankit Jain authored on 2019/01/22 03:01:25Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,151 @@ |
| 0 |
+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: djm <djm@openbsd.org> |
|
| 2 |
+Date: Tue, 31 Jul 2018 03:10:27 +0000 |
|
| 3 |
+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?= |
|
| 4 |
+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?= |
|
| 5 |
+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?= |
|
| 6 |
+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= |
|
| 7 |
+MIME-Version: 1.0 |
|
| 8 |
+Content-Type: text/plain; charset=UTF-8 |
|
| 9 |
+Content-Transfer-Encoding: 8bit |
|
| 10 |
+ |
|
| 11 |
+--- |
|
| 12 |
+ auth2-gss.c | 11 +++++++---- |
|
| 13 |
+ auth2-hostbased.c | 11 ++++++----- |
|
| 14 |
+ auth2-pubkey.c | 25 +++++++++++++++---------- |
|
| 15 |
+ 3 files changed, 28 insertions(+), 19 deletions(-) |
|
| 16 |
+ |
|
| 17 |
+diff --git a/auth2-gss.c b/auth2-gss.c |
|
| 18 |
+index 1ca8357..250e93d 100644 |
|
| 19 |
+--- a/auth2-gss.c |
|
| 20 |
+@@ -1,4 +1,4 @@ |
|
| 21 |
+-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ |
|
| 22 |
++/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ |
|
| 23 |
+ |
|
| 24 |
+ /* |
|
| 25 |
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
|
| 26 |
+@@ -68,9 +68,6 @@ userauth_gssapi(Authctxt *authctxt) |
|
| 27 |
+ u_int len; |
|
| 28 |
+ u_char *doid = NULL; |
|
| 29 |
+ |
|
| 30 |
+- if (!authctxt->valid || authctxt->user == NULL) |
|
| 31 |
+- return (0); |
|
| 32 |
+- |
|
| 33 |
+ mechs = packet_get_int(); |
|
| 34 |
+ if (mechs == 0) {
|
|
| 35 |
+ debug("Mechanism negotiation is not supported");
|
|
| 36 |
+@@ -101,6 +98,12 @@ userauth_gssapi(Authctxt *authctxt) |
|
| 37 |
+ return (0); |
|
| 38 |
+ } |
|
| 39 |
+ |
|
| 40 |
++ if (!authctxt->valid || authctxt->user == NULL) {
|
|
| 41 |
++ debug2("%s: disabled because of invalid user", __func__);
|
|
| 42 |
++ free(doid); |
|
| 43 |
++ return (0); |
|
| 44 |
++ } |
|
| 45 |
++ |
|
| 46 |
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
|
| 47 |
+ if (ctxt != NULL) |
|
| 48 |
+ ssh_gssapi_delete_ctx(&ctxt); |
|
| 49 |
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c |
|
| 50 |
+index 1b3c3b2..0076a34 100644 |
|
| 51 |
+--- a/auth2-hostbased.c |
|
| 52 |
+@@ -1,4 +1,4 @@ |
|
| 53 |
+-/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */ |
|
| 54 |
++/* $OpenBSD: auth2-hostbased.c,v 1.36 2018/07/31 03:10:27 djm Exp $ */ |
|
| 55 |
+ /* |
|
| 56 |
+ * Copyright (c) 2000 Markus Friedl. All rights reserved. |
|
| 57 |
+ * |
|
| 58 |
+@@ -66,10 +66,6 @@ userauth_hostbased(Authctxt *authctxt) |
|
| 59 |
+ int pktype; |
|
| 60 |
+ int authenticated = 0; |
|
| 61 |
+ |
|
| 62 |
+- if (!authctxt->valid) {
|
|
| 63 |
+- debug2("userauth_hostbased: disabled because of invalid user");
|
|
| 64 |
+- return 0; |
|
| 65 |
+- } |
|
| 66 |
+ pkalg = packet_get_string(&alen); |
|
| 67 |
+ pkblob = packet_get_string(&blen); |
|
| 68 |
+ chost = packet_get_string(NULL); |
|
| 69 |
+@@ -115,6 +111,11 @@ userauth_hostbased(Authctxt *authctxt) |
|
| 70 |
+ goto done; |
|
| 71 |
+ } |
|
| 72 |
+ |
|
| 73 |
++ if (!authctxt->valid || authctxt->user == NULL) {
|
|
| 74 |
++ debug2("%s: disabled because of invalid user", __func__);
|
|
| 75 |
++ goto done; |
|
| 76 |
++ } |
|
| 77 |
++ |
|
| 78 |
+ service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
|
| 79 |
+ authctxt->service; |
|
| 80 |
+ buffer_init(&b); |
|
| 81 |
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
|
| 82 |
+index 3e5706f..301b17f 100644 |
|
| 83 |
+--- a/auth2-pubkey.c |
|
| 84 |
+@@ -1,4 +1,4 @@ |
|
| 85 |
+-/* $OpenBSD: auth2-pubkey.c,v 1.62 2017/01/30 01:03:00 djm Exp $ */ |
|
| 86 |
++/* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */ |
|
| 87 |
+ /* |
|
| 88 |
+ * Copyright (c) 2000 Markus Friedl. All rights reserved. |
|
| 89 |
+ * |
|
| 90 |
+@@ -79,16 +79,12 @@ userauth_pubkey(Authctxt *authctxt) |
|
| 91 |
+ {
|
|
| 92 |
+ Buffer b; |
|
| 93 |
+ Key *key = NULL; |
|
| 94 |
+- char *pkalg, *userstyle, *fp = NULL; |
|
| 95 |
+- u_char *pkblob, *sig; |
|
| 96 |
++ char *pkalg = NULL, *userstyle = NULL, *fp = NULL; |
|
| 97 |
++ u_char *pkblob = NULL, *sig = NULL; |
|
| 98 |
+ u_int alen, blen, slen; |
|
| 99 |
+ int have_sig, pktype; |
|
| 100 |
+ int authenticated = 0; |
|
| 101 |
+ |
|
| 102 |
+- if (!authctxt->valid) {
|
|
| 103 |
+- debug2("%s: disabled because of invalid user", __func__);
|
|
| 104 |
+- return 0; |
|
| 105 |
+- } |
|
| 106 |
+ have_sig = packet_get_char(); |
|
| 107 |
+ if (datafellows & SSH_BUG_PKAUTH) {
|
|
| 108 |
+ debug2("%s: SSH_BUG_PKAUTH", __func__);
|
|
| 109 |
+@@ -149,6 +145,11 @@ userauth_pubkey(Authctxt *authctxt) |
|
| 110 |
+ } else {
|
|
| 111 |
+ buffer_put_string(&b, session_id2, session_id2_len); |
|
| 112 |
+ } |
|
| 113 |
++ if (!authctxt->valid || authctxt->user == NULL) {
|
|
| 114 |
++ debug2("%s: disabled because of invalid user",
|
|
| 115 |
++ __func__); |
|
| 116 |
++ goto done; |
|
| 117 |
++ } |
|
| 118 |
+ /* reconstruct packet */ |
|
| 119 |
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); |
|
| 120 |
+ xasprintf(&userstyle, "%s%s%s", authctxt->user, |
|
| 121 |
+@@ -184,12 +185,17 @@ userauth_pubkey(Authctxt *authctxt) |
|
| 122 |
+ key = NULL; /* Don't free below */ |
|
| 123 |
+ } |
|
| 124 |
+ buffer_free(&b); |
|
| 125 |
+- free(sig); |
|
| 126 |
+ } else {
|
|
| 127 |
+ debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
|
|
| 128 |
+ __func__, sshkey_type(key), fp); |
|
| 129 |
+ packet_check_eom(); |
|
| 130 |
+ |
|
| 131 |
++ if (!authctxt->valid || authctxt->user == NULL) {
|
|
| 132 |
++ debug2("%s: disabled because of invalid user",
|
|
| 133 |
++ __func__); |
|
| 134 |
++ goto done; |
|
| 135 |
++ } |
|
| 136 |
++ |
|
| 137 |
+ /* XXX fake reply and always send PK_OK ? */ |
|
| 138 |
+ /* |
|
| 139 |
+ * XXX this allows testing whether a user is allowed |
|
| 140 |
+@@ -216,6 +222,7 @@ done: |
|
| 141 |
+ free(pkalg); |
|
| 142 |
+ free(pkblob); |
|
| 143 |
+ free(fp); |
|
| 144 |
++ free(sig); |
|
| 145 |
+ return authenticated; |
|
| 146 |
+ } |
|
| 147 |
+ |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Free version of the SSH connectivity tools |
| 2 | 2 |
Name: openssh |
| 3 | 3 |
Version: 7.5p1 |
| 4 |
-Release: 10%{?dist}
|
|
| 4 |
+Release: 11%{?dist}
|
|
| 5 | 5 |
License: BSD |
| 6 | 6 |
URL: https://www.openssh.com/ |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -17,6 +17,7 @@ Patch0: blfs_systemd_fixes.patch |
| 17 | 17 |
Patch1: openssh-7.5p1-fips.patch |
| 18 | 18 |
Patch2: openssh-7.5p1-configure-fips.patch |
| 19 | 19 |
Patch3: openssh-CVE-2017-15906.patch |
| 20 |
+Patch4: openssh-CVE-2018-15473.patch |
|
| 20 | 21 |
BuildRequires: openssl-devel |
| 21 | 22 |
BuildRequires: Linux-PAM-devel |
| 22 | 23 |
BuildRequires: krb5-devel |
| ... | ... |
@@ -53,6 +54,7 @@ tar xf %{SOURCE1} --no-same-owner
|
| 53 | 53 |
%patch1 -p1 |
| 54 | 54 |
%patch2 -p1 |
| 55 | 55 |
%patch3 -p3 |
| 56 |
+%patch4 -p1 |
|
| 56 | 57 |
%build |
| 57 | 58 |
./configure \ |
| 58 | 59 |
CFLAGS="%{optflags}" \
|
| ... | ... |
@@ -180,6 +182,8 @@ rm -rf %{buildroot}/*
|
| 180 | 180 |
%{_mandir}/man8/ssh-pkcs11-helper.8.gz
|
| 181 | 181 |
|
| 182 | 182 |
%changelog |
| 183 |
+* Tue Jan 22 2019 Ankit Jain <ankitja@vmware.comm> 7.5p1-11 |
|
| 184 |
+- Fix CVE-2018-15473. |
|
| 183 | 185 |
* Tue Nov 28 2017 Xiaolin Li <xiaolinl@vmware.comm> 7.5p1-10 |
| 184 | 186 |
- Fix CVE-2017-15906. |
| 185 | 187 |
* Tue Nov 14 2017 Anish Swaminathan <anishs@vmware.com> 7.5p1-9 |