authorTimo Teräs <timo.teras@iki.fi>2014-04-21 10:34:59 +0000
committerTimo Teräs <timo.teras@iki.fi>2014-04-21 10:34:59 +0000
commit71bd4159f75887e3fa43dc15fb4f42a81feb0467 (patch)
tree425f7542adc4ddf43514a970d7b82d2fe393bf89 /main/openssh
parent3f507d9733ce2f29853c26ae0746e3ac2c16c90e (diff)
downloadaports-71bd4159f75887e3fa43dc15fb4f42a81feb0467.tar.bz2
aports-71bd4159f75887e3fa43dc15fb4f42a81feb0467.tar.xz
main/openssh: security fix for CVE-2014-2653
fixes #2859
Diffstat (limited to 'main/openssh')
-rw-r--r--main/openssh/APKBUILD21
-rw-r--r--main/openssh/CVE-2014-2653.patch74
2 files changed, 87 insertions, 8 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 2c6106617a..14fa9b1064 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.2_p2
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=3
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -14,9 +14,11 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
openssh-peaktput.diff
openssh-hmac-accel.diff
CVE-2013-4548.patch
+ CVE-2014-2532.patch
+ CVE-2014-2653.patch
+
sshd.initd
sshd.confd
- CVE-2014-2532.patch
"
# openssh-dynwindow_noneswitch.diff
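Review bot: The added empty `+` line between `CVE-2014-2653.patch` and `sshd.initd` is a stray blank entry inside the quoted `source=` list; drop it so the list stays one file per line, leaving `CVE-2014-2653.patch` immediately followed by `sshd.initd`. Regrouping `CVE-2014-2532.patch` next to the other CVE patches is fine on its own. Whether the new patch is actually applied depends on the prepare/build step, which is outside this hunk and should be checked if it enumerates patches by an explicit list rather than by `*.patch`.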
@@ -99,20 +101,23 @@ md5sums="be46174dcbb77ebb4ea88ef140685de1 openssh-6.2p2.tar.gz
949ff348573438163240c60d6c3618eb openssh-peaktput.diff
c65d454dc5b149647273485fc184636d openssh-hmac-accel.diff
e71e89af4bb76c8b7129c40364fbeb6e CVE-2013-4548.patch
+e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch
+82a3a5b6f1eda13b7957ed391964730b CVE-2014-2653.patch
cb0dd08c413fad346f0c594107b4a2e0 sshd.initd
-b35e9f3829f4cfca07168fcba98749c7 sshd.confd
-e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch"
+b35e9f3829f4cfca07168fcba98749c7 sshd.confd"
sha256sums="7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b openssh-6.2p2.tar.gz
dab18c1fd1496c1ba4a4fe08c6c6b8cf3347fc82878d85498202f50168161f6b openssh-peaktput.diff
902ea83a9ef726f32b096280da0f1b722f4372886c65c4e28985ee57e725d95c openssh-hmac-accel.diff
96ad041fba62cf5ed0297063c05a2507f82ffbf0f0f6ec4d26f862f358606204 CVE-2013-4548.patch
+323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch
+f5c03b6b70f247b026706116ef08f5e7120dc92e70d46a23dcff445969cf7542 CVE-2014-2653.patch
3fa062fd4bfac64abf21f3c1d0548f1dfcf3c6e56e84ece14c848f53a293024e sshd.initd
-29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd
-323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch"
+29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd"
sha512sums="80c8fb6bb25e86e8261cc7c6671773cdc0d9b0da9c9ebca33b3d5278c44197734fe32e878e1f444b693c4b49b0a525458aa07e57c231cefafc23a9c6975b05df openssh-6.2p2.tar.gz
64f2c94f41225c76428440d778b0bf5657408123d1cd7d6cb4bdf5000bfba8ad80ec5e57acd0880adc7a8ea7e2f1a64e329b83cf8be630b9aaebff6ab138d025 openssh-peaktput.diff
aaa128126400171d0755038a846672aa7b1e87340edf73a672962d403abf404ef1821466b17da51dde25f04ec7533ae4a653399ccc912ea9c4a7b1a14032e76f openssh-hmac-accel.diff
a61c91b0addb2308cf6c6747451d66eb9c07eeec1dcb5fcd4b2204688b4a158b3f3c8222298f904383c651798c57e24babd3b6e949a6319d7ef37d5f24b01114 CVE-2013-4548.patch
+4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch
+62bc046b275192433bda2f5341c7061cea51429fcf66a6b93a36d2b7420ed783f62747b173b3dc524e12090cdb93cf332800514a7644437b8dcb19c7f30b18d9 CVE-2014-2653.patch
1483e2bcd700da9b02f04508d490b472c816344787bf1675fef2f7e27f72b91e4323e4e8c1db701e47d81d37d6d4b0623eaeac46b2cf589ae5ad69f363baa594 sshd.initd
-b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd
-4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch"
+b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd"
diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch
new file mode 100644
index 0000000000..2bf858ada4
--- /dev/null
+++ b/main/openssh/CVE-2014-2653.patch
@@ -0,0 +1,74 @@
+Description: Attempt SSHFP lookup even if server presents a certificate
+ If an ssh server presents a certificate to the client, then the client does
+ not check the DNS for SSHFP records. This means that a malicious server can
+ essentially disable DNS-host-key-checking, which means the client will fall
+ back to asking the user (who will just say "yes" to the fingerprint,
+ sadly).
+ .
+ This is CVE-2014-2653.
+Author: Damien Miller <djm@mindrot.org>
+Reviewed-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Forwarded: not-needed
+Last-Update: 2014-04-03
+
+Index: b/sshconnect.c
+===================================================================
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1110,29 +1110,39 @@
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ xfree(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
++ }
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
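Review bot: The key handed to `verify_host_key_dns(host, hostaddr, plain, &flags)` is the certificate stripped down by `key_drop_cert(plain)`, so for a cert-presenting server the SSHFP record must hold the server's own host key rather than the CA key, and the patch Description should say so, e.g. `SSHFP records are matched against the plain host key carried inside the certificate, not the CA key.` The inner hunk header `@@ -1110,29 +1110,39 @@` and the `Last-Update: 2014-04-03` trailer come from the Debian packaging, so it is worth confirming the hunk applies to 6.2p2 without fuzz, since this package tracks an older release than Debian's. The fix only takes effect on clients that have `options.verify_host_key_dns` set; nothing in this commit enables it, so users relying on SSHFP still need VerifyHostKeyDNS configured. The enclosing function starts and ends outside the inner hunk.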