authorNatanael Copa <ncopa@alpinelinux.org>2015-08-26 11:28:34 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2015-08-26 10:06:26 +0000
commit9f54596949dd38f889aab1798292ffe1c3bc7ed3 (patch)
tree2f3adc5c6a870267be1dc68ce4901a79983f924e /main/openssh
parent3258276769d93b7859db17fb0ed1e7e3a33b8d1c (diff)
main/openssh: security fixes from upstream
fixes #4579 CVE-2015-6563: sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. CVE-2015-6564: sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit. CVE-2015-6565: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev. (cherry picked from commit 26c30cf5be4151eee04678ad118d056de0601833)
Diffstat (limited to 'main/openssh')
-rw-r--r--main/openssh/APKBUILD20
-rw-r--r--main/openssh/CVE-2015-6563.patch37
-rw-r--r--main/openssh/CVE-2015-6564.patch33
-rw-r--r--main/openssh/CVE-2015-6565.patch72
4 files changed, 158 insertions, 4 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 6ba8ebe756..337e696d9e 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.4_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=3
+pkgrel=4
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -21,6 +21,9 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
CVE-2014-2532.patch
CVE-2014-2653.patch
CVE-2015-5600.patch
+ CVE-2015-6563.patch
+ CVE-2015-6564.patch
+ CVE-2015-6565.patch
"
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
@@ -114,7 +117,10 @@ cb0dd08c413fad346f0c594107b4a2e0 sshd.initd
b35e9f3829f4cfca07168fcba98749c7 sshd.confd
e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch
02a7de5652d9769576e3b252d768cd0f CVE-2014-2653.patch
-188d255048996a0f2dce35031a9fdb07 CVE-2015-5600.patch"
+188d255048996a0f2dce35031a9fdb07 CVE-2015-5600.patch
+ae3ac6c890f3172327118f3b793e7f05 CVE-2015-6563.patch
+9e107e2636250f33199ba47550ceca1e CVE-2015-6564.patch
+48b16c12877d665d9701809fdc6f4bc6 CVE-2015-6565.patch"
sha256sums="5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2 openssh-6.4p1.tar.gz
4f78f16807c6b6a3a3773c000b85df0c56ea8a93dc35eaa6bbdffe6e30328e58 openssh6.2-dynwindows.diff
6e803be3b3569eedfe69d9e9aeabef2e3fec2ed28f75bc456dfd69c2ef2c8198 openssh-peaktput.diff
@@ -125,7 +131,10 @@ f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde openssh-fix-ut
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd
323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch
03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd CVE-2014-2653.patch
-d7bc0d62a9741775ab618725c63c9bdda915e5c6d2e8a4c6995ebe1fa8b3224f CVE-2015-5600.patch"
+d7bc0d62a9741775ab618725c63c9bdda915e5c6d2e8a4c6995ebe1fa8b3224f CVE-2015-5600.patch
+044c3ceeb69c4812414bc605d3fd1f49e48623fe75b958f130420c9a3a3d3914 CVE-2015-6563.patch
+0f4db4d65edbbef21862ac10714bdd4f8911cf9f9b6eb220f94663be0c4872c8 CVE-2015-6564.patch
+e42adee1f712850efcce272b556909fd3daf688c1f6059d86bfcc064cea09e87 CVE-2015-6565.patch"
sha512sums="f87b3e1d3110b87c1dfff729459ff26024863480c8eb4449b9e3b0b750d187acdfedb199ca4ea133b5dfa436bed0e2eea7607392d451b18c626c4dc1d38bb52a openssh-6.4p1.tar.gz
773cc0629e17a8f78e82be56e579855ea9b3ca8fd26360964aee854d717a7cfc2c9d4d654cf0fda5723c3aabe96e48ee2cfe6d1fd64b5717f0ef5eb997d00293 openssh6.2-dynwindows.diff
64f5aff3fc1a0d2f7c65ea875d1c2c4d98a3d305ff2677d9d4ca82f20778df9e317b1bfc428cee2b0df1bfa01a65dfcf83b68435a227a23a2cf3400fef35d656 openssh-peaktput.diff
@@ -136,4 +145,7 @@ cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770
b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd
4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch
be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40 CVE-2014-2653.patch
-c53410eb119fdba313661bdffbbbc0e19970c2321fdf24cb086d1946d0f99c8fb06c65b7edc52a746024caa1c6cf87dfc19758e28ff2935a555ac04c9437827a CVE-2015-5600.patch"
+c53410eb119fdba313661bdffbbbc0e19970c2321fdf24cb086d1946d0f99c8fb06c65b7edc52a746024caa1c6cf87dfc19758e28ff2935a555ac04c9437827a CVE-2015-5600.patch
+7ab16c39dc02d38c2b8498a187c43637f6e8a06dc9786d1746010d2d416d979c34103bd6f95365664a143641d85d6985f73bcf055f5eb481ec34ad2a7ee2e939 CVE-2015-6563.patch
+e5a7d536837aefb07260b01c2863f96d0db2521d7739ded69f92490fad4c8537c853320458cdbc3a86cd90805d54fc87e081ece1dd4cb19392599888f9078e26 CVE-2015-6564.patch
+2f74906d7bfc2ca48f001470606a055ade36b44c17d386ed89e44507c8821f1c7b48eed022be729459185d5b6f848fd5763f7b711e106fbc20fb18c10bb688bd CVE-2015-6565.patch"
diff --git a/main/openssh/CVE-2015-6563.patch b/main/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000000..d3bdcac132
--- /dev/null
+++ b/main/openssh/CVE-2015-6563.patch
@@ -0,0 +1,37 @@
+From d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:33:24 +1000
+Subject: [PATCH] Don't resend username to PAM; it already has it.
+
+Pointed out by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 2 --
+ monitor_wrap.c | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
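Review bot: With the `buffer_get_string` line removed, `mm_answer_pam_init_ctx` hands `authctxt` to `init_ctx` on the assumption that the monitor already holds the user name from an earlier request, and nothing in the hunk states or checks that. A comment above the call would record the intent, for example `/* user comes from the monitor's own authctxt; a name sent by the unprivileged child must not be accepted here */`. The read removed from monitor.c and the `buffer_put_cstring` removed from monitor_wrap.c change the message layout on both sides of the privsep channel, so the two embedded hunks have to be applied together. Both function bodies continue outside their hunks.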
diff --git a/main/openssh/CVE-2015-6564.patch b/main/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..e278dd7414
--- /dev/null
+++ b/main/openssh/CVE-2015-6564.patch
@@ -0,0 +1,33 @@
+From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: [PATCH] set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/monitor.c b/monitor.c
+index f1b873d..a914209 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
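Review bot: After `sshpam_ctxt = sshpam_authok = NULL;`, a repeated free request from the privsep child would reach `(sshpam_device.free_ctx)(sshpam_ctxt)` with a NULL argument. Whether `free_ctx` and the other PAM handlers (such as `mm_answer_pam_respond`, named in the hunk header) tolerate a NULL context is not visible here. An explicit guard at the top of `mm_answer_pam_free_ctx` would make the precondition clear: `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);`. Capturing `r` before the free, with the added `sshpam_authok != NULL` test, is needed because a comparison made after the reset would match NULL against NULL.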
diff --git a/main/openssh/CVE-2015-6565.patch b/main/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000000..40fe7779ac
--- /dev/null
+++ b/main/openssh/CVE-2015-6565.patch
@@ -0,0 +1,72 @@
+From a5883d4eccb94b16c355987f58f86a7dee17a0c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 3 Sep 2014 18:55:07 +0000
+Subject: [PATCH] upstream commit
+
+tighten permissions on pty when the "tty" group does
+ not exist; pointed out by Corinna Vinschen; ok markus
+---
+ sshpty.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/sshpty.c b/sshpty.c
+index a2059b7..d2ff8c1 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.28 2007/09/11 23:49:09 stevesk Exp $ */
++/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const char *tty)
+
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+- if (grp) {
+- gid = grp->gr_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP;
+- } else {
+- gid = pw->pw_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+- }
++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++ mode = (grp != NULL) ? 0622 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
+From 6f941396b6835ad18018845f515b0c4fe20be21a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 30 Jul 2015 23:09:15 +0000
+Subject: upstream commit
+
+fix pty permissions; patch from Nikolay Edigaryev; ok
+ deraadt
+
+Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
+---
+ sshpty.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshpty.c b/sshpty.c
+index 7bb7641..15da8c6 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
++/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+- mode = (grp != NULL) ? 0622 : 0600;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
+--
+cgit v0.11.2
+
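Review bot: This patch file carries two upstream commits with no explanation of why, and the first one (sshpty.c 1.29) on its own sets `mode` to `0622` when the tty group exists. That is the world-writable state the second commit (1.30) corrects to `0620`. Read against the removed lines, the net effect on this package appears to be that the tty-group case stays at owner read/write plus group write, while the case without a tty group is tightened from a mode that included `S_IWOTH` to `0600`. A short header at the top of the patch file would stop a later maintainer from splitting it or dropping the second half, for example `# sshpty.c 1.29 is only a prerequisite for 1.30; never apply 1.29 alone`. The body of `pty_setowner` continues outside both embedded hunks.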