diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-22 08:56:21 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-22 08:56:21 +0000 |
commit | c314d18b4e1c932d8670c49f265f919242b7a17b (patch) | |
tree | 6a63d1d4323db9d3e1e64e79fc7964eaedc3124a /main/openssh | |
parent | 778979325b80c0140f80ecb4558828ed3e8544f4 (diff) | |
download | aports-c314d18b4e1c932d8670c49f265f919242b7a17b.tar.bz2 aports-c314d18b4e1c932d8670c49f265f919242b7a17b.tar.xz |
main/openssh: backport security fix (CVE-2018-15473)
fixes #9317
Diffstat (limited to 'main/openssh')
-rw-r--r-- | main/openssh/APKBUILD | 6 | ||||
-rw-r--r-- | main/openssh/CVE-2018-15473.patch | 146 |
2 files changed, 151 insertions, 1 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD index 758157e31d..4242bf210f 100644 --- a/main/openssh/APKBUILD +++ b/main/openssh/APKBUILD @@ -4,7 +4,7 @@ pkgname=openssh pkgver=7.7_p1 _myver=${pkgver%_*}${pkgver#*_} -pkgrel=3 +pkgrel=4 pkgdesc="Port of OpenBSD's free SSH release" url="http://www.openssh.org/portable.html" arch="all" @@ -35,10 +35,13 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar bsd-compatible-realpath.patch sftp-interactive.patch disable-forwarding-by-default.patch + CVE-2018-15473.patch sshd.initd sshd.confd " # secfixes: +# 7.7_p1-r4: +# - CVE-2018-15473 # 7.5_p1-r8: # - CVE-2017-15906 # 7.4_p1-r0: @@ -199,5 +202,6 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894 f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch +3f8d0b8547965c47ac8980d45a55f48472a60a2cbba3d552cb3a8c383455830e309b2df4e0afd4b01a53b7e45197fc172760e41302c10fdd0b55dbb85a6d9d87 CVE-2018-15473.patch bcd56bebe37acb69986abd247d6b74daf7dde1712f30640244a1dd70c505a6a536c5536bef11345e128b6785e1c8ff9736627556e702218805fb14b23bd7047c sshd.initd ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd" diff --git a/main/openssh/CVE-2018-15473.patch b/main/openssh/CVE-2018-15473.patch new file mode 100644 index 0000000000..77e71727aa --- /dev/null +++ b/main/openssh/CVE-2018-15473.patch @@ -0,0 +1,146 @@ +From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001 +From: djm <djm@openbsd.org> +Date: Tue, 31 Jul 2018 03:10:27 +0000 +Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?= + =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?= + =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?= + =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + usr.bin/ssh/auth2-gss.c | 11 +++++++---- + usr.bin/ssh/auth2-hostbased.c | 11 ++++++----- + usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++---------- + 3 files changed, 28 insertions(+), 19 deletions(-) + +diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c +index 649c830916a..c919ef4c353 100644 +--- a/auth2-gss.c ++++ b/auth2-gss.c +@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh) + u_int len; + u_char *doid = NULL; + +- if (!authctxt->valid || authctxt->user == NULL) +- return (0); +- + mechs = packet_get_int(); + if (mechs == 0) { + debug("Mechanism negotiation is not supported"); +@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh) + return (0); + } + ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", __func__); ++ free(doid); ++ return (0); ++ } ++ + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { + if (ctxt != NULL) + ssh_gssapi_delete_ctx(&ctxt); +diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c +index ad335555934..fb5e5f42272 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c +@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh) + size_t alen, blen, slen; + int r, pktype, authenticated = 0; + +- if (!authctxt->valid) { +- debug2("%s: disabled because of invalid user", __func__); +- return 0; +- } + /* XXX use sshkey_froms() */ + if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || + (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || +@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh) + goto done; + } + ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", __func__); ++ goto done; ++ } ++ + if ((b = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + /* reconstruct packet */ +diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c +index 195da5e2111..af9e5f04c45 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -86,19 +86,15 @@ userauth_pubkey(struct ssh *ssh) + { + Authctxt *authctxt = ssh->authctxt; + struct passwd *pw = authctxt->pw; +- struct sshbuf *b; ++ struct sshbuf *b = NULL; + struct sshkey *key = NULL; +- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; +- u_char *pkblob, *sig, have_sig; ++ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; ++ u_char *pkblob = NULL, *sig = NULL, have_sig; + size_t blen, slen; + int r, pktype; + int authenticated = 0; + struct sshauthopt *authopts = NULL; + +- if (!authctxt->valid) { +- debug2("%s: disabled because of invalid user", __func__); +- return 0; +- } + if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || + (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || + (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) +@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh) + fatal("%s: sshbuf_put_string session id: %s", + __func__, ssh_err(r)); + } ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", ++ __func__); ++ goto done; ++ } + /* reconstruct packet */ + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", +@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh) + #ifdef DEBUG_PK + sshbuf_dump(b, stderr); + #endif +- + /* test for correct signature */ + authenticated = 0; + if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && +@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh) + authenticated = 1; + } + sshbuf_free(b); +- free(sig); + auth2_record_key(authctxt, authenticated, key); + } else { + debug("%s: test pkalg %s pkblob %s%s%s", +@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh) + if ((r = sshpkt_get_end(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); + ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", ++ __func__); ++ goto done; ++ } + /* XXX fake reply and always send PK_OK ? */ + /* + * XXX this allows testing whether a user is allowed +@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh) + free(pkblob); + free(key_s); + free(ca_s); ++ free(sig); + return authenticated; + } + |