1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-gss.c openssh-7.5p1-CVE-2018-15473/auth2-gss.c
--- openssh-7.5p1/auth2-gss.c 2018-08-22 19:17:35.750907742 +0200
+++ openssh-7.5p1-CVE-2018-15473/auth2-gss.c 2018-08-22 19:18:29.481548784 +0200
@@ -103,9 +103,6 @@
u_int len;
u_char *doid = NULL;
- if (!authctxt->valid || authctxt->user == NULL)
- return (0);
-
mechs = packet_get_int();
if (mechs == 0) {
debug("Mechanism negotiation is not supported");
@@ -136,6 +133,12 @@
return (0);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ free(doid);
+ return (0);
+ }
+
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-hostbased.c openssh-7.5p1-CVE-2018-15473/auth2-hostbased.c
--- openssh-7.5p1/auth2-hostbased.c 2018-08-22 19:17:35.751907735 +0200
+++ openssh-7.5p1-CVE-2018-15473/auth2-hostbased.c 2018-08-22 19:18:45.138444637 +0200
@@ -66,10 +66,6 @@
int pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("userauth_hostbased: disabled because of invalid user");
- return 0;
- }
pkalg = packet_get_string(&alen);
pkblob = packet_get_string(&blen);
chost = packet_get_string(NULL);
@@ -115,6 +111,11 @@
goto done;
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ goto done;
+ }
+
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
authctxt->service;
buffer_init(&b);
--- ./auth2-pubkey.c.orig
+++ ./auth2-pubkey.c
@@ -79,16 +79,12 @@
{
Buffer b;
Key *key = NULL;
- char *pkalg, *userstyle, *fp = NULL;
- u_char *pkblob, *sig;
+ char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
+ u_char *pkblob = NULL, *sig = NULL;
u_int alen, blen, slen;
int have_sig, pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("%s: disabled because of invalid user", __func__);
- return 0;
- }
have_sig = packet_get_char();
if (datafellows & SSH_BUG_PKAUTH) {
debug2("%s: SSH_BUG_PKAUTH", __func__);
@@ -149,6 +145,12 @@
} else {
buffer_put_string(&b, session_id2, session_id2_len);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ buffer_free(&b);
+ goto done;
+ }
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
@@ -184,12 +186,16 @@
key = NULL; /* Don't free below */
}
buffer_free(&b);
- free(sig);
} else {
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
__func__, sshkey_type(key), fp);
packet_check_eom();
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* XXX fake reply and always send PK_OK ? */
/*
* XXX this allows testing whether a user is allowed
@@ -216,6 +222,7 @@
free(pkalg);
free(pkblob);
free(fp);
+ free(sig);
return authenticated;
}
|
