diff options
| author | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:44:47 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:45:49 +0100 |
| commit | 6461fa1951314cf8c8ee9a7999f987b8003f4ff6 (patch) | |
| tree | bcbcccfa77e1754cbc711f42b67f3c5a4105bc28 | |
| parent | d2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a (diff) | |
| parent | ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 (diff) | |
CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using keyboard-interactive authentication (closes: #793616).
| -rw-r--r-- | auth2-chall.c | 11 | ||||
| -rw-r--r-- | debian/.git-dpm | 4 | ||||
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | debian/patches/backport-kbdint-duplicates.patch | 53 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
5 files changed, 71 insertions, 5 deletions
diff --git a/auth2-chall.c b/auth2-chall.c index ddabe1a90..4aff09d80 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */ | 1 | /* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2001 Per Allansson. All rights reserved. | 4 | * Copyright (c) 2001 Per Allansson. All rights reserved. |
| @@ -83,6 +83,7 @@ struct KbdintAuthctxt | |||
| 83 | void *ctxt; | 83 | void *ctxt; |
| 84 | KbdintDevice *device; | 84 | KbdintDevice *device; |
| 85 | u_int nreq; | 85 | u_int nreq; |
| 86 | u_int devices_done; | ||
| 86 | }; | 87 | }; |
| 87 | 88 | ||
| 88 | #ifdef USE_PAM | 89 | #ifdef USE_PAM |
| @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) | |||
| 169 | if (len == 0) | 170 | if (len == 0) |
| 170 | break; | 171 | break; |
| 171 | for (i = 0; devices[i]; i++) { | 172 | for (i = 0; devices[i]; i++) { |
| 172 | if (!auth2_method_allowed(authctxt, | 173 | if ((kbdintctxt->devices_done & (1 << i)) != 0 || |
| 174 | !auth2_method_allowed(authctxt, | ||
| 173 | "keyboard-interactive", devices[i]->name)) | 175 | "keyboard-interactive", devices[i]->name)) |
| 174 | continue; | 176 | continue; |
| 175 | if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) | 177 | if (strncmp(kbdintctxt->devices, devices[i]->name, |
| 178 | len) == 0) { | ||
| 176 | kbdintctxt->device = devices[i]; | 179 | kbdintctxt->device = devices[i]; |
| 180 | kbdintctxt->devices_done |= 1 << i; | ||
| 181 | } | ||
| 177 | } | 182 | } |
| 178 | t = kbdintctxt->devices; | 183 | t = kbdintctxt->devices; |
| 179 | kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; | 184 | kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; |
diff --git a/debian/.git-dpm b/debian/.git-dpm index 13b023289..f64723622 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
| 2 | c0ec3def4bec4afe1cad9e99081e658200b13a02 | 2 | ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 |
| 3 | c0ec3def4bec4afe1cad9e99081e658200b13a02 | 3 | ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 |
| 4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 | 4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
| 5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 | 5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
| 6 | openssh_6.9p1.orig.tar.gz | 6 | openssh_6.9p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 8e8e9d778..252bc394f 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -144,6 +144,13 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium | |||
| 144 | reachable by attackers who could compromise the pre-authentication | 144 | reachable by attackers who could compromise the pre-authentication |
| 145 | process for remote code execution (closes: #795711). Also reported by | 145 | process for remote code execution (closes: #795711). Also reported by |
| 146 | Moritz Jodeit. | 146 | Moritz Jodeit. |
| 147 | - CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using | ||
| 148 | keyboard-interactive authentication (closes: #793616). By specifying | ||
| 149 | a long, repeating keyboard-interactive "devices" string, an attacker | ||
| 150 | could request the same authentication method be tried thousands of | ||
| 151 | times in a single pass. The LoginGraceTime timeout in sshd(8) and any | ||
| 152 | authentication failure delays implemented by the authentication | ||
| 153 | mechanism itself were still applied. Found by Kingcope. | ||
| 147 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 154 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
| 148 | GSSAPI key exchange patch. | 155 | GSSAPI key exchange patch. |
| 149 | 156 | ||
diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch new file mode 100644 index 000000000..0973503c9 --- /dev/null +++ b/debian/patches/backport-kbdint-duplicates.patch | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | From ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
| 3 | Date: Sat, 18 Jul 2015 07:57:14 +0000 | ||
| 4 | Subject: only query each keyboard-interactive device once per authentication | ||
| 5 | request regardless of how many times it is listed | ||
| 6 | |||
| 7 | ok markus@ | ||
| 8 | |||
| 9 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18 | ||
| 10 | Forwarded: not-needed | ||
| 11 | Last-Update: 2015-08-19 | ||
| 12 | |||
| 13 | Patch-Name: backport-kbdint-duplicates.patch | ||
| 14 | --- | ||
| 15 | auth2-chall.c | 11 ++++++++--- | ||
| 16 | 1 file changed, 8 insertions(+), 3 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/auth2-chall.c b/auth2-chall.c | ||
| 19 | index ddabe1a..4aff09d 100644 | ||
| 20 | --- a/auth2-chall.c | ||
| 21 | +++ b/auth2-chall.c | ||
| 22 | @@ -1,4 +1,4 @@ | ||
| 23 | -/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */ | ||
| 24 | +/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */ | ||
| 25 | /* | ||
| 26 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | ||
| 27 | * Copyright (c) 2001 Per Allansson. All rights reserved. | ||
| 28 | @@ -83,6 +83,7 @@ struct KbdintAuthctxt | ||
| 29 | void *ctxt; | ||
| 30 | KbdintDevice *device; | ||
| 31 | u_int nreq; | ||
| 32 | + u_int devices_done; | ||
| 33 | }; | ||
| 34 | |||
| 35 | #ifdef USE_PAM | ||
| 36 | @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) | ||
| 37 | if (len == 0) | ||
| 38 | break; | ||
| 39 | for (i = 0; devices[i]; i++) { | ||
| 40 | - if (!auth2_method_allowed(authctxt, | ||
| 41 | + if ((kbdintctxt->devices_done & (1 << i)) != 0 || | ||
| 42 | + !auth2_method_allowed(authctxt, | ||
| 43 | "keyboard-interactive", devices[i]->name)) | ||
| 44 | continue; | ||
| 45 | - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) | ||
| 46 | + if (strncmp(kbdintctxt->devices, devices[i]->name, | ||
| 47 | + len) == 0) { | ||
| 48 | kbdintctxt->device = devices[i]; | ||
| 49 | + kbdintctxt->devices_done |= 1 << i; | ||
| 50 | + } | ||
| 51 | } | ||
| 52 | t = kbdintctxt->devices; | ||
| 53 | kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; | ||
diff --git a/debian/patches/series b/debian/patches/series index 1a843eac8..188ec8abc 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
| @@ -30,3 +30,4 @@ debian-config.patch | |||
| 30 | backport-fix-pty-permissions.patch | 30 | backport-fix-pty-permissions.patch |
| 31 | backport-do-not-resend-username-to-pam.patch | 31 | backport-do-not-resend-username-to-pam.patch |
| 32 | backport-pam-use-after-free.patch | 32 | backport-pam-use-after-free.patch |
| 33 | backport-kbdint-duplicates.patch | ||