diff options
| author | Colin Watson <cjwatson@debian.org> | 2006-09-29 11:36:40 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2006-09-29 11:36:40 +0000 |
| commit | b9438bbc073e792547318c8e343923748536529c (patch) | |
| tree | 267f9815b8386617219421d862be309b73758c6b | |
| parent | 0b228013734983ec12ddaa535d42704b5e4cee90 (diff) | |
- CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The
signal handler was vulnerable to a race condition that could be
exploited to perform a pre-authentication denial of service. On
portable OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication is
enabled, but the likelihood of successful exploitation appears remote.
| -rw-r--r-- | auth.h | 1 | ||||
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | log.c | 12 | ||||
| -rw-r--r-- | log.h | 1 | ||||
| -rw-r--r-- | session.c | 2 | ||||
| -rw-r--r-- | sshd.c | 5 |
6 files changed, 23 insertions, 4 deletions
| @@ -49,6 +49,7 @@ typedef struct KbdintDevice KbdintDevice; | |||
| 49 | 49 | ||
| 50 | struct Authctxt { | 50 | struct Authctxt { |
| 51 | int success; | 51 | int success; |
| 52 | int authenticated; /* authenticated and alarms cancelled */ | ||
| 52 | int postponed; /* authentication needs another step */ | 53 | int postponed; /* authentication needs another step */ |
| 53 | int valid; /* user exists and is allowed to login */ | 54 | int valid; /* user exists and is allowed to login */ |
| 54 | int attempt; | 55 | int attempt; |
diff --git a/debian/changelog b/debian/changelog index 705a61580..6007a9d7b 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -5,6 +5,12 @@ openssh (1:4.3p2-4) UNRELEASED; urgency=high | |||
| 5 | - CVE-2006-4924: Fix a pre-authentication denial of service found by | 5 | - CVE-2006-4924: Fix a pre-authentication denial of service found by |
| 6 | Tavis Ormandy, that would cause sshd(8) to spin until the login grace | 6 | Tavis Ormandy, that would cause sshd(8) to spin until the login grace |
| 7 | time expired (closes: #389995). | 7 | time expired (closes: #389995). |
| 8 | - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The | ||
| 9 | signal handler was vulnerable to a race condition that could be | ||
| 10 | exploited to perform a pre-authentication denial of service. On | ||
| 11 | portable OpenSSH, this vulnerability could theoretically lead to | ||
| 12 | pre-authentication remote code execution if GSSAPI authentication is | ||
| 13 | enabled, but the likelihood of successful exploitation appears remote. | ||
| 8 | 14 | ||
| 9 | * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël | 15 | * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël |
| 10 | Hertzog; closes: #369395). | 16 | Hertzog; closes: #369395). |
| @@ -131,6 +131,18 @@ error(const char *fmt,...) | |||
| 131 | va_end(args); | 131 | va_end(args); |
| 132 | } | 132 | } |
| 133 | 133 | ||
| 134 | void | ||
| 135 | sigdie(const char *fmt,...) | ||
| 136 | { | ||
| 137 | va_list args; | ||
| 138 | |||
| 139 | va_start(args, fmt); | ||
| 140 | do_log(SYSLOG_LEVEL_FATAL, fmt, args); | ||
| 141 | va_end(args); | ||
| 142 | _exit(1); | ||
| 143 | } | ||
| 144 | |||
| 145 | |||
| 134 | /* Log this message (information that usually should go to the log). */ | 146 | /* Log this message (information that usually should go to the log). */ |
| 135 | 147 | ||
| 136 | void | 148 | void |
| @@ -56,6 +56,7 @@ LogLevel log_level_number(char *); | |||
| 56 | 56 | ||
| 57 | void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); | 57 | void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); |
| 58 | void error(const char *, ...) __attribute__((format(printf, 1, 2))); | 58 | void error(const char *, ...) __attribute__((format(printf, 1, 2))); |
| 59 | void sigdie(const char *, ...) __attribute__((format(printf, 1, 2))); | ||
| 59 | void logit(const char *, ...) __attribute__((format(printf, 1, 2))); | 60 | void logit(const char *, ...) __attribute__((format(printf, 1, 2))); |
| 60 | void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); | 61 | void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); |
| 61 | void debug(const char *, ...) __attribute__((format(printf, 1, 2))); | 62 | void debug(const char *, ...) __attribute__((format(printf, 1, 2))); |
| @@ -2440,7 +2440,7 @@ do_cleanup(Authctxt *authctxt) | |||
| 2440 | return; | 2440 | return; |
| 2441 | called = 1; | 2441 | called = 1; |
| 2442 | 2442 | ||
| 2443 | if (authctxt == NULL) | 2443 | if (authctxt == NULL || !authctxt->authenticated) |
| 2444 | return; | 2444 | return; |
| 2445 | #ifdef KRB5 | 2445 | #ifdef KRB5 |
| 2446 | if (options.kerberos_ticket_cleanup && | 2446 | if (options.kerberos_ticket_cleanup && |
| @@ -310,13 +310,11 @@ main_sigchld_handler(int sig) | |||
| 310 | static void | 310 | static void |
| 311 | grace_alarm_handler(int sig) | 311 | grace_alarm_handler(int sig) |
| 312 | { | 312 | { |
| 313 | /* XXX no idea how fix this signal handler */ | ||
| 314 | |||
| 315 | if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) | 313 | if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) |
| 316 | kill(pmonitor->m_pid, SIGALRM); | 314 | kill(pmonitor->m_pid, SIGALRM); |
| 317 | 315 | ||
| 318 | /* Log error and exit. */ | 316 | /* Log error and exit. */ |
| 319 | fatal("Timeout before authentication for %s", get_remote_ipaddr()); | 317 | sigdie("Timeout before authentication for %s", get_remote_ipaddr()); |
| 320 | } | 318 | } |
| 321 | 319 | ||
| 322 | /* | 320 | /* |
| @@ -1797,6 +1795,7 @@ main(int ac, char **av) | |||
| 1797 | */ | 1795 | */ |
| 1798 | alarm(0); | 1796 | alarm(0); |
| 1799 | signal(SIGALRM, SIG_DFL); | 1797 | signal(SIGALRM, SIG_DFL); |
| 1798 | authctxt->authenticated = 1; | ||
| 1800 | if (startup_pipe != -1) { | 1799 | if (startup_pipe != -1) { |
| 1801 | close(startup_pipe); | 1800 | close(startup_pipe); |
| 1802 | startup_pipe = -1; | 1801 | startup_pipe = -1; |