CVE-2016-6210: Mitigate user enumeration via covert timing channel.

author: Colin Watson <cjwatson@debian.org> 2016-07-22 14:09:29 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-07-22 14:11:33 +0100
commit: 5ebf9c1d19aa0d9d20781bab05e9d73d8addecb3 (patch)
tree: 7d48ac2d5442eff8ca63a0dd6938651e05b9c7c3 /debian/patches/CVE-2016-6210-3.patch
parent: 79139a04a0183cd47f3e837fa76fe5d51e62fcc9 (diff)
parent: abde8dda29c2db2405d6fbca2fe022430e2c1177 (diff)
1 files changed, 60 insertions, 0 deletions
diff --git a/debian/patches/CVE-2016-6210-3.patch b/debian/patches/CVE-2016-6210-3.patch
new file mode 100644
index 000000000..303c34ee1
--- /dev/null
+++ b/debian/patches/CVE-2016-6210-3.patch
@@ -0,0 +1,60 @@
+From abde8dda29c2db2405d6fbca2fe022430e2c1177 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Thu, 21 Jul 2016 14:17:31 +1000
+Subject: Search users for one with a valid salt.
+If the root account is locked (eg password "!!" or "*LK*") keep looking
+until we find a user with a valid salt to use for crypting passwords of
+invalid users.  ok djm@
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
+Bug-Debian: https://bugs.debian.org/831902
+Last-Update: 2016-07-22
+Patch-Name: CVE-2016-6210-3.patch
+---
+ openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
+index 8913bb8..cf6a9b9 100644
+--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
+@@ -65,7 +65,9 @@
+ 
+ /*
+  * Pick an appropriate password encryption type and salt for the running
+- * system.
+ * system by searching through accounts until we find one that has a valid
+ * salt.  Usually this will be root unless the root account is locked out.
+ * If we don't find one we return a traditional DES-based salt.
+  */
+ static const char *
+ pick_salt(void)
+@@ -78,14 +80,18 @@ pick_salt(void)
+        if (salt[0] != '\0')
+                return salt;
+        strlcpy(salt, "xx", sizeof(salt));
+-       if ((pw = getpwuid(0)) == NULL)
+-               return salt;
+-       passwd = shadow_pw(pw);
+-       if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+-               return salt;  /* no $, DES */
+-       typelen = p - passwd + 1;
+-       strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+-       explicit_bzero(passwd, strlen(passwd));
+       setpwent();
+       while ((pw = getpwent()) != NULL) {
+               passwd = shadow_pw(pw);
+               if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
+                       typelen = p - passwd + 1;
+                       strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+                       explicit_bzero(passwd, strlen(passwd));
+                       goto out;
+               }
+       }
+ out:
+       endpwent();
+        return salt;
+ }
+
author	Colin Watson <cjwatson@debian.org>	2016-07-22 14:09:29 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-07-22 14:11:33 +0100
commit	5ebf9c1d19aa0d9d20781bab05e9d73d8addecb3 (patch)
tree	7d48ac2d5442eff8ca63a0dd6938651e05b9c7c3 /debian/patches/CVE-2016-6210-3.patch
parent	79139a04a0183cd47f3e837fa76fe5d51e62fcc9 (diff)
parent	abde8dda29c2db2405d6fbca2fe022430e2c1177 (diff)

diff --git a/debian/patches/CVE-2016-6210-3.patch b/debian/patches/CVE-2016-6210-3.patch new file mode 100644 index 000000000..303c34ee1 --- /dev/null +++ b/debian/patches/CVE-2016-6210-3.patch
@@ -0,0 +1,60 @@
	1	From abde8dda29c2db2405d6fbca2fe022430e2c1177 Mon Sep 17 00:00:00 2001
	2	From: Darren Tucker <dtucker@zip.com.au>
	3	Date: Thu, 21 Jul 2016 14:17:31 +1000
	4	Subject: Search users for one with a valid salt.
	5
	6	If the root account is locked (eg password "!!" or "LK") keep looking
	7	until we find a user with a valid salt to use for crypting passwords of
	8	invalid users. ok djm@
	9
	10	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
	11	Bug-Debian: https://bugs.debian.org/831902
	12	Last-Update: 2016-07-22
	13
	14	Patch-Name: CVE-2016-6210-3.patch
	15	---
	16	openbsd-compat/xcrypt.c \| 24 +++++++++++++++---------
	17	1 file changed, 15 insertions(+), 9 deletions(-)
	18
	19	diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
	20	index 8913bb8..cf6a9b9 100644
	21	--- a/openbsd-compat/xcrypt.c
	22	+++ b/openbsd-compat/xcrypt.c
	23	@@ -65,7 +65,9 @@
	24
	25	/*
	26	* Pick an appropriate password encryption type and salt for the running
	27	- * system.
	28	+ * system by searching through accounts until we find one that has a valid
	29	+ * salt. Usually this will be root unless the root account is locked out.
	30	+ * If we don't find one we return a traditional DES-based salt.
	31	*/
	32	static const char *
	33	pick_salt(void)
	34	@@ -78,14 +80,18 @@ pick_salt(void)
	35	if (salt[0] != '\0')
	36	return salt;
	37	strlcpy(salt, "xx", sizeof(salt));
	38	- if ((pw = getpwuid(0)) == NULL)
	39	- return salt;
	40	- passwd = shadow_pw(pw);
	41	- if (passwd[0] != '$' \|\| (p = strrchr(passwd + 1, '$')) == NULL)
	42	- return salt; /* no $, DES */
	43	- typelen = p - passwd + 1;
	44	- strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
	45	- explicit_bzero(passwd, strlen(passwd));
	46	+ setpwent();
	47	+ while ((pw = getpwent()) != NULL) {
	48	+ passwd = shadow_pw(pw);
	49	+ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
	50	+ typelen = p - passwd + 1;
	51	+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
	52	+ explicit_bzero(passwd, strlen(passwd));
	53	+ goto out;
	54	+ }
	55	+ }
	56	+ out:
	57	+ endpwent();
	58	return salt;
	59	}
	60