diff options
author | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:44:47 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:45:49 +0100 |
commit | 6461fa1951314cf8c8ee9a7999f987b8003f4ff6 (patch) | |
tree | bcbcccfa77e1754cbc711f42b67f3c5a4105bc28 /debian/patches | |
parent | d2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a (diff) | |
parent | ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 (diff) |
CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using keyboard-interactive authentication (closes: #793616).
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/backport-kbdint-duplicates.patch | 53 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch new file mode 100644 index 000000000..0973503c9 --- /dev/null +++ b/debian/patches/backport-kbdint-duplicates.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Sat, 18 Jul 2015 07:57:14 +0000 | ||
4 | Subject: only query each keyboard-interactive device once per authentication | ||
5 | request regardless of how many times it is listed | ||
6 | |||
7 | ok markus@ | ||
8 | |||
9 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18 | ||
10 | Forwarded: not-needed | ||
11 | Last-Update: 2015-08-19 | ||
12 | |||
13 | Patch-Name: backport-kbdint-duplicates.patch | ||
14 | --- | ||
15 | auth2-chall.c | 11 ++++++++--- | ||
16 | 1 file changed, 8 insertions(+), 3 deletions(-) | ||
17 | |||
18 | diff --git a/auth2-chall.c b/auth2-chall.c | ||
19 | index ddabe1a..4aff09d 100644 | ||
20 | --- a/auth2-chall.c | ||
21 | +++ b/auth2-chall.c | ||
22 | @@ -1,4 +1,4 @@ | ||
23 | -/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */ | ||
24 | +/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */ | ||
25 | /* | ||
26 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | ||
27 | * Copyright (c) 2001 Per Allansson. All rights reserved. | ||
28 | @@ -83,6 +83,7 @@ struct KbdintAuthctxt | ||
29 | void *ctxt; | ||
30 | KbdintDevice *device; | ||
31 | u_int nreq; | ||
32 | + u_int devices_done; | ||
33 | }; | ||
34 | |||
35 | #ifdef USE_PAM | ||
36 | @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) | ||
37 | if (len == 0) | ||
38 | break; | ||
39 | for (i = 0; devices[i]; i++) { | ||
40 | - if (!auth2_method_allowed(authctxt, | ||
41 | + if ((kbdintctxt->devices_done & (1 << i)) != 0 || | ||
42 | + !auth2_method_allowed(authctxt, | ||
43 | "keyboard-interactive", devices[i]->name)) | ||
44 | continue; | ||
45 | - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) | ||
46 | + if (strncmp(kbdintctxt->devices, devices[i]->name, | ||
47 | + len) == 0) { | ||
48 | kbdintctxt->device = devices[i]; | ||
49 | + kbdintctxt->devices_done |= 1 << i; | ||
50 | + } | ||
51 | } | ||
52 | t = kbdintctxt->devices; | ||
53 | kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; | ||
diff --git a/debian/patches/series b/debian/patches/series index 1a843eac8..188ec8abc 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -30,3 +30,4 @@ debian-config.patch | |||
30 | backport-fix-pty-permissions.patch | 30 | backport-fix-pty-permissions.patch |
31 | backport-do-not-resend-username-to-pam.patch | 31 | backport-do-not-resend-username-to-pam.patch |
32 | backport-pam-use-after-free.patch | 32 | backport-pam-use-after-free.patch |
33 | backport-kbdint-duplicates.patch | ||