diff options
| author | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:34:29 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:37:32 +0100 |
| commit | d2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a (patch) | |
| tree | deedfca8dcc980d858d5caacbde773e44a081bc2 /debian | |
| parent | a608a63196dbda54e9bdd656baa253c56e76bace (diff) | |
| parent | c0ec3def4bec4afe1cad9e99081e658200b13a02 (diff) | |
Backport PAM security fixes.
- sshd(8): Fixed a privilege separation weakness related to PAM support.
Attackers who could successfully compromise the pre-authentication
process for remote code execution and who had valid credentials on the
host could impersonate other users. Reported by Moritz Jodeit.
- sshd(8): Fixed a use-after-free bug related to PAM support that was
reachable by attackers who could compromise the pre-authentication
process for remote code execution (closes: #795711). Also reported by
Moritz Jodeit.
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/.git-dpm | 4 | ||||
| -rw-r--r-- | debian/changelog | 8 | ||||
| -rw-r--r-- | debian/patches/backport-do-not-resend-username-to-pam.patch | 43 | ||||
| -rw-r--r-- | debian/patches/backport-pam-use-after-free.patch | 39 | ||||
| -rw-r--r-- | debian/patches/series | 2 |
5 files changed, 94 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 935f783bc..13b023289 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
| 2 | 12577aa167c76d517bfe78f603fe805f190d8d05 | 2 | c0ec3def4bec4afe1cad9e99081e658200b13a02 |
| 3 | 12577aa167c76d517bfe78f603fe805f190d8d05 | 3 | c0ec3def4bec4afe1cad9e99081e658200b13a02 |
| 4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 | 4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
| 5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 | 5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
| 6 | openssh_6.9p1.orig.tar.gz | 6 | openssh_6.9p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 6c851b644..8e8e9d778 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -136,6 +136,14 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium | |||
| 136 | world-writable. Local attackers may be able to write arbitrary | 136 | world-writable. Local attackers may be able to write arbitrary |
| 137 | messages to logged-in users, including terminal escape sequences. | 137 | messages to logged-in users, including terminal escape sequences. |
| 138 | Reported by Nikolay Edigaryev. | 138 | Reported by Nikolay Edigaryev. |
| 139 | - sshd(8): Fixed a privilege separation weakness related to PAM support. | ||
| 140 | Attackers who could successfully compromise the pre-authentication | ||
| 141 | process for remote code execution and who had valid credentials on the | ||
| 142 | host could impersonate other users. Reported by Moritz Jodeit. | ||
| 143 | - sshd(8): Fixed a use-after-free bug related to PAM support that was | ||
| 144 | reachable by attackers who could compromise the pre-authentication | ||
| 145 | process for remote code execution (closes: #795711). Also reported by | ||
| 146 | Moritz Jodeit. | ||
| 139 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 147 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
| 140 | GSSAPI key exchange patch. | 148 | GSSAPI key exchange patch. |
| 141 | 149 | ||
diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch new file mode 100644 index 000000000..00ace37f1 --- /dev/null +++ b/debian/patches/backport-do-not-resend-username-to-pam.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Damien Miller <djm@mindrot.org> | ||
| 3 | Date: Tue, 11 Aug 2015 13:33:24 +1000 | ||
| 4 | Subject: Don't resend username to PAM; it already has it. | ||
| 5 | |||
| 6 | Pointed out by Moritz Jodeit; ok dtucker@ | ||
| 7 | |||
| 8 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b | ||
| 9 | Forwarded: not-needed | ||
| 10 | Last-Update: 2015-08-19 | ||
| 11 | |||
| 12 | Patch-Name: backport-do-not-resend-username-to-pam.patch | ||
| 13 | --- | ||
| 14 | monitor.c | 2 -- | ||
| 15 | monitor_wrap.c | 1 - | ||
| 16 | 2 files changed, 3 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/monitor.c b/monitor.c | ||
| 19 | index 12ed6fd..870a6b9 100644 | ||
| 20 | --- a/monitor.c | ||
| 21 | +++ b/monitor.c | ||
| 22 | @@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device; | ||
| 23 | int | ||
| 24 | mm_answer_pam_init_ctx(int sock, Buffer *m) | ||
| 25 | { | ||
| 26 | - | ||
| 27 | debug3("%s", __func__); | ||
| 28 | - authctxt->user = buffer_get_string(m, NULL); | ||
| 29 | sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); | ||
| 30 | sshpam_authok = NULL; | ||
| 31 | buffer_clear(m); | ||
| 32 | diff --git a/monitor_wrap.c b/monitor_wrap.c | ||
| 33 | index 2a0fe9b..e2fcf75 100644 | ||
| 34 | --- a/monitor_wrap.c | ||
| 35 | +++ b/monitor_wrap.c | ||
| 36 | @@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) | ||
| 37 | |||
| 38 | debug3("%s", __func__); | ||
| 39 | buffer_init(&m); | ||
| 40 | - buffer_put_cstring(&m, authctxt->user); | ||
| 41 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); | ||
| 42 | debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); | ||
| 43 | mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); | ||
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch new file mode 100644 index 000000000..460654953 --- /dev/null +++ b/debian/patches/backport-pam-use-after-free.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Damien Miller <djm@mindrot.org> | ||
| 3 | Date: Tue, 11 Aug 2015 13:34:12 +1000 | ||
| 4 | Subject: set sshpam_ctxt to NULL after free | ||
| 5 | |||
| 6 | Avoids use-after-free in monitor when privsep child is compromised. | ||
| 7 | Reported by Moritz Jodeit; ok dtucker@ | ||
| 8 | |||
| 9 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 | ||
| 10 | Forwarded: not-needed | ||
| 11 | Last-Update: 2015-08-19 | ||
| 12 | |||
| 13 | Patch-Name: backport-pam-use-after-free.patch | ||
| 14 | --- | ||
| 15 | monitor.c | 4 +++- | ||
| 16 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
| 17 | |||
| 18 | diff --git a/monitor.c b/monitor.c | ||
| 19 | index 870a6b9..e8541b4 100644 | ||
| 20 | --- a/monitor.c | ||
| 21 | +++ b/monitor.c | ||
| 22 | @@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m) | ||
| 23 | int | ||
| 24 | mm_answer_pam_free_ctx(int sock, Buffer *m) | ||
| 25 | { | ||
| 26 | + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | ||
| 27 | |||
| 28 | debug3("%s", __func__); | ||
| 29 | (sshpam_device.free_ctx)(sshpam_ctxt); | ||
| 30 | + sshpam_ctxt = sshpam_authok = NULL; | ||
| 31 | buffer_clear(m); | ||
| 32 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | ||
| 33 | auth_method = "keyboard-interactive"; | ||
| 34 | auth_submethod = "pam"; | ||
| 35 | - return (sshpam_authok == sshpam_ctxt); | ||
| 36 | + return r; | ||
| 37 | } | ||
| 38 | #endif | ||
| 39 | |||
diff --git a/debian/patches/series b/debian/patches/series index bee70bc30..1a843eac8 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
| @@ -28,3 +28,5 @@ gnome-ssh-askpass2-icon.patch | |||
| 28 | sigstop.patch | 28 | sigstop.patch |
| 29 | debian-config.patch | 29 | debian-config.patch |
| 30 | backport-fix-pty-permissions.patch | 30 | backport-fix-pty-permissions.patch |
| 31 | backport-do-not-resend-username-to-pam.patch | ||
| 32 | backport-pam-use-after-free.patch | ||