summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--auth2-chall.c11
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/backport-kbdint-duplicates.patch53
-rw-r--r--debian/patches/series1
5 files changed, 71 insertions, 5 deletions
diff --git a/auth2-chall.c b/auth2-chall.c
index ddabe1a90..4aff09d80 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */ 1/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved. 4 * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
83 void *ctxt; 83 void *ctxt;
84 KbdintDevice *device; 84 KbdintDevice *device;
85 u_int nreq; 85 u_int nreq;
86 u_int devices_done;
86}; 87};
87 88
88#ifdef USE_PAM 89#ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
169 if (len == 0) 170 if (len == 0)
170 break; 171 break;
171 for (i = 0; devices[i]; i++) { 172 for (i = 0; devices[i]; i++) {
172 if (!auth2_method_allowed(authctxt, 173 if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
174 !auth2_method_allowed(authctxt,
173 "keyboard-interactive", devices[i]->name)) 175 "keyboard-interactive", devices[i]->name))
174 continue; 176 continue;
175 if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) 177 if (strncmp(kbdintctxt->devices, devices[i]->name,
178 len) == 0) {
176 kbdintctxt->device = devices[i]; 179 kbdintctxt->device = devices[i];
180 kbdintctxt->devices_done |= 1 << i;
181 }
177 } 182 }
178 t = kbdintctxt->devices; 183 t = kbdintctxt->devices;
179 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; 184 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 13b023289..f64723622 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2c0ec3def4bec4afe1cad9e99081e658200b13a02 2ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
3c0ec3def4bec4afe1cad9e99081e658200b13a02 3ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
4544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 4544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
5544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 5544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
6openssh_6.9p1.orig.tar.gz 6openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 8e8e9d778..252bc394f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -144,6 +144,13 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
144 reachable by attackers who could compromise the pre-authentication 144 reachable by attackers who could compromise the pre-authentication
145 process for remote code execution (closes: #795711). Also reported by 145 process for remote code execution (closes: #795711). Also reported by
146 Moritz Jodeit. 146 Moritz Jodeit.
147 - CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using
148 keyboard-interactive authentication (closes: #793616). By specifying
149 a long, repeating keyboard-interactive "devices" string, an attacker
150 could request the same authentication method be tried thousands of
151 times in a single pass. The LoginGraceTime timeout in sshd(8) and any
152 authentication failure delays implemented by the authentication
153 mechanism itself were still applied. Found by Kingcope.
147 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the 154 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
148 GSSAPI key exchange patch. 155 GSSAPI key exchange patch.
149 156
diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch
new file mode 100644
index 000000000..0973503c9
--- /dev/null
+++ b/debian/patches/backport-kbdint-duplicates.patch
@@ -0,0 +1,53 @@
1From ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Sat, 18 Jul 2015 07:57:14 +0000
4Subject: only query each keyboard-interactive device once per authentication
5 request regardless of how many times it is listed
6
7ok markus@
8
9Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
10Forwarded: not-needed
11Last-Update: 2015-08-19
12
13Patch-Name: backport-kbdint-duplicates.patch
14---
15 auth2-chall.c | 11 ++++++++---
16 1 file changed, 8 insertions(+), 3 deletions(-)
17
18diff --git a/auth2-chall.c b/auth2-chall.c
19index ddabe1a..4aff09d 100644
20--- a/auth2-chall.c
21+++ b/auth2-chall.c
22@@ -1,4 +1,4 @@
23-/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
24+/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
25 /*
26 * Copyright (c) 2001 Markus Friedl. All rights reserved.
27 * Copyright (c) 2001 Per Allansson. All rights reserved.
28@@ -83,6 +83,7 @@ struct KbdintAuthctxt
29 void *ctxt;
30 KbdintDevice *device;
31 u_int nreq;
32+ u_int devices_done;
33 };
34
35 #ifdef USE_PAM
36@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
37 if (len == 0)
38 break;
39 for (i = 0; devices[i]; i++) {
40- if (!auth2_method_allowed(authctxt,
41+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
42+ !auth2_method_allowed(authctxt,
43 "keyboard-interactive", devices[i]->name))
44 continue;
45- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
46+ if (strncmp(kbdintctxt->devices, devices[i]->name,
47+ len) == 0) {
48 kbdintctxt->device = devices[i];
49+ kbdintctxt->devices_done |= 1 << i;
50+ }
51 }
52 t = kbdintctxt->devices;
53 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
diff --git a/debian/patches/series b/debian/patches/series
index 1a843eac8..188ec8abc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,4 @@ debian-config.patch
30backport-fix-pty-permissions.patch 30backport-fix-pty-permissions.patch
31backport-do-not-resend-username-to-pam.patch 31backport-do-not-resend-username-to-pam.patch
32backport-pam-use-after-free.patch 32backport-pam-use-after-free.patch
33backport-kbdint-duplicates.patch