-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/backport-do-not-resend-username-to-pam.patch | 43 | ||||
-rw-r--r-- | debian/patches/backport-pam-use-after-free.patch | 39 | ||||
-rw-r--r-- | debian/patches/series | 2 | ||||
-rw-r--r-- | monitor.c | 6 | ||||
-rw-r--r-- | monitor_wrap.c | 1 |
7 files changed, 97 insertions, 6 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 935f783bc..13b023289 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
@@ -1,6 +1,6 @@ | |||
1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
2 | 12577aa167c76d517bfe78f603fe805f190d8d05 | 2 | c0ec3def4bec4afe1cad9e99081e658200b13a02 |
3 | 12577aa167c76d517bfe78f603fe805f190d8d05 | 3 | c0ec3def4bec4afe1cad9e99081e658200b13a02 |
4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 | 4 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 | 5 | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 |
6 | openssh_6.9p1.orig.tar.gz | 6 | openssh_6.9p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 6c851b644..8e8e9d778 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -136,6 +136,14 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium | |||
136 | world-writable. Local attackers may be able to write arbitrary | 136 | world-writable. Local attackers may be able to write arbitrary |
137 | messages to logged-in users, including terminal escape sequences. | 137 | messages to logged-in users, including terminal escape sequences. |
138 | Reported by Nikolay Edigaryev. | 138 | Reported by Nikolay Edigaryev. |
139 | - sshd(8): Fixed a privilege separation weakness related to PAM support. | ||
140 | Attackers who could successfully compromise the pre-authentication | ||
141 | process for remote code execution and who had valid credentials on the | ||
142 | host could impersonate other users. Reported by Moritz Jodeit. | ||
143 | - sshd(8): Fixed a use-after-free bug related to PAM support that was | ||
144 | reachable by attackers who could compromise the pre-authentication | ||
145 | process for remote code execution (closes: #795711). Also reported by | ||
146 | Moritz Jodeit. | ||
139 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 147 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
140 | GSSAPI key exchange patch. | 148 | GSSAPI key exchange patch. |
141 | 149 | ||
diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch new file mode 100644 index 000000000..00ace37f1 --- /dev/null +++ b/debian/patches/backport-do-not-resend-username-to-pam.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Tue, 11 Aug 2015 13:33:24 +1000 | ||
4 | Subject: Don't resend username to PAM; it already has it. | ||
5 | |||
6 | Pointed out by Moritz Jodeit; ok dtucker@ | ||
7 | |||
8 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b | ||
9 | Forwarded: not-needed | ||
10 | Last-Update: 2015-08-19 | ||
11 | |||
12 | Patch-Name: backport-do-not-resend-username-to-pam.patch | ||
13 | --- | ||
14 | monitor.c | 2 -- | ||
15 | monitor_wrap.c | 1 - | ||
16 | 2 files changed, 3 deletions(-) | ||
17 | |||
18 | diff --git a/monitor.c b/monitor.c | ||
19 | index 12ed6fd..870a6b9 100644 | ||
20 | --- a/monitor.c | ||
21 | +++ b/monitor.c | ||
22 | @@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device; | ||
23 | int | ||
24 | mm_answer_pam_init_ctx(int sock, Buffer *m) | ||
25 | { | ||
26 | - | ||
27 | debug3("%s", __func__); | ||
28 | - authctxt->user = buffer_get_string(m, NULL); | ||
29 | sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); | ||
30 | sshpam_authok = NULL; | ||
31 | buffer_clear(m); | ||
32 | diff --git a/monitor_wrap.c b/monitor_wrap.c | ||
33 | index 2a0fe9b..e2fcf75 100644 | ||
34 | --- a/monitor_wrap.c | ||
35 | +++ b/monitor_wrap.c | ||
36 | @@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) | ||
37 | |||
38 | debug3("%s", __func__); | ||
39 | buffer_init(&m); | ||
40 | - buffer_put_cstring(&m, authctxt->user); | ||
41 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); | ||
42 | debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); | ||
43 | mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); | ||
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch new file mode 100644 index 000000000..460654953 --- /dev/null +++ b/debian/patches/backport-pam-use-after-free.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Tue, 11 Aug 2015 13:34:12 +1000 | ||
4 | Subject: set sshpam_ctxt to NULL after free | ||
5 | |||
6 | Avoids use-after-free in monitor when privsep child is compromised. | ||
7 | Reported by Moritz Jodeit; ok dtucker@ | ||
8 | |||
9 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 | ||
10 | Forwarded: not-needed | ||
11 | Last-Update: 2015-08-19 | ||
12 | |||
13 | Patch-Name: backport-pam-use-after-free.patch | ||
14 | --- | ||
15 | monitor.c | 4 +++- | ||
16 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/monitor.c b/monitor.c | ||
19 | index 870a6b9..e8541b4 100644 | ||
20 | --- a/monitor.c | ||
21 | +++ b/monitor.c | ||
22 | @@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m) | ||
23 | int | ||
24 | mm_answer_pam_free_ctx(int sock, Buffer *m) | ||
25 | { | ||
26 | + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | ||
27 | |||
28 | debug3("%s", __func__); | ||
29 | (sshpam_device.free_ctx)(sshpam_ctxt); | ||
30 | + sshpam_ctxt = sshpam_authok = NULL; | ||
31 | buffer_clear(m); | ||
32 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | ||
33 | auth_method = "keyboard-interactive"; | ||
34 | auth_submethod = "pam"; | ||
35 | - return (sshpam_authok == sshpam_ctxt); | ||
36 | + return r; | ||
37 | } | ||
38 | #endif | ||
39 | |||
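--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,5 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
 backport-fix-pty-permissions.patch
+backport-do-not-resend-username-to-pam.patch
+backport-pam-use-after-free.patch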
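--- a/monitor.c
+++ b/monitor.c
@@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
-
 debug3("%s", __func__);
-authctxt->user = buffer_get_string(m, NULL);
 sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
 sshpam_authok = NULL;
 buffer_clear(m);
@@ -1227,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 debug3("%s", __func__);
 (sshpam_device.free_ctx)(sshpam_ctxt);
+sshpam_ctxt = sshpam_authok = NULL;
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 auth_method = "keyboard-interactive";
 auth_submethod = "pam";
-return (sshpam_authok == sshpam_ctxt);
+return r;
 }
 #endif
 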
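Review bot: In the second hunk (mm_answer_pam_free_ctx) the new code resets `sshpam_ctxt` to NULL but still hands whatever it holds to `(sshpam_device.free_ctx)` unconditionally, so if the monitor's dispatch state lets the child send MONITOR_REQ_PAM_FREE_CTX twice, or before MONITOR_REQ_PAM_INIT_CTX, the callback now receives a NULL context; whether it tolerates that is not visible here, so a guard such as `if (sshpam_ctxt == NULL) fatal("%s: no PAM context", __func__);` before the call would make this side fail closed instead of relying on the callee. The reason `r` is evaluated at the top of the function is also left undocumented; a one-line comment, `/* Decide before free_ctx(): both pointers are reset below. */`, would stop a later tidy-up from moving it back after the free. The same hunks are carried verbatim in debian/patches/backport-pam-use-after-free.patch and backport-do-not-resend-username-to-pam.patch, so any follow-up belongs in a further patch rather than an edit of those backports. mm_answer_pam_init_ctx in the first hunk continues past the hunk's last line.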
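--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
 
 debug3("%s", __func__);
 buffer_init(&m);
-buffer_put_cstring(&m, authctxt->user);
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
 debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);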