From b9438bbc073e792547318c8e343923748536529c Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Fri, 29 Sep 2006 11:36:40 +0000
Subject: - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote.
---
 auth.h | 1 +
 debian/changelog | 6 ++++++
 log.c | 12 ++++++++++++
 log.h | 1 +
 session.c | 2 +-
 sshd.c | 5 ++---
 6 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/auth.h b/auth.h
index 267e7b022..e76cf871a 100644
--- a/auth.h
+++ b/auth.h
@@ -49,6 +49,7 @@ typedef struct KbdintDevice KbdintDevice;
 struct Authctxt {
  int success;
+ int authenticated; /* authenticated and alarms cancelled */
  int postponed; /* authentication needs another step */
  int valid; /* user exists and is allowed to login */
  int attempt;
diff --git a/debian/changelog b/debian/changelog
index 705a61580..6007a9d7b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,12 @@ openssh (1:4.3p2-4) UNRELEASED; urgency=high
  - CVE-2006-4924: Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired (closes: #389995).
+ - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The
+ signal handler was vulnerable to a race condition that could be
+ exploited to perform a pre-authentication denial of service. On
+ portable OpenSSH, this vulnerability could theoretically lead to
+ pre-authentication remote code execution if GSSAPI authentication is
+ enabled, but the likelihood of successful exploitation appears remote.
  * Read /etc/default/locale as well as /etc/environment (thanks, Raphaƫl Hertzog; closes: #369395).
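Review bot: The added `authenticated` member in `struct Authctxt` is read by the new `do_cleanup()` check in session.c, but nothing in this patch initializes it, so it is only reliably zero before authentication if every allocation of the struct zero-fills it (`xcalloc` or an explicit `memset`) — that should be confirmed at the allocation sites, which are not visible here. The field comment could also name the contract it carries, e.g. `/* set by sshd.c main() after alarm(0); while zero, do_cleanup() skips all per-session cleanup */`. The struct definition continues past the end of the hunk.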
diff --git a/log.c b/log.c
index c09786ade..07f866230 100644
--- a/log.c
+++ b/log.c
@@ -131,6 +131,18 @@ error(const char *fmt,...)
  va_end(args);
 }
+void
+sigdie(const char *fmt,...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ do_log(SYSLOG_LEVEL_FATAL, fmt, args);
+ va_end(args);
+ _exit(1);
+}
+
+
 /* Log this message (information that usually should go to the log). */
 void
diff --git a/log.h b/log.h
index d7170fc22..76012180c 100644
--- a/log.h
+++ b/log.h
@@ -56,6 +56,7 @@ LogLevel log_level_number(char *);
 void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
 void error(const char *, ...) __attribute__((format(printf, 1, 2)));
+void sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
 void logit(const char *, ...) __attribute__((format(printf, 1, 2)));
 void verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
 void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
diff --git a/session.c b/session.c
index daad03929..3420db57d 100644
--- a/session.c
+++ b/session.c
@@ -2440,7 +2440,7 @@ do_cleanup(Authctxt *authctxt)
  return;
  called = 1;
- if (authctxt == NULL)
+ if (authctxt == NULL || !authctxt->authenticated)
  return;
 #ifdef KRB5
  if (options.kerberos_ticket_cleanup &&
diff --git a/sshd.c b/sshd.c
index 85b679d5e..b1776ef45 100644
--- a/sshd.c
+++ b/sshd.c
@@ -310,13 +310,11 @@ main_sigchld_handler(int sig)
 static void
 grace_alarm_handler(int sig)
 {
- /* XXX no idea how fix this signal handler */
-
  if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
  kill(pmonitor->m_pid, SIGALRM);
  /* Log error and exit. */
- fatal("Timeout before authentication for %s", get_remote_ipaddr());
+ sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
 /*
@@ -1797,6 +1795,7 @@ main(int ac, char **av)
  */
  alarm(0);
  signal(SIGALRM, SIG_DFL);
+ authctxt->authenticated = 1;
  if (startup_pipe != -1) {
  close(startup_pipe);
  startup_pipe = -1;
--
cgit v1.2.3
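Review bot: `sigdie()` is the replacement for calling `fatal()` from `grace_alarm_handler()`, yet it still enters `do_log()` from signal context, and nothing in this hunk shows that `do_log()` (and whatever it uses for output) is async-signal-safe; the concrete gain visible here is limited to `_exit(1)` replacing whatever `fatal()` does on its way out, which is not shown either. If `do_log()` reaches stdio or syslog, the safer shape is to make the logging step conditional on platforms where that is known to be safe and keep only the `_exit()` unconditional. The function also has no header comment, unlike the surrounding loggers; I would add `/* Like fatal(), but intended for signal handlers: log, then terminate with _exit() so no cleanup or atexit handlers run. */`.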
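Review bot: The added `sigdie` prototype omits the `__dead` annotation that `fatal` carries on the line above it, although `sigdie()` never returns (it ends in `_exit(1)` in log.c); without it the compiler cannot treat a `sigdie()` call as a terminating statement, so callers lose the missing-return and unreachable-code diagnostics that `fatal()` callers get. Change the added line to `void sigdie(const char *, ...) __dead __attribute__((format(printf, 1, 2)));`.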
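Review bot: `do_cleanup()` now returns immediately for any context whose `authenticated` flag is zero, and the only assignment of that flag in this patch is in sshd.c `main()` after `alarm(0)`; if any other route lets a post-authentication process reach `do_cleanup()` with an unflagged context (for instance a different process after privilege separation — not determinable from this hunk), the KRB5 and subsequent cleanup below would now be skipped silently. A comment at the new condition would pin the intent, e.g. `/* Before authentication nothing below has been set up; bail out so pre-auth fatal() paths never enter per-session cleanup. */`. `do_cleanup()` starts and ends outside the hunk.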
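Review bot: `grace_alarm_handler()` still evaluates `get_remote_ipaddr()` inside the handler before `sigdie()`; `kill()` is async-signal-safe, but `get_remote_ipaddr()` is not visible here, and if it resolves or caches the peer address on first use it would allocate from signal context. If the address is guaranteed to be cached before the alarm is armed, say so at the call, e.g. `/* runs in signal context: get_remote_ipaddr() must already be cached */`; otherwise save the address into a static buffer before `alarm()` is set and pass that copy to `sigdie()`. The second hunk sets `authctxt->authenticated = 1` only after `signal(SIGALRM, SIG_DFL)`, which is the ordering the field's "alarms cancelled" comment in auth.h requires; `main()` extends beyond both hunks.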