[OE-core] [PATCH 4/4] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
Armin Kuster
akuster808 at gmail.com
Sat Nov 21 18:22:45 UTC 2015
three security fixes.
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
(From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f)
Signed-off-by: Armin Kuster <akuster at mvista.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster at mvista.com>
Conflicts:
meta/recipes-connectivity/openssh/openssh_6.6p1.bb
---
.../openssh/openssh/CVE-2015-6563.patch | 36 ++++++++++++++++++++++
.../openssh/openssh/CVE-2015-6564.patch | 34 ++++++++++++++++++++
.../openssh/openssh/CVE-2015-6565.patch | 35 +++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 5 ++-
4 files changed, 109 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000..19cea41
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
+CVE-2015-6563
+
+Don't resend username to PAM; it already has it.
+Pointed out by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+Index: openssh-6.7p1/monitor_wrap.c
+===================================================================
+--- openssh-6.7p1.orig/monitor_wrap.c
++++ openssh-6.7p1/monitor_wrap.c
+@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000..588d42d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+
+ set sshpam_ctxt to NULL after free
+
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000..42667b0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
+
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Upstream-Status: Backport
+
+merged two changes into one.
+[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
+tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
+
+[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+Index: openssh-6.7p1/sshpty.c
+===================================================================
+--- openssh-6.7p1.orig/sshpty.c
++++ openssh-6.7p1/sshpty.c
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
+
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+- if (grp) {
+- gid = grp->gr_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP;
+- } else {
+- gid = pw->pw_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+- }
++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index f575665..4b88704 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://run-ptest \
file://openssh-CVE-2014-2532.patch \
file://openssh-CVE-2014-2653.patch \
- file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
+ file://CVE-2015-6563.patch \
+ file://CVE-2015-6564.patch \
+ file://CVE-2015-6565.patch \
+ "
PAM_SRC_URI = "file://sshd"
--
1.9.1
More information about the Openembedded-core
mailing list