[OE-core] [OE-Core] [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix
Haris Okanovic
harisokn at gmail.com
Mon Nov 30 15:43:10 UTC 2015
On 11/05/2015 04:00 PM, Joshua Lock wrote:
> Thanks, I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.
You can find instructions on testing the vulnerability at the following
URL. I forgot to include it in the change description.
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> Regards,
>
> Joshua
>
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
>
>>
>> Signed-off-by: Haris Okanovic <haris.okanovic at ni.com>
>> Reviewed-by: Rich Tollerton <rich.tollerton at ni.com>
>> Reviewed-by: Ken Sharp <ken.sharp at ni.com>
>> Natinst-ReviewBoard-ID: 115602
>> Natinst-CAR-ID: 541263
>>
>> ---
>>
>> This patch only applies to Fido and earlier releases. Bug is already
>> fixed in Jethro which builds OpenSSH 7.1.
>> ---
>> .../openssh/openssh/CVE-2015-5600.patch | 50
>> ++++++++++++++++++++++
>> meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 +
>> 2 files changed, 51 insertions(+)
>> create mode 100644
>> meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>>
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> new file mode 100644
>> index 0000000..fa1c85e
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> @@ -0,0 +1,50 @@
>> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
>> +From: "djm at openbsd.org" <djm at openbsd.org>
>> +Date: Sat, 18 Jul 2015 07:57:14 +0000
>> +Subject: [PATCH] CVE-2015-5600
>> +
>> +only query each keyboard-interactive device once per
>> + authentication request regardless of how many times it is listed; ok
>> markus@
>> +
>> +Source:
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
>>
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>>
>> +
>> +Upstream-Status: Backport
>> +---
>> + auth2-chall.c | 9 +++++++--
>> + 1 file changed, 7 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/auth2-chall.c b/auth2-chall.c
>> +index
>> ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
>> 100644
>> +--- a/auth2-chall.c
>> ++++ b/auth2-chall.c
>> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
>> + void *ctxt;
>> + KbdintDevice *device;
>> + u_int nreq;
>> ++ u_int devices_done;
>> + };
>> +
>> + #ifdef USE_PAM
>> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
>> KbdintAuthctxt *kbdintctxt)
>> + if (len == 0)
>> + break;
>> + for (i = 0; devices[i]; i++) {
>> +- if (!auth2_method_allowed(authctxt,
>> ++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
>> ++ !auth2_method_allowed(authctxt,
>> + "keyboard-interactive", devices[i]->name))
>> + continue;
>> +- if (strncmp(kbdintctxt->devices, devices[i]->name, len)
>> == 0)
>> ++ if (strncmp(kbdintctxt->devices, devices[i]->name,
>> ++ len) == 0) {
>> + kbdintctxt->device = devices[i];
>> ++ kbdintctxt->devices_done |= 1 << i;
>> ++ }
>> + }
>> + t = kbdintctxt->devices;
>> + kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
>> +--
>> +2.6.2
>> +
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> index aa71cc1..9246284 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> @@ -25,6 +25,7 @@ SRC_URI =
>> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>> file://CVE-2015-6563.patch \
>> file://CVE-2015-6564.patch \
>> file://CVE-2015-6565.patch \
>> + file://CVE-2015-5600.patch \
>> "
>>
>> PAM_SRC_URI = "file://sshd"
>>
>
More information about the Openembedded-core
mailing list