From: Joshua Lock <joshua.lock@collabora.co.uk>
To: openembedded-core@lists.openembedded.org
Subject: Re: [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix
Date: Thu, 5 Nov 2015 22:00:54 +0000 [thread overview]
Message-ID: <563BD196.2010005@collabora.co.uk> (raw)
In-Reply-To: <1446235976-7118-1-git-send-email-haris.okanovic@ni.com>
On 30/10/15 20:12, Haris Okanovic wrote:
> only query each keyboard-interactive device once per
> authentication request regardless of how many times it is listed
>
> Source:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>
> Bug report:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
> https://bugzilla.redhat.com/show_bug.cgi?id=1245969
>
> Testing:
> Built in Fido and installed to x86_64 test system.
> Verified both 'keyboard-interactive' and 'publickey' logon works with
> root and a regular user from an openssh 7.1p1-1 client on Arch.
Thanks, I've pushed this change to my joshuagl/fido-next branch of
openembedded-core-contrib and am testing it now.
Regards,
Joshua
1.
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
> Reviewed-by: Ken Sharp <ken.sharp@ni.com>
> Natinst-ReviewBoard-ID: 115602
> Natinst-CAR-ID: 541263
>
> ---
>
> This patch only applies to Fido and earlier releases. Bug is already
> fixed in Jethro which builds OpenSSH 7.1.
> ---
> .../openssh/openssh/CVE-2015-5600.patch | 50 ++++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 +
> 2 files changed, 51 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> new file mode 100644
> index 0000000..fa1c85e
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> @@ -0,0 +1,50 @@
> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Sat, 18 Jul 2015 07:57:14 +0000
> +Subject: [PATCH] CVE-2015-5600
> +
> +only query each keyboard-interactive device once per
> + authentication request regardless of how many times it is listed; ok markus@
> +
> +Source:
> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
> +
> +Upstream-Status: Backport
> +---
> + auth2-chall.c | 9 +++++++--
> + 1 file changed, 7 insertions(+), 2 deletions(-)
> +
> +diff --git a/auth2-chall.c b/auth2-chall.c
> +index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644
> +--- a/auth2-chall.c
> ++++ b/auth2-chall.c
> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
> + void *ctxt;
> + KbdintDevice *device;
> + u_int nreq;
> ++ u_int devices_done;
> + };
> +
> + #ifdef USE_PAM
> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
> + if (len == 0)
> + break;
> + for (i = 0; devices[i]; i++) {
> +- if (!auth2_method_allowed(authctxt,
> ++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
> ++ !auth2_method_allowed(authctxt,
> + "keyboard-interactive", devices[i]->name))
> + continue;
> +- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
> ++ if (strncmp(kbdintctxt->devices, devices[i]->name,
> ++ len) == 0) {
> + kbdintctxt->device = devices[i];
> ++ kbdintctxt->devices_done |= 1 << i;
> ++ }
> + }
> + t = kbdintctxt->devices;
> + kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
> +--
> +2.6.2
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> index aa71cc1..9246284 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> @@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://CVE-2015-6563.patch \
> file://CVE-2015-6564.patch \
> file://CVE-2015-6565.patch \
> + file://CVE-2015-5600.patch \
> "
>
> PAM_SRC_URI = "file://sshd"
>
next prev parent reply other threads:[~2015-11-05 22:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-30 20:12 [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix Haris Okanovic
2015-11-05 22:00 ` Joshua Lock [this message]
2015-11-30 15:43 ` Haris Okanovic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=563BD196.2010005@collabora.co.uk \
--to=joshua.lock@collabora.co.uk \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.