From: Haris Okanovic <harisokn@gmail.com>
To: Joshua Lock <joshua.lock@collabora.co.uk>,
openembedded-core@lists.openembedded.org
Subject: Re: [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix
Date: Mon, 30 Nov 2015 09:43:10 -0600 [thread overview]
Message-ID: <565C6E8E.6040706@gmail.com> (raw)
In-Reply-To: <563BD196.2010005@collabora.co.uk>
On 11/05/2015 04:00 PM, Joshua Lock wrote:
> Thanks, I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.
You can find instructions on testing the vulnerability at the following
URL. I forgot to include it in the change description.
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> Regards,
>
> Joshua
>
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
>
>>
>> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
>> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
>> Reviewed-by: Ken Sharp <ken.sharp@ni.com>
>> Natinst-ReviewBoard-ID: 115602
>> Natinst-CAR-ID: 541263
>>
>> ---
>>
>> This patch only applies to Fido and earlier releases. Bug is already
>> fixed in Jethro which builds OpenSSH 7.1.
>> ---
>> .../openssh/openssh/CVE-2015-5600.patch | 50
>> ++++++++++++++++++++++
>> meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 +
>> 2 files changed, 51 insertions(+)
>> create mode 100644
>> meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>>
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> new file mode 100644
>> index 0000000..fa1c85e
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> @@ -0,0 +1,50 @@
>> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
>> +From: "djm@openbsd.org" <djm@openbsd.org>
>> +Date: Sat, 18 Jul 2015 07:57:14 +0000
>> +Subject: [PATCH] CVE-2015-5600
>> +
>> +only query each keyboard-interactive device once per
>> + authentication request regardless of how many times it is listed; ok
>> markus@
>> +
>> +Source:
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
>>
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>>
>> +
>> +Upstream-Status: Backport
>> +---
>> + auth2-chall.c | 9 +++++++--
>> + 1 file changed, 7 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/auth2-chall.c b/auth2-chall.c
>> +index
>> ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
>> 100644
>> +--- a/auth2-chall.c
>> ++++ b/auth2-chall.c
>> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
>> + void *ctxt;
>> + KbdintDevice *device;
>> + u_int nreq;
>> ++ u_int devices_done;
>> + };
>> +
>> + #ifdef USE_PAM
>> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
>> KbdintAuthctxt *kbdintctxt)
>> + if (len == 0)
>> + break;
>> + for (i = 0; devices[i]; i++) {
>> +- if (!auth2_method_allowed(authctxt,
>> ++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
>> ++ !auth2_method_allowed(authctxt,
>> + "keyboard-interactive", devices[i]->name))
>> + continue;
>> +- if (strncmp(kbdintctxt->devices, devices[i]->name, len)
>> == 0)
>> ++ if (strncmp(kbdintctxt->devices, devices[i]->name,
>> ++ len) == 0) {
>> + kbdintctxt->device = devices[i];
>> ++ kbdintctxt->devices_done |= 1 << i;
>> ++ }
>> + }
>> + t = kbdintctxt->devices;
>> + kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
>> +--
>> +2.6.2
>> +
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> index aa71cc1..9246284 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> @@ -25,6 +25,7 @@ SRC_URI =
>> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>> file://CVE-2015-6563.patch \
>> file://CVE-2015-6564.patch \
>> file://CVE-2015-6565.patch \
>> + file://CVE-2015-5600.patch \
>> "
>>
>> PAM_SRC_URI = "file://sshd"
>>
>
prev parent reply other threads:[~2015-11-30 15:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-30 20:12 [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix Haris Okanovic
2015-11-05 22:00 ` Joshua Lock
2015-11-30 15:43 ` Haris Okanovic [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=565C6E8E.6040706@gmail.com \
--to=harisokn@gmail.com \
--cc=joshua.lock@collabora.co.uk \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.