From: Haris Okanovic <harisokn@gmail.com>
To: Joshua Lock <joshua.lock@collabora.co.uk>,
openembedded-core@lists.openembedded.org
Subject: Re: [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix
Date: Mon, 30 Nov 2015 09:43:10 -0600 [thread overview]
Message-ID: <565C6E8E.6040706@gmail.com> (raw)
In-Reply-To: <563BD196.2010005@collabora.co.uk>
On 11/05/2015 04:00 PM, Joshua Lock wrote:
> Thanks, I've pushed this change to my joshuagl/fido-next branch of
> openembedded-core-contrib and am testing it now.
You can find instructions on testing the vulnerability at the following
URL. I forgot to include it in the change description.
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> Regards,
>
> Joshua
>
> 1.
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
>
>
>>
>> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
>> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
>> Reviewed-by: Ken Sharp <ken.sharp@ni.com>
>> Natinst-ReviewBoard-ID: 115602
>> Natinst-CAR-ID: 541263
>>
>> ---
>>
>> This patch only applies to Fido and earlier releases. Bug is already
>> fixed in Jethro which builds OpenSSH 7.1.
>> ---
>> .../openssh/openssh/CVE-2015-5600.patch | 50
>> ++++++++++++++++++++++
>> meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 +
>> 2 files changed, 51 insertions(+)
>> create mode 100644
>> meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>>
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> new file mode 100644
>> index 0000000..fa1c85e
>> --- /dev/null
>> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>> @@ -0,0 +1,50 @@
>> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
>> +From: "djm@openbsd.org" <djm@openbsd.org>
>> +Date: Sat, 18 Jul 2015 07:57:14 +0000
>> +Subject: [PATCH] CVE-2015-5600
>> +
>> +only query each keyboard-interactive device once per
>> + authentication request regardless of how many times it is listed; ok
>> markus@
>> +
>> +Source:
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
>>
>> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>>
>> +
>> +Upstream-Status: Backport
>> +---
>> + auth2-chall.c | 9 +++++++--
>> + 1 file changed, 7 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/auth2-chall.c b/auth2-chall.c
>> +index
>> ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
>> 100644
>> +--- a/auth2-chall.c
>> ++++ b/auth2-chall.c
>> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
>> + void *ctxt;
>> + KbdintDevice *device;
>> + u_int nreq;
>> ++ u_int devices_done;
>> + };
>> +
>> + #ifdef USE_PAM
>> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
>> KbdintAuthctxt *kbdintctxt)
>> + if (len == 0)
>> + break;
>> + for (i = 0; devices[i]; i++) {
>> +- if (!auth2_method_allowed(authctxt,
>> ++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
>> ++ !auth2_method_allowed(authctxt,
>> + "keyboard-interactive", devices[i]->name))
>> + continue;
>> +- if (strncmp(kbdintctxt->devices, devices[i]->name, len)
>> == 0)
>> ++ if (strncmp(kbdintctxt->devices, devices[i]->name,
>> ++ len) == 0) {
>> + kbdintctxt->device = devices[i];
>> ++ kbdintctxt->devices_done |= 1 << i;
>> ++ }
>> + }
>> + t = kbdintctxt->devices;
>> + kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
>> +--
>> +2.6.2
>> +
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> index aa71cc1..9246284 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
>> @@ -25,6 +25,7 @@ SRC_URI =
>> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>> file://CVE-2015-6563.patch \
>> file://CVE-2015-6564.patch \
>> file://CVE-2015-6565.patch \
>> + file://CVE-2015-5600.patch \
>> "
>>
>> PAM_SRC_URI = "file://sshd"
>>
>
prev parent reply other threads:[~2015-11-30 15:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-30 20:12 [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix Haris Okanovic
2015-11-05 22:00 ` Joshua Lock
2015-11-30 15:43 ` Haris Okanovic [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=565C6E8E.6040706@gmail.com \
--to=harisokn@gmail.com \
--cc=joshua.lock@collabora.co.uk \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox