openssh/openssh-7.6p1-CVE-2018-15473.patch

From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 31 Jul 2018 03:10:27 +0000
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
 =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
 =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
 =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 usr.bin/ssh/auth2-gss.c       | 11 +++++++----
 usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
 usr.bin/ssh/auth2-pubkey.c    | 25 +++++++++++++++----------
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
index 649c830916a..c919ef4c353 100644
--- a/usr.bin/ssh/auth2-gss.c
+++ b/usr.bin/ssh/auth2-gss.c
@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
 	u_int len;
 	u_char *doid = NULL;
 
-	if (!authctxt->valid || authctxt->user == NULL)
-		return (0);
-
 	mechs = packet_get_int();
 	if (mechs == 0) {
 		debug("Mechanism negotiation is not supported");
@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
 		return (0);
 	}
 
+	if (!authctxt->valid || authctxt->user == NULL) {
+		debug2("%s: disabled because of invalid user", __func__);
+		free(doid);
+		return (0);
+	}
+
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
 		if (ctxt != NULL)
 			ssh_gssapi_delete_ctx(&ctxt);
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
index ad335555934..fb5e5f42272 100644
--- a/usr.bin/ssh/auth2-hostbased.c
+++ b/usr.bin/ssh/auth2-hostbased.c
@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
 	size_t alen, blen, slen;
 	int r, pktype, authenticated = 0;
 
-	if (!authctxt->valid) {
-		debug2("%s: disabled because of invalid user", __func__);
-		return 0;
-	}
 	/* XXX use sshkey_froms() */
 	if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
 		goto done;
 	}
 
+	if (!authctxt->valid || authctxt->user == NULL) {
+		debug2("%s: disabled because of invalid user", __func__);
+		goto done;
+	}
+
 	service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
 	    authctxt->service;
 	if ((b = sshbuf_new()) == NULL)
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
index 195da5e2111..af9e5f04c45 100644
--- a/usr.bin/ssh/auth2-pubkey.c
+++ b/usr.bin/ssh/auth2-pubkey.c
@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
 userauth_pubkey(struct ssh *ssh)
 {
 	Authctxt *authctxt = ssh->authctxt;
-	struct sshbuf *b;
+	struct sshbuf *b = NULL;
 	struct sshkey *key = NULL;
-	char *pkalg, *userstyle = NULL, *fp = NULL;
-	u_char *pkblob, *sig, have_sig;
+	char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
+	u_char *pkblob = NULL, *sig = NULL, have_sig;
 	size_t blen, slen;
 	int r, pktype;
 	int authenticated = 0;
 
-	if (!authctxt->valid) {
-		debug2("%s: disabled because of invalid user", __func__);
-		return 0;
-	}
 	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
 		fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
 	if (ssh->compat & SSH_BUG_PKAUTH) {
@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
 				fatal("%s: sshbuf_put_string session id: %s",
 				    __func__, ssh_err(r));
 		}
+		if (!authctxt->valid || authctxt->user == NULL) {
+			debug2("%s: disabled because of invalid user",
+			    __func__);
+			goto done;
+		}
 		/* reconstruct packet */
 		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
 		    authctxt->style ? ":" : "",
@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
 #ifdef DEBUG_PK
 		sshbuf_dump(b, stderr);
 #endif
-
 		/* test for correct signature */
 		authenticated = 0;
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
 			authenticated = 1;
 		}
 		sshbuf_free(b);
-		free(sig);
 		auth2_record_key(authctxt, authenticated, key);
 	} else {
 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
 		if ((r = sshpkt_get_end(ssh)) != 0)
 			fatal("%s: %s", __func__, ssh_err(r));
 
+		if (!authctxt->valid || authctxt->user == NULL) {
+			debug2("%s: disabled because of invalid user",
+			    __func__);
+			goto done;
+		}
 		/* XXX fake reply and always send PK_OK ? */
 		/*
 		 * XXX this allows testing whether a user is allowed
@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
 	free(pkalg);
 	free(pkblob);
 	free(fp);
+	free(sig);
 	return authenticated;
 }
Fix CVE-2018-15473 (#1619064) 2018-08-25 12:25:30 +00:00			`From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001`
			`From: djm <djm@openbsd.org>`
			`Date: Tue, 31 Jul 2018 03:10:27 +0000`
			`Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=`
			`=?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=`
			`=?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=`
			`=?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`---`
			`usr.bin/ssh/auth2-gss.c \| 11 +++++++----`
			`usr.bin/ssh/auth2-hostbased.c \| 11 ++++++-----`
			`usr.bin/ssh/auth2-pubkey.c \| 25 +++++++++++++++----------`
			`3 files changed, 28 insertions(+), 19 deletions(-)`

			`diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c`
			`index 649c830916a..c919ef4c353 100644`
			`--- a/usr.bin/ssh/auth2-gss.c`
			`+++ b/usr.bin/ssh/auth2-gss.c`
			`@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)`
			`u_int len;`
			`u_char *doid = NULL;`

			`- if (!authctxt->valid \|\| authctxt->user == NULL)`
			`- return (0);`
			`-`
			`mechs = packet_get_int();`
			`if (mechs == 0) {`
			`debug("Mechanism negotiation is not supported");`
			`@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)`
			`return (0);`
			`}`

			`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
			`+ debug2("%s: disabled because of invalid user", __func__);`
			`+ free(doid);`
			`+ return (0);`
			`+ }`
			`+`
			`if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {`
			`if (ctxt != NULL)`
			`ssh_gssapi_delete_ctx(&ctxt);`
			`diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c`
			`index ad335555934..fb5e5f42272 100644`
			`--- a/usr.bin/ssh/auth2-hostbased.c`
			`+++ b/usr.bin/ssh/auth2-hostbased.c`
			`@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)`
			`size_t alen, blen, slen;`
			`int r, pktype, authenticated = 0;`

			`- if (!authctxt->valid) {`
			`- debug2("%s: disabled because of invalid user", __func__);`
			`- return 0;`
			`- }`
			`/* XXX use sshkey_froms() */`
			`if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 \|\|`
			`(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 \|\|`
			`@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)`
			`goto done;`
			`}`

			`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
			`+ debug2("%s: disabled because of invalid user", __func__);`
			`+ goto done;`
			`+ }`
			`+`
			`service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :`
			`authctxt->service;`
			`if ((b = sshbuf_new()) == NULL)`
			`diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c`
			`index 195da5e2111..af9e5f04c45 100644`
			`--- a/usr.bin/ssh/auth2-pubkey.c`
			`+++ b/usr.bin/ssh/auth2-pubkey.c`
			`@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)`
			`userauth_pubkey(struct ssh *ssh)`
			`{`
			`Authctxt *authctxt = ssh->authctxt;`
			`- struct sshbuf *b;`
			`+ struct sshbuf *b = NULL;`
			`struct sshkey *key = NULL;`
			`- char pkalg, userstyle = NULL, *fp = NULL;`
			`- u_char pkblob, sig, have_sig;`
			`+ char pkalg = NULL, userstyle = NULL, *fp = NULL;`
			`+ u_char pkblob = NULL, sig = NULL, have_sig;`
			`size_t blen, slen;`
			`int r, pktype;`
			`int authenticated = 0;`

			`- if (!authctxt->valid) {`
			`- debug2("%s: disabled because of invalid user", __func__);`
			`- return 0;`
			`- }`
			`if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)`
			`fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));`
			`if (ssh->compat & SSH_BUG_PKAUTH) {`
			`@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)`
			`fatal("%s: sshbuf_put_string session id: %s",`
			`__func__, ssh_err(r));`
			`}`
			`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
			`+ debug2("%s: disabled because of invalid user",`
			`+ __func__);`
			`+ goto done;`
			`+ }`
			`/* reconstruct packet */`
			`xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,`
			`authctxt->style ? ":" : "",`
			`@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)`
			`#ifdef DEBUG_PK`
			`sshbuf_dump(b, stderr);`
			`#endif`
			`-`
			`/* test for correct signature */`
			`authenticated = 0;`
			`if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&`
			`@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)`
			`authenticated = 1;`
			`}`
			`sshbuf_free(b);`
			`- free(sig);`
			`auth2_record_key(authctxt, authenticated, key);`
			`} else {`
			`debug("%s: test whether pkalg/pkblob are acceptable for %s %s",`
			`@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)`
			`if ((r = sshpkt_get_end(ssh)) != 0)`
			`fatal("%s: %s", __func__, ssh_err(r));`

			`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
			`+ debug2("%s: disabled because of invalid user",`
			`+ __func__);`
			`+ goto done;`
			`+ }`
			`/* XXX fake reply and always send PK_OK ? */`
			`/*`
			`* XXX this allows testing whether a user is allowed`
			`@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)`
			`free(pkalg);`
			`free(pkblob);`
			`free(fp);`
			`+ free(sig);`
			`return authenticated;`
			`}`