Fix several vulnerabilities published with new openssh-7.0, namely:
Incorrectly set TTYs to be world-writable (#1252861) https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a Privilege separation weakness related to PAM support (#1252844) https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Use-after-free bug related to PAM support (#1252852) https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
This commit is contained in:
parent
405790ef61
commit
4776fad91e
63
openssh-6.9p1-security-7.0.patch
Normal file
63
openssh-6.9p1-security-7.0.patch
Normal file
@ -0,0 +1,63 @@
|
||||
diff --git a/sshpty.c b/sshpty.c
|
||||
index 7bb7641..15da8c6 100644
|
||||
--- a/sshpty.c
|
||||
+++ b/sshpty.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
|
||||
+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
|
||||
/* Determine the group to make the owner of the tty. */
|
||||
grp = getgrnam("tty");
|
||||
gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
|
||||
- mode = (grp != NULL) ? 0622 : 0600;
|
||||
+ mode = (grp != NULL) ? 0620 : 0600;
|
||||
|
||||
/*
|
||||
* Change owner and mode of the tty as required.
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index b410965..f1b873d 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
|
||||
int
|
||||
mm_answer_pam_init_ctx(int sock, Buffer *m)
|
||||
{
|
||||
-
|
||||
debug3("%s", __func__);
|
||||
- authctxt->user = buffer_get_string(m, NULL);
|
||||
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
|
||||
sshpam_authok = NULL;
|
||||
buffer_clear(m);
|
||||
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
|
||||
int
|
||||
mm_answer_pam_free_ctx(int sock, Buffer *m)
|
||||
{
|
||||
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
|
||||
|
||||
debug3("%s", __func__);
|
||||
(sshpam_device.free_ctx)(sshpam_ctxt);
|
||||
+ sshpam_ctxt = sshpam_authok = NULL;
|
||||
buffer_clear(m);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
|
||||
auth_method = "keyboard-interactive";
|
||||
auth_submethod = "pam";
|
||||
- return (sshpam_authok == sshpam_ctxt);
|
||||
+ return r;
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index e6217b3..eac421b 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
|
||||
|
||||
debug3("%s", __func__);
|
||||
buffer_init(&m);
|
||||
- buffer_put_cstring(&m, authctxt->user);
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
|
||||
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
|
@ -227,6 +227,11 @@ Patch929: openssh-6.9p1-permit-root-login.patch
|
||||
Patch930: openssh-6.9p1-authentication-limits-bypass.patch
|
||||
# Handle terminal control characters in scp progressmeter (#1247204)
|
||||
Patch931: openssh-6.9p1-scp-progressmeter.patch
|
||||
# Vulnerabilities published with openssh-7.0:
|
||||
# Incorrectly set TTYs to be world-writable (#1252861)
|
||||
# Privilege separation weakness related to PAM support (#1252844)
|
||||
# Use-after-free bug related to PAM support (#1252852)
|
||||
Patch932: openssh-6.9p1-security-7.0.patch
|
||||
|
||||
|
||||
|
||||
@ -452,6 +457,7 @@ popd
|
||||
%patch929 -p1 -b .root-login
|
||||
%patch930 -p1 -b .kbd
|
||||
%patch931 -p1 -b .progressmeter
|
||||
%patch932 -p1 -b .security
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch700 -p1 -b .fips
|
||||
|
Loading…
Reference in New Issue
Block a user