From 5cbd391da94b7dcd5b02f15e2403319021618137 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 15 Jan 2016 09:33:32 +0100 Subject: [PATCH] Fix vulnerabilities published with openssh-7.1p2 (#1298626) * CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature * Fix an out of-bound read access in the packet handling code --- openssh-6.9p1-security-7.1.patch | 79 ++++++++++++++++++++++++++++++++ openssh.spec | 5 ++ 2 files changed, 84 insertions(+) create mode 100644 openssh-6.9p1-security-7.1.patch diff --git a/openssh-6.9p1-security-7.1.patch b/openssh-6.9p1-security-7.1.patch new file mode 100644 index 0000000..b506b13 --- /dev/null +++ b/openssh-6.9p1-security-7.1.patch @@ -0,0 +1,79 @@ +From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Sun, 8 Nov 2015 21:59:11 +0000 +Subject: upstream commit + +fix OOB read in packet code caused by missing return + statement found by Ben Hawkes; ok markus@ deraadt@ + +Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62 +--- + packet.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/packet.c b/packet.c +index 01d3e29..7b5c419 100644 +--- a/packet.c ++++ b/packet.c +@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + logit("Bad packet length %u.", state->packlen); + if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) + return r; ++ return SSH_ERR_CONN_CORRUPT; + } + sshbuf_reset(state->incoming_packet); + } else if (state->packlen == 0) { +-- +cgit v0.11.2 + +From e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Fri, 15 Jan 2016 01:30:36 +1100 +Subject: forcibly disable roaming support in the client + +--- + readconf.c | 5 ++--- + ssh.c | 3 --- + 2 files changed, 2 insertions(+), 6 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 0a38091..dd67811 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1713,7 +1713,7 @@ initialize_options(Options * options) + options->tun_remote = -1; + options->local_command = NULL; + options->permit_local_command = -1; +- options->use_roaming = -1; ++ options->use_roaming = 0; + options->visual_host_key = -1; + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; +@@ -1889,8 +1889,7 @@ fill_default_options(Options * options) + options->tun_remote = SSH_TUNID_ANY; + if (options->permit_local_command == -1) + options->permit_local_command = 0; +- if (options->use_roaming == -1) +- options->use_roaming = 1; ++ options->use_roaming = 0; + if (options->visual_host_key == -1) + options->visual_host_key = 0; + if (options->ip_qos_interactive == -1) +diff --git a/ssh.c b/ssh.c +index 096c5b5..cf6eaeb 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1949,9 +1949,6 @@ ssh_session2(void) + fork_postauth(); + } + +- if (options.use_roaming) +- request_roaming(); +- + return client_loop(tty_flag, tty_flag ? + options.escape_char : SSH_ESCAPECHAR_NONE, id); + } +-- +cgit v0.11.2 + + diff --git a/openssh.spec b/openssh.spec index dc184ac..a0f02c3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -236,6 +236,10 @@ Patch932: openssh-6.9p1-security-7.0.patch Patch933: openssh-6.9p1-show-more-fingerprints.patch # Add GSSAPIKexAlgorithms option for server and client application Patch934: openssh-6.9p1-gssKexAlgorithms.patch +# Vulnerabilities published with openssh-7.1p2 (#1298626) +# CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature +# Fix an out of-bound read access in the packet handling code +Patch935: openssh-6.9p1-security-7.1.patch License: BSD @@ -463,6 +467,7 @@ popd %patch932 -p1 -b .security %patch933 -p1 -b .fingerprint %patch934 -p1 -b .gsskexalg +%patch935 -p1 -b .security71 %patch200 -p1 -b .audit %patch700 -p1 -b .fips