From 793e7839fc72732deaba729b2d429596276dc75f Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Tue, 9 Aug 2016 08:43:37 +0200 Subject: [PATCH] CVE-2016-6515: Denial of service via very long passwords (#1364936) related to user enumeration. Upstream: https://github.com/openssh/openssh-portable/commit/fcd135c9df --- openssh-7.2p2-user-enumeration.patch | 40 ++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/openssh-7.2p2-user-enumeration.patch b/openssh-7.2p2-user-enumeration.patch index 91ccccf..19c8493 100644 --- a/openssh-7.2p2-user-enumeration.patch +++ b/openssh-7.2p2-user-enumeration.patch @@ -212,4 +212,44 @@ index 451de78..465b5a7 100644 if (sshpam_err == PAM_SUCCESS && authctxt->valid) { debug("PAM: password authentication accepted for %.100s", authctxt->user); +From fcd135c9df440bcd2d5870405ad3311743d78d97 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Thu, 21 Jul 2016 01:39:35 +0000 +Subject: [PATCH] upstream commit + +Skip passwords longer than 1k in length so clients can't +easily DoS sshd by sending very long passwords, causing it to spend CPU +hashing them. feedback djm@, ok markus@. + +Brought to our attention by tomas.kuthan at oracle.com, shilei-c at +360.cn and coredump at autistici.org + +Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333 +--- + auth-passwd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/auth-passwd.c b/auth-passwd.c +index 530b5d4..996c2cf 100644 +--- a/auth-passwd.c ++++ b/auth-passwd.c +@@ -66,6 +66,8 @@ extern login_cap_t *lc; + #define DAY (24L * 60 * 60) /* 1 day in seconds */ + #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ + ++#define MAX_PASSWORD_LEN 1024 ++ + void + disable_forwarding(void) + { +@@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password) + static int expire_checked = 0; + #endif + ++ if (strlen(password) > MAX_PASSWORD_LEN) ++ return 0; ++ + #ifndef HAVE_CYGWIN + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + ok = 0;