From 8ebd1ac76bb531669efea99b3a137afa6056fab5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Sat, 25 Aug 2018 14:25:30 +0200
Subject: [PATCH] Fix CVE-2018-15473 (#1619064)

---
 openssh-7.6p1-CVE-2018-15473.patch | 146 +++++++++++++++++++++++++++++
 openssh.spec | 3 +
 2 files changed, 149 insertions(+)
 create mode 100644 openssh-7.6p1-CVE-2018-15473.patch

diff --git a/openssh-7.6p1-CVE-2018-15473.patch b/openssh-7.6p1-CVE-2018-15473.patch
new file mode 100644
index 0000000..373bb74
--- /dev/null
+++ b/openssh-7.6p1-CVE-2018-15473.patch
@@ -0,0 +1,146 @@
+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
+From: djm
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ usr.bin/ssh/auth2-gss.c | 11 +++++++----
+ usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
+ usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++----------
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
+index 649c830916a..c919ef4c353 100644
+--- a/usr.bin/ssh/auth2-gss.c
++++ b/usr.bin/ssh/auth2-gss.c
+@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
+ u_int len;
+ u_char *doid = NULL;
+ 
+- if (!authctxt->valid || authctxt->user == NULL)
+- return (0);
+-
+ mechs = packet_get_int();
+ if (mechs == 0) {
+ debug("Mechanism negotiation is not supported");
+@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
+ return (0);
+ }
+ 
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ free(doid);
++ return (0);
++ }
++
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ if (ctxt != NULL)
+ ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
+index ad335555934..fb5e5f42272 100644
+--- a/usr.bin/ssh/auth2-hostbased.c
++++ b/usr.bin/ssh/auth2-hostbased.c
+@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
+ size_t alen, blen, slen;
+ int r, pktype, authenticated = 0;
+ 
+- if (!authctxt->valid) {
+- debug2("%s: disabled because of invalid user", __func__);
+- return 0;
+- }
+ /* XXX use sshkey_froms() */
+ if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
+ (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
+@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
+ goto done;
+ }
+ 
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ goto done;
++ }
++
+ service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ authctxt->service;
+ if ((b = sshbuf_new()) == NULL)
+diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
+index 195da5e2111..af9e5f04c45 100644
+--- a/usr.bin/ssh/auth2-pubkey.c
++++ b/usr.bin/ssh/auth2-pubkey.c
+@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
+ userauth_pubkey(struct ssh *ssh)
+ {
+ Authctxt *authctxt = ssh->authctxt;
+- struct sshbuf *b;
++ struct sshbuf *b = NULL;
+ struct sshkey *key = NULL;
+- char *pkalg, *userstyle = NULL, *fp = NULL;
+- u_char *pkblob, *sig, have_sig;
++ char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
++ u_char *pkblob = NULL, *sig = NULL, have_sig;
+ size_t blen, slen;
+ int r, pktype;
+ int authenticated = 0;
+ 
+- if (!authctxt->valid) {
+- debug2("%s: disabled because of invalid user", __func__);
+- return 0;
+- }
+ if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
+ fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
+ if (ssh->compat & SSH_BUG_PKAUTH) {
+@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
+ fatal("%s: sshbuf_put_string session id: %s",
+ __func__, ssh_err(r));
+ }
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ goto done;
++ }
+ /* reconstruct packet */
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+ authctxt->style ? ":" : "",
+@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
+ #ifdef DEBUG_PK
+ sshbuf_dump(b, stderr);
+ #endif
+-
+ /* test for correct signature */
+ authenticated = 0;
+ if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
+@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
+ authenticated = 1;
+ }
+ sshbuf_free(b);
+- free(sig);
+ auth2_record_key(authctxt, authenticated, key);
+ } else {
+ debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r));
+ 
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ goto done;
++ }
+ /* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
+ free(pkalg);
+ free(pkblob);
+ free(fp);
++ free(sig);
+ return authenticated;
+ }
+ 
+
diff --git a/openssh.spec b/openssh.spec
index 7b8360d..c864308 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -233,6 +233,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
 Patch950: openssh-7.5p1-sandbox.patch
 # PermitOpen bug in OpenSSH 7.6:
 Patch951: openssh-7.6p1-permitopen-bug.patch
+# CVE-2018-15473: User "enumeration" via malformed packets in authentication requests
+Patch952: openssh-7.6p1-CVE-2018-15473.patch
 
 License: BSD
 
@@ -456,6 +458,7 @@ popd
 %patch949 -p1 -b .refactor
 %patch950 -p1 -b .sandbox
 %patch951 -p1 -b .permitOpen
+%patch952 -p3 -b .enumeration
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race