Fix CVE-2018-15473 (#1619064)
This commit is contained in:
parent
1b87361339
commit
8ebd1ac76b
|
@ -0,0 +1,146 @@
|
||||||
|
From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: djm <djm@openbsd.org>
|
||||||
|
Date: Tue, 31 Jul 2018 03:10:27 +0000
|
||||||
|
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
|
||||||
|
=?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
|
||||||
|
=?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
|
||||||
|
=?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
---
|
||||||
|
usr.bin/ssh/auth2-gss.c | 11 +++++++----
|
||||||
|
usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
|
||||||
|
usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++----------
|
||||||
|
3 files changed, 28 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
|
||||||
|
index 649c830916a..c919ef4c353 100644
|
||||||
|
--- a/usr.bin/ssh/auth2-gss.c
|
||||||
|
+++ b/usr.bin/ssh/auth2-gss.c
|
||||||
|
@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
|
u_int len;
|
||||||
|
u_char *doid = NULL;
|
||||||
|
|
||||||
|
- if (!authctxt->valid || authctxt->user == NULL)
|
||||||
|
- return (0);
|
||||||
|
-
|
||||||
|
mechs = packet_get_int();
|
||||||
|
if (mechs == 0) {
|
||||||
|
debug("Mechanism negotiation is not supported");
|
||||||
|
@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
+ free(doid);
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
||||||
|
if (ctxt != NULL)
|
||||||
|
ssh_gssapi_delete_ctx(&ctxt);
|
||||||
|
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
|
||||||
|
index ad335555934..fb5e5f42272 100644
|
||||||
|
--- a/usr.bin/ssh/auth2-hostbased.c
|
||||||
|
+++ b/usr.bin/ssh/auth2-hostbased.c
|
||||||
|
@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
|
size_t alen, blen, slen;
|
||||||
|
int r, pktype, authenticated = 0;
|
||||||
|
|
||||||
|
- if (!authctxt->valid) {
|
||||||
|
- debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
/* XXX use sshkey_froms() */
|
||||||
|
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
|
||||||
|
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
|
||||||
|
@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
||||||
|
authctxt->service;
|
||||||
|
if ((b = sshbuf_new()) == NULL)
|
||||||
|
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
|
||||||
|
index 195da5e2111..af9e5f04c45 100644
|
||||||
|
--- a/usr.bin/ssh/auth2-pubkey.c
|
||||||
|
+++ b/usr.bin/ssh/auth2-pubkey.c
|
||||||
|
@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
userauth_pubkey(struct ssh *ssh)
|
||||||
|
{
|
||||||
|
Authctxt *authctxt = ssh->authctxt;
|
||||||
|
- struct sshbuf *b;
|
||||||
|
+ struct sshbuf *b = NULL;
|
||||||
|
struct sshkey *key = NULL;
|
||||||
|
- char *pkalg, *userstyle = NULL, *fp = NULL;
|
||||||
|
- u_char *pkblob, *sig, have_sig;
|
||||||
|
+ char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
|
||||||
|
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
|
||||||
|
size_t blen, slen;
|
||||||
|
int r, pktype;
|
||||||
|
int authenticated = 0;
|
||||||
|
|
||||||
|
- if (!authctxt->valid) {
|
||||||
|
- debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
|
||||||
|
fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
|
||||||
|
if (ssh->compat & SSH_BUG_PKAUTH) {
|
||||||
|
@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
fatal("%s: sshbuf_put_string session id: %s",
|
||||||
|
__func__, ssh_err(r));
|
||||||
|
}
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user",
|
||||||
|
+ __func__);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
/* reconstruct packet */
|
||||||
|
xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||||
|
authctxt->style ? ":" : "",
|
||||||
|
@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
#ifdef DEBUG_PK
|
||||||
|
sshbuf_dump(b, stderr);
|
||||||
|
#endif
|
||||||
|
-
|
||||||
|
/* test for correct signature */
|
||||||
|
authenticated = 0;
|
||||||
|
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
||||||
|
@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
authenticated = 1;
|
||||||
|
}
|
||||||
|
sshbuf_free(b);
|
||||||
|
- free(sig);
|
||||||
|
auth2_record_key(authctxt, authenticated, key);
|
||||||
|
} else {
|
||||||
|
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
|
||||||
|
@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||||
|
fatal("%s: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user",
|
||||||
|
+ __func__);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
/* XXX fake reply and always send PK_OK ? */
|
||||||
|
/*
|
||||||
|
* XXX this allows testing whether a user is allowed
|
||||||
|
@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
free(pkalg);
|
||||||
|
free(pkblob);
|
||||||
|
free(fp);
|
||||||
|
+ free(sig);
|
||||||
|
return authenticated;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -233,6 +233,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
|
||||||
Patch950: openssh-7.5p1-sandbox.patch
|
Patch950: openssh-7.5p1-sandbox.patch
|
||||||
# PermitOpen bug in OpenSSH 7.6:
|
# PermitOpen bug in OpenSSH 7.6:
|
||||||
Patch951: openssh-7.6p1-permitopen-bug.patch
|
Patch951: openssh-7.6p1-permitopen-bug.patch
|
||||||
|
# CVE-2018-15473: User "enumeration" via malformed packets in authentication requests
|
||||||
|
Patch952: openssh-7.6p1-CVE-2018-15473.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
|
@ -456,6 +458,7 @@ popd
|
||||||
%patch949 -p1 -b .refactor
|
%patch949 -p1 -b .refactor
|
||||||
%patch950 -p1 -b .sandbox
|
%patch950 -p1 -b .sandbox
|
||||||
%patch951 -p1 -b .permitOpen
|
%patch951 -p1 -b .permitOpen
|
||||||
|
%patch952 -p3 -b .enumeration
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
|
|
Loading…
Reference in New Issue