Fix CVE-2018-15473 (#1619064)

2018-08-25 14:25:30 +02:00 · 2018-08-25 14:25:30 +02:00 · 8ebd1ac76b
commit 8ebd1ac76b
parent 1b87361339
2 changed files with 149 additions and 0 deletions
--- a/openssh-7.6p1-CVE-2018-15473.patch
+++ b/openssh-7.6p1-CVE-2018-15473.patch
@ -0,0 +1,146 @@
+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
+From: djm <djm@openbsd.org>
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ usr.bin/ssh/auth2-gss.c       | 11 +++++++----
+ usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
+ usr.bin/ssh/auth2-pubkey.c    | 25 +++++++++++++++----------
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
+index 649c830916a..c919ef4c353 100644
+--- a/usr.bin/ssh/auth2-gss.c
+++ b/usr.bin/ssh/auth2-gss.c
+@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
+ 	u_int len;
+ 	u_char *doid = NULL;
+ 
+-	if (!authctxt->valid || authctxt->user == NULL)
+-		return (0);
+-
+ 	mechs = packet_get_int();
+ 	if (mechs == 0) {
+ 		debug("Mechanism negotiation is not supported");
+@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
+ 		return (0);
+ 	}
+ 
+	if (!authctxt->valid || authctxt->user == NULL) {
+		debug2("%s: disabled because of invalid user", __func__);
+		free(doid);
+		return (0);
+	}
+
+ 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ 		if (ctxt != NULL)
+ 			ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
+index ad335555934..fb5e5f42272 100644
+--- a/usr.bin/ssh/auth2-hostbased.c
+++ b/usr.bin/ssh/auth2-hostbased.c
+@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
+ 	size_t alen, blen, slen;
+ 	int r, pktype, authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	/* XXX use sshkey_froms() */
+ 	if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
+ 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
+@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
+ 		goto done;
+ 	}
+ 
+	if (!authctxt->valid || authctxt->user == NULL) {
+		debug2("%s: disabled because of invalid user", __func__);
+		goto done;
+	}
+
+ 	service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ 	    authctxt->service;
+ 	if ((b = sshbuf_new()) == NULL)
+diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
+index 195da5e2111..af9e5f04c45 100644
+--- a/usr.bin/ssh/auth2-pubkey.c
+++ b/usr.bin/ssh/auth2-pubkey.c
+@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
+ userauth_pubkey(struct ssh *ssh)
+ {
+ 	Authctxt *authctxt = ssh->authctxt;
+-	struct sshbuf *b;
+	struct sshbuf *b = NULL;
+ 	struct sshkey *key = NULL;
+-	char *pkalg, *userstyle = NULL, *fp = NULL;
+-	u_char *pkblob, *sig, have_sig;
+	char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
+	u_char *pkblob = NULL, *sig = NULL, have_sig;
+ 	size_t blen, slen;
+ 	int r, pktype;
+ 	int authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
+ 		fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
+ 	if (ssh->compat & SSH_BUG_PKAUTH) {
+@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
+ 				fatal("%s: sshbuf_put_string session id: %s",
+ 				    __func__, ssh_err(r));
+ 		}
+		if (!authctxt->valid || authctxt->user == NULL) {
+			debug2("%s: disabled because of invalid user",
+			    __func__);
+			goto done;
+		}
+ 		/* reconstruct packet */
+ 		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+ 		    authctxt->style ? ":" : "",
+@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
+ #ifdef DEBUG_PK
+ 		sshbuf_dump(b, stderr);
+ #endif
+-
+ 		/* test for correct signature */
+ 		authenticated = 0;
+ 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
+@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
+ 			authenticated = 1;
+ 		}
+ 		sshbuf_free(b);
+-		free(sig);
+ 		auth2_record_key(authctxt, authenticated, key);
+ 	} else {
+ 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
+ 		if ((r = sshpkt_get_end(ssh)) != 0)
+ 			fatal("%s: %s", __func__, ssh_err(r));
+ 
+		if (!authctxt->valid || authctxt->user == NULL) {
+			debug2("%s: disabled because of invalid user",
+			    __func__);
+			goto done;
+		}
+ 		/* XXX fake reply and always send PK_OK ? */
+ 		/*
+ 		 * XXX this allows testing whether a user is allowed
+@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
+ 	free(pkalg);
+ 	free(pkblob);
+ 	free(fp);
+	free(sig);
+ 	return authenticated;
+ }
+ 
+
--- a/openssh.spec
+++ b/openssh.spec
@ -233,6 +233,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
 Patch950: openssh-7.5p1-sandbox.patch
 # PermitOpen bug in OpenSSH 7.6:
 Patch951: openssh-7.6p1-permitopen-bug.patch
+# CVE-2018-15473: User "enumeration" via malformed packets in authentication requests
+Patch952: openssh-7.6p1-CVE-2018-15473.patch


 License: BSD
@ -456,6 +458,7 @@ popd
 %patch949 -p1 -b .refactor
 %patch950 -p1 -b .sandbox
 %patch951 -p1 -b .permitOpen
+%patch952 -p3 -b .enumeration

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race