Browse Source
gnu: OpenSSH: Update to 7.8p1.
gnu: OpenSSH: Update to 7.8p1.
* gnu/packages/ssh.scm (openssh): Update to 7.8p1. [source]: Remove 'openssh-CVE-2018-15473.patch'. * gnu/packages/patches/openssh-CVE-2018-15473.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.wip-ipfs
Leo Famulari
4 years ago
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 2 additions and 169 deletions
@ -1,165 +0,0 @@ |
|||
Fix CVE-2018-15473, a method by which remote clients can enumerate |
|||
usernames on the server: |
|||
|
|||
http://seclists.org/oss-sec/2018/q3/124 |
|||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473 |
|||
|
|||
Patch adapted from upstream source repository: |
|||
|
|||
https://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 |
|||
|
|||
From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001 |
|||
From: "djm@openbsd.org" <djm@openbsd.org> |
|||
Date: Tue, 31 Jul 2018 03:10:27 +0000 |
|||
Subject: [PATCH] upstream: delay bailout for invalid authentic |
|||
|
|||
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
|
|||
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
|
|||
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
|||
MIME-Version: 1.0 |
|||
Content-Type: text/plain; charset=UTF-8 |
|||
Content-Transfer-Encoding: 8bit |
|||
|
|||
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d |
|||
---
|
|||
auth2-gss.c | 11 +++++++---- |
|||
auth2-hostbased.c | 11 ++++++----- |
|||
auth2-pubkey.c | 25 +++++++++++++++---------- |
|||
3 files changed, 28 insertions(+), 19 deletions(-) |
|||
|
|||
# Adapted from upstream to apply to OpenSSH 7.7p1. |
|||
diff --git a/auth2-gss.c b/auth2-gss.c
|
|||
index 589283b7..1d7cfb39 100644
|
|||
--- a/auth2-gss.c
|
|||
+++ b/auth2-gss.c
|
|||
@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh)
|
|||
u_int len; |
|||
u_char *doid = NULL; |
|||
|
|||
- if (!authctxt->valid || authctxt->user == NULL)
|
|||
- return (0);
|
|||
-
|
|||
mechs = packet_get_int(); |
|||
if (mechs == 0) { |
|||
debug("Mechanism negotiation is not supported"); |
|||
diff --git a/auth2-gss.c b/auth2-gss.c
|
|||
index 47308c5c..9351e042 100644
|
|||
--- a/auth2-gss.c
|
|||
+++ b/auth2-gss.c
|
|||
@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
|
|||
return (0); |
|||
} |
|||
|
|||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|||
+ debug2("%s: disabled because of invalid user", __func__);
|
|||
+ free(doid);
|
|||
+ return (0);
|
|||
+ }
|
|||
+
|
|||
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { |
|||
if (ctxt != NULL) |
|||
ssh_gssapi_delete_ctx(&ctxt); |
|||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
|||
index 60159a56..35939329 100644
|
|||
--- a/auth2-hostbased.c
|
|||
+++ b/auth2-hostbased.c
|
|||
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
|
|||
size_t alen, blen, slen; |
|||
int r, pktype, authenticated = 0; |
|||
|
|||
- if (!authctxt->valid) {
|
|||
- debug2("%s: disabled because of invalid user", __func__);
|
|||
- return 0;
|
|||
- }
|
|||
/* XXX use sshkey_froms() */ |
|||
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || |
|||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || |
|||
@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
|
|||
goto done; |
|||
} |
|||
|
|||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|||
+ debug2("%s: disabled because of invalid user", __func__);
|
|||
+ goto done;
|
|||
+ }
|
|||
+
|
|||
if ((b = sshbuf_new()) == NULL) |
|||
fatal("%s: sshbuf_new failed", __func__); |
|||
/* reconstruct packet */ |
|||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
|||
index c4d0f790..e1c15040 100644
|
|||
--- a/auth2-pubkey.c
|
|||
+++ b/auth2-pubkey.c
|
|||
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
|
|||
{ |
|||
Authctxt *authctxt = ssh->authctxt; |
|||
struct passwd *pw = authctxt->pw; |
|||
- struct sshbuf *b;
|
|||
+ struct sshbuf *b = NULL;
|
|||
struct sshkey *key = NULL; |
|||
- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
|
|||
- u_char *pkblob, *sig, have_sig;
|
|||
+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
|
|||
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
|
|||
size_t blen, slen; |
|||
int r, pktype; |
|||
int authenticated = 0; |
|||
struct sshauthopt *authopts = NULL; |
|||
|
|||
- if (!authctxt->valid) {
|
|||
- debug2("%s: disabled because of invalid user", __func__);
|
|||
- return 0;
|
|||
- }
|
|||
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || |
|||
(r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || |
|||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) |
|||
@@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh)
|
|||
fatal("%s: sshbuf_put_string session id: %s", |
|||
__func__, ssh_err(r)); |
|||
} |
|||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|||
+ debug2("%s: disabled because of invalid user",
|
|||
+ __func__);
|
|||
+ goto done;
|
|||
+ }
|
|||
/* reconstruct packet */ |
|||
xasprintf(&userstyle, "%s%s%s", authctxt->user, |
|||
authctxt->style ? ":" : "", |
|||
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
|
|||
#ifdef DEBUG_PK |
|||
sshbuf_dump(b, stderr); |
|||
#endif |
|||
-
|
|||
/* test for correct signature */ |
|||
authenticated = 0; |
|||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && |
|||
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
|
|||
authenticated = 1; |
|||
} |
|||
sshbuf_free(b); |
|||
- free(sig);
|
|||
auth2_record_key(authctxt, authenticated, key); |
|||
} else { |
|||
debug("%s: test pkalg %s pkblob %s%s%s", |
|||
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
|
|||
if ((r = sshpkt_get_end(ssh)) != 0) |
|||
fatal("%s: %s", __func__, ssh_err(r)); |
|||
|
|||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|||
+ debug2("%s: disabled because of invalid user",
|
|||
+ __func__);
|
|||
+ goto done;
|
|||
+ }
|
|||
/* XXX fake reply and always send PK_OK ? */ |
|||
/* |
|||
* XXX this allows testing whether a user is allowed |
|||
@@ -238,6 +242,7 @@ done:
|
|||
free(pkblob); |
|||
free(key_s); |
|||
free(ca_s); |
|||
+ free(sig);
|
|||
return authenticated; |
|||
} |
|||
|
|||
--
|
|||
2.18.0 |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue