Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
openssh.10219
openssh-6.6p1-CVE-2018-15473.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssh-6.6p1-CVE-2018-15473.patch of Package openssh.10219
From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001 From: djm <djm@openbsd.org> Date: Tue, 31 Jul 2018 03:10:27 +0000 Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?= =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?= =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?= =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- usr.bin/ssh/auth2-gss.c | 11 +++++++---- usr.bin/ssh/auth2-hostbased.c | 11 ++++++----- usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++---------- 3 files changed, 28 insertions(+), 19 deletions(-) Index: openssh-6.6p1/auth2-gss.c =================================================================== --- openssh-6.6p1.orig/auth2-gss.c +++ openssh-6.6p1/auth2-gss.c @@ -101,9 +101,6 @@ userauth_gssapi(Authctxt *authctxt) u_int len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) - return (0); - mechs = packet_get_int(); if (mechs == 0) { debug("Mechanism negotiation is not supported"); @@ -134,6 +131,12 @@ userauth_gssapi(Authctxt *authctxt) return (0); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("userauth_hostbased: disabled because of invalid user"); + free(doid); + return (0); + } + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); Index: openssh-6.6p1/auth2-hostbased.c =================================================================== --- openssh-6.6p1.orig/auth2-hostbased.c +++ openssh-6.6p1/auth2-hostbased.c @@ -64,10 +64,6 @@ userauth_hostbased(Authctxt *authctxt) int pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("userauth_hostbased: disabled because of invalid user"); - return 0; - } pkalg = packet_get_string(&alen); pkblob = packet_get_string(&blen); chost = packet_get_string(NULL); @@ -106,6 +102,11 @@ userauth_hostbased(Authctxt *authctxt) "signature format"); goto done; } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("userauth_hostbased: disabled because of invalid user"); + goto done; + } + service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); @@ -181,7 +182,6 @@ hostbased_key_allowed(struct passwd *pw, debug2("stripping trailing dot from chost %s", chost); chost[len - 1] = '\0'; } - if (options.hostbased_uses_name_from_packet_only) { if (auth_rhosts2(pw, cuser, chost, chost) == 0) return 0; Index: openssh-6.6p1/auth2-pubkey.c =================================================================== --- openssh-6.6p1.orig/auth2-pubkey.c +++ openssh-6.6p1/auth2-pubkey.c @@ -75,16 +75,12 @@ userauth_pubkey(Authctxt *authctxt) { Buffer b; Key *key = NULL; - char *pkalg, *userstyle; - u_char *pkblob, *sig; + char *pkalg = NULL, *userstyle = NULL; + u_char *pkblob = NULL, *sig = NULL; u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("userauth_pubkey: disabled because of invalid user"); - return 0; - } have_sig = packet_get_char(); if (datafellows & SSH_BUG_PKAUTH) { debug2("userauth_pubkey: SSH_BUG_PKAUTH"); @@ -131,6 +127,10 @@ userauth_pubkey(Authctxt *authctxt) } else { buffer_put_string(&b, session_id2, session_id2_len); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("userauth_hostbased: disabled because of invalid user"); + goto done; + } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); xasprintf(&userstyle, "%s%s%s", authctxt->user, @@ -154,7 +155,6 @@ userauth_pubkey(Authctxt *authctxt) buffer_dump(&b); #endif pubkey_auth_info(authctxt, key, NULL); - /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && @@ -162,11 +162,14 @@ userauth_pubkey(Authctxt *authctxt) buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); - free(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); + if (!authctxt->valid || authctxt->user == NULL) { + debug2("userauth_hostbased: disabled because of invalid user"); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -192,6 +196,7 @@ done: key_free(key); free(pkalg); free(pkblob); + free(sig); return authenticated; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor