From 810d56f49d58b1372ee691e88e20a622a5d49b11 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 06 2019 10:03:19 +0000
Subject: import openssh-7.4p1-21.el7
---
diff --git a/SOURCES/openssh-7.4p1-CVE-2018-15473.patch b/SOURCES/openssh-7.4p1-CVE-2018-15473.patch
new file mode 100644
index 0000000..fb8934c
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-CVE-2018-15473.patch
@@ -0,0 +1,145 @@
+From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] upstream: delay bailout for invalid authentic
+
+=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
+=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
+=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
+---
+ auth2-gss.c | 11 +++++++----
+ auth2-hostbased.c | 11 ++++++-----
+ auth2-pubkey.c | 25 +++++++++++++++----------
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 47308c5ce..9351e0428 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
+ u_int len;
+ u_char *doid = NULL;
+
+- if (!authctxt->valid || authctxt->user == NULL)
+- return (0);
+-
+ mechs = packet_get_int();
+ if (mechs == 0) {
+ debug("Mechanism negotiation is not supported");
+@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
+ return (0);
+ }
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ free(doid);
++ return (0);
++ }
++
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ if (ctxt != NULL)
+ ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 60159a56c..359393291 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
+ int pktype;
+ int authenticated = 0;
+
+- if (!authctxt->valid) {
+- debug2("userauth_hostbased: disabled because of invalid user");
+- return 0;
+- }
+ pkalg = packet_get_string(&alen);
+ pkblob = packet_get_string(&blen);
+ chost = packet_get_string(NULL);
+@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
+ goto done;
+ }
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ goto done;
++ }
++
+ service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ authctxt->service;
+ buffer_init(&b);
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index c4d0f7908..e1c150401 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)
+ {
+ Buffer b;
+ Key *key = NULL;
+- char *pkalg, *userstyle, *pubkey, *fp = NULL;
+- u_char *pkblob, *sig;
++ char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL;
++ u_char *pkblob = NULL, *sig = NULL;
+ u_int alen, blen, slen;
+ int have_sig, pktype;
+ int authenticated = 0;
+
+- if (!authctxt->valid) {
+- debug2("%s: disabled because of invalid user", __func__);
+- return 0;
+- }
+ have_sig = packet_get_char();
+ if (datafellows & SSH_BUG_PKAUTH) {
+ debug2("%s: SSH_BUG_PKAUTH", __func__);
+@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
+ }
++ if (!authctxt->valid || authctxt->user == NULL) {
++ buffer_free(&b);
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ goto done;
++ }
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
+ #endif
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s", pubkey);
+-
+ /* test for correct signature */
+ authenticated = 0;
+ if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
+@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
+ free(pubkey);
+ }
+ buffer_free(&b);
+- free(sig);
+ } else {
+ debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+ __func__, sshkey_type(key), fp);
+@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
+ __func__, sshkey_type(key), fp);
+ packet_check_eom();
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ goto done;
++ }
+ /* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)
+ free(pkalg);
+ free(pkblob);
+ free(fp);
++ free(sig);
+ return authenticated;
+ }
+
diff --git a/SOURCES/openssh-7.4p1-fips.patch b/SOURCES/openssh-7.4p1-fips.patch
index d325029..81aa300 100644
--- a/SOURCES/openssh-7.4p1-fips.patch
+++ b/SOURCES/openssh-7.4p1-fips.patch
@@ -10,7 +10,7 @@ diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
 #include
 #include
 #include
-@@ -116,6 +118,20 @@ static const struct sshcipher ciphers[]
+@@ -116,6 +118,24 @@ static const struct sshcipher ciphers[]
 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
@@ -25,6 +25,10 @@ diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
 + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
 + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
 + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
++ { "aes128-gcm@openssh.com",
++ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
++ { "aes256-gcm@openssh.com",
++ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 +};
 +
@@ -338,12 +342,13 @@ diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
 /* the actual algorithms */
 #define KEX_CLIENT_ENCRYPT \
-@@ -144,6 +152,37 @@
+@@ -144,6 +152,38 @@
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 +#define KEX_FIPS_ENCRYPT \
-+ "aes128-ctr,aes192-ctr,aes256-ctr," \
++ "aes128-ctr,aes192-ctr,aes256-ctr" \
++ AESGCM_CIPHER_MODES "," \
 + "aes128-cbc,3des-cbc," \
 + "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
 +#ifdef HAVE_EVP_SHA256
diff --git a/SOURCES/openssh-7.4p1-uidswap.patch b/SOURCES/openssh-7.4p1-uidswap.patch
new file mode 100644
index 0000000..2ca18b5
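Review bot: The relocated invalid-user checks in auth2-gss.c, auth2-hostbased.c and auth2-pubkey.c carry no comment saying why they now sit after the request has been consumed, which is the entire point of the fix and is easy to undo in a later rebase. I would put `/* Check only after the request is fully parsed: bailing out earlier lets a malformed packet reveal whether the user exists (CVE-2018-15473). */` above each new `if (!authctxt->valid || authctxt->user == NULL)`. The `done:` labels the hostbased and pubkey paths jump to are outside the hunk, so I could not confirm they release everything allocated before the check; the pubkey hunk's NULL initialisation of pkalg/pkblob/sig and the `free(sig)` moved under `done:` suggest that was considered. In auth2-gss.c the bail-out frees doid inline because that function returns directly rather than jumping to a cleanup label.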
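Review bot: The `"aes128-ctr,aes192-ctr,aes256-ctr" \` / `AESGCM_CIPHER_MODES "," \` splice in the myproposal.h hunk only avoids the double comma if AESGCM_CIPHER_MODES supplies its own leading comma or expands to nothing, and that convention is not visible where it is used. I would add `/* AESGCM_CIPHER_MODES carries its own leading comma, or is empty */` above the line so the next edit to the list does not reintroduce the problem. The aes128-gcm@openssh.com and aes256-gcm@openssh.com table entries in the @@ -25 hunk are added with no build-time guard, while upstream defines AESGCM_CIPHER_MODES conditionally on GCM support; if this build keeps that conditional, the table and the proposal string should be guarded the same way, but the surrounding context is outside the hunk so I cannot tell.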
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-uidswap.patch
@@ -0,0 +1,50 @@
+From 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 15 Jun 2018 07:01:11 +0000
+Subject: [PATCH] upstream: invalidate supplemental group cache used by
+
+temporarily_use_uid() when the target uid differs; could cause failure to
+read authorized_keys under some configurations. patch by Jakub Jelen via
+bz2873; ok dtucker, markus
+
+OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
+---
+ uidswap.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/uidswap.c b/uidswap.c
+index 8bf6b244e..1430b822a 100644
+--- a/uidswap.c
++++ b/uidswap.c
+@@ -49,6 +49,7 @@ static gid_t saved_egid = 0;
+ /* Saved effective uid. */
+ static int privileged = 0;
+ static int temporarily_use_uid_effective = 0;
++static uid_t user_groups_uid;
+ static gid_t *saved_egroups = NULL, *user_groups = NULL;
+ static int saved_egroupslen = -1, user_groupslen = -1;
+
+@@ -92,10 +93,11 @@ temporarily_use_uid(struct passwd *pw)
+ fatal("getgroups: %.100s", strerror(errno));
+ } else { /* saved_egroupslen == 0 */
+ free(saved_egroups);
++ saved_egroups = NULL;
+ }
+
+ /* set and save the user's groups */
+- if (user_groupslen == -1) {
++ if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ fatal("initgroups: %s: %.100s", pw->pw_name,
+ strerror(errno));
+@@ -110,7 +112,9 @@ temporarily_use_uid(struct passwd *pw)
+ fatal("getgroups: %.100s", strerror(errno));
+ } else { /* user_groupslen == 0 */
+ free(user_groups);
++ user_groups = NULL;
+ }
++ user_groups_uid = pw->pw_uid;
+ }
+ /* Set the effective uid to the given (unprivileged) uid. */
+ if (setgroups(user_groupslen, user_groups) < 0)
+
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 5c030bc..e1f50a5 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
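Review bot: The new `static uid_t user_groups_uid;` in uidswap.c has no comment explaining that it is the key of the cache the second hunk now compares against, nor that its zero initial value is only safe because `user_groupslen == -1` is tested first in the same condition. I would declare it as `static uid_t user_groups_uid; /* uid whose groups are cached in user_groups; meaningful only when user_groupslen != -1 */`. Resetting saved_egroups and user_groups to NULL after free() is a good addition, since both pointers stay live as file statics between calls. The cache is still keyed on pw_uid alone, so a change in group membership for the same uid during the process lifetime is not picked up; that is pre-existing behaviour rather than something this patch introduces.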
@@ -64,7 +64,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 7.4p1
-%define openssh_rel 16
+%define openssh_rel 21
 %define pam_ssh_agent_ver 0.10.3
 %define pam_ssh_agent_rel 2
@@ -250,6 +250,10 @@ Patch958: openssh-7.4p1-winscp-compat.patch
 Patch959: openssh-7.4p1-authorized_keys_command.patch
 # Fix for CVE-2017-15906 (#1517226)
 Patch960: openssh-7.5p1-sftp-empty-files.patch
+# Fix for CVE-2018-15473 (#1619079)
+Patch961: openssh-7.4p1-CVE-2018-15473.patch
+# invalidate supplemental group cache used by temporarily_use_uid() (#1619079)
+Patch962: openssh-7.4p1-uidswap.patch
 License: BSD
 Group: Applications/Internet
@@ -504,6 +508,8 @@ popd
 %patch958 -p1 -b .winscp
 %patch959 -p1 -b .large-command
 %patch960 -p1 -b .sftp-empty
+%patch961 -p1 -b .CVE-2018-15473
+%patch962 -p1 -b .uidswap
 %patch200 -p1 -b .audit
 %patch202 -p1 -b .audit-race
@@ -829,6 +835,23 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
+* Tue Jun 25 2019 Jakub Jelen - 7.4p1-21 + 0.10.3-2
+- Avoid double comma in the default cipher list in FIPS mode (#1722446)
+
+* Tue May 21 2019 Jakub Jelen - 7.4p1-20 + 0.10.3-2
+- Revert the updating of cached passwd structure (#1712053)
+
+* Mon Mar 04 2019 Jakub Jelen - 7.4p1-19 + 0.10.3-2
+- Update cached passwd structure after PAM authentication (#1674541)
+
+* Wed Feb 13 2019 Jakub Jelen - 7.4p1-18 + 0.10.3-2
+- invalidate supplemental group cache used by temporarily_use_uid()
+ when the target uid differs (#1583735)
+
+* Mon Jan 14 2019 Jakub Jelen - 7.4p1-17 + 0.10.3-2
+- Fix for CVE-2018-15473 (#1619079)
+- Enable GCM mode for AES ciphers in FIPS mode (#1600869)
+
 * Fri Nov 24 2017 Jakub Jelen - 7.4p1-16 + 0.10.3-2
 - Fix for CVE-2017-15906 (#1517226)
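Review bot: The comment above Patch962 in the @@ -250 hunk cites bug #1619079, which is the CVE-2018-15473 reference already used for Patch961, while the changelog entry for the same uidswap change (7.4p1-18) cites #1583735; one of the two references is wrong. Assuming the changelog is the accurate one, the line should read `# invalidate supplemental group cache used by temporarily_use_uid() (#1583735)`. The 7.4p1-19 and 7.4p1-20 entries describe a cached-passwd change that was added and then reverted, and no corresponding patch appears in this import; that is consistent with a net no-op, but a short "no patch remains" remark in the 7.4p1-20 entry would save the next reader the same check.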