Tree - rpms/openssh - CentOS Git server

rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago

Source
Stats

Blame SOURCES/openssh-7.4p1-CVE-2018-15473.patch

Blob History Raw

		810d56	`From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001`
		810d56	`From: "djm@openbsd.org" <djm@openbsd.org>`
		810d56	`Date: Tue, 31 Jul 2018 03:10:27 +0000`
		810d56	`Subject: [PATCH] upstream: delay bailout for invalid authentic`
		810d56
		810d56	`=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=`
		810d56	`=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=`
		810d56	`=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=`
		810d56	`MIME-Version: 1.0`
		810d56	`Content-Type: text/plain; charset=UTF-8`
		810d56	`Content-Transfer-Encoding: 8bit`
		810d56
		810d56	`OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d`
		810d56	`---`
		810d56	`auth2-gss.c \| 11 +++++++----`
		810d56	`auth2-hostbased.c \| 11 ++++++-----`
		810d56	`auth2-pubkey.c \| 25 +++++++++++++++----------`
		810d56	`3 files changed, 28 insertions(+), 19 deletions(-)`
		810d56
		810d56	`diff --git a/auth2-gss.c b/auth2-gss.c`
		810d56	`index 47308c5ce..9351e0428 100644`
		810d56	`--- a/auth2-gss.c`
		810d56	`+++ b/auth2-gss.c`
		810d56	`@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)`
		810d56	`u_int len;`
		810d56	`u_char *doid = NULL;`
		810d56
		810d56	`- if (!authctxt->valid \|\| authctxt->user == NULL)`
		810d56	`- return (0);`
		810d56	`-`
		810d56	`mechs = packet_get_int();`
		810d56	`if (mechs == 0) {`
		810d56	`debug("Mechanism negotiation is not supported");`
		810d56	`@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)`
		810d56	`return (0);`
		810d56	`}`
		810d56
		810d56	`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
		810d56	`+ debug2("%s: disabled because of invalid user", __func__);`
		810d56	`+ free(doid);`
		810d56	`+ return (0);`
		810d56	`+ }`
		810d56	`+`
		810d56	`if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {`
		810d56	`if (ctxt != NULL)`
		810d56	`ssh_gssapi_delete_ctx(&ctxt);`
		810d56	`diff --git a/auth2-hostbased.c b/auth2-hostbased.c`
		810d56	`index 60159a56c..359393291 100644`
		810d56	`--- a/auth2-hostbased.c`
		810d56	`+++ b/auth2-hostbased.c`
		810d56	`@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)`
		810d56	`int pktype;`
		810d56	`int authenticated = 0;`
		810d56
		810d56	`- if (!authctxt->valid) {`
		810d56	`- debug2("userauth_hostbased: disabled because of invalid user");`
		810d56	`- return 0;`
		810d56	`- }`
		810d56	`pkalg = packet_get_string(&alen;;`
		810d56	`pkblob = packet_get_string(&blen);`
		810d56	`chost = packet_get_string(NULL);`
		810d56	`@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)`
		810d56	`goto done;`
		810d56	`}`
		810d56
		810d56	`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
		810d56	`+ debug2("%s: disabled because of invalid user", __func__);`
		810d56	`+ goto done;`
		810d56	`+ }`
		810d56	`+`
		810d56	`service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :`
		810d56	`authctxt->service;`
		810d56	`buffer_init(&b);`
		810d56	`diff --git a/auth2-pubkey.c b/auth2-pubkey.c`
		810d56	`index c4d0f7908..e1c150401 100644`
		810d56	`--- a/auth2-pubkey.c`
		810d56	`+++ b/auth2-pubkey.c`
		810d56	`@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)`
		810d56	`{`
		810d56	`Buffer b;`
		810d56	`Key *key = NULL;`
		810d56	`- char pkalg, userstyle, pubkey, fp = NULL;`
		810d56	`- u_char pkblob, sig;`
		810d56	`+ char pkalg = NULL, userstyle = NULL, pubkey = NULL, fp = NULL;`
		810d56	`+ u_char pkblob = NULL, sig = NULL;`
		810d56	`u_int alen, blen, slen;`
		810d56	`int have_sig, pktype;`
		810d56	`int authenticated = 0;`
		810d56
		810d56	`- if (!authctxt->valid) {`
		810d56	`- debug2("%s: disabled because of invalid user", __func__);`
		810d56	`- return 0;`
		810d56	`- }`
		810d56	`have_sig = packet_get_char();`
		810d56	`if (datafellows & SSH_BUG_PKAUTH) {`
		810d56	`debug2("%s: SSH_BUG_PKAUTH", __func__);`
		810d56	`@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)`
		810d56	`} else {`
		810d56	`buffer_put_string(&b, session_id2, session_id2_len);`
		810d56	`}`
		810d56	`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
		810d56	`+ buffer_free(&b);`
		810d56	`+ debug2("%s: disabled because of invalid user",`
		810d56	`+ __func__);`
		810d56	`+ goto done;`
		810d56	`+ }`
		810d56	`/* reconstruct packet */`
		810d56	`buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);`
		810d56	`xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,`
		810d56	`@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)`
		810d56	`#endif`
		810d56	`pubkey = sshkey_format_oneline(key, options.fingerprint_hash);`
		810d56	`auth_info(authctxt, "%s", pubkey);`
		810d56	`-`
		810d56	`/* test for correct signature */`
		810d56	`authenticated = 0;`
		810d56	`if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&`
		810d56	`@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)`
		810d56	`free(pubkey);`
		810d56	`}`
		810d56	`buffer_free(&b);`
		810d56	`- free(sig);`
		810d56	`} else {`
		810d56	`debug("%s: test whether pkalg/pkblob are acceptable for %s %s",`
		810d56	`__func__, sshkey_type(key), fp);`
		810d56	`@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)`
		810d56	`__func__, sshkey_type(key), fp);`
		810d56	`packet_check_eom();`
		810d56
		810d56	`+ if (!authctxt->valid \|\| authctxt->user == NULL) {`
		810d56	`+ debug2("%s: disabled because of invalid user",`
		810d56	`+ __func__);`
		810d56	`+ goto done;`
		810d56	`+ }`
		810d56	`/* XXX fake reply and always send PK_OK ? */`
		810d56	`/*`
		810d56	`* XXX this allows testing whether a user is allowed`
		810d56	`@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)`
		810d56	`free(pkalg);`
		810d56	`free(pkblob);`
		810d56	`free(fp);`
		810d56	`+ free(sig);`
		810d56	`return authenticated;`
		810d56	`}`
		810d56

rcolebaugh / rpms / openssh

Source Code

Blame SOURCES/openssh-7.4p1-CVE-2018-15473.patch