rpms / openssh

Clone
Source Code
GIT

Blame SOURCES/openssh-7.4p1-CVE-2018-15473.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   810d56f49d58b1372ee691e88e20a622a5d49b11
  2.   SOURCES
  3.   openssh-7.4p1-CVE-2018-15473.patch
Blob History Raw
810d56 
From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
810d56 
From: "djm@openbsd.org" <djm@openbsd.org>
810d56 
Date: Tue, 31 Jul 2018 03:10:27 +0000
810d56 
Subject: [PATCH] upstream: delay bailout for invalid authentic
810d56
810d56 
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
810d56 
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
810d56 
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
810d56 
MIME-Version: 1.0
810d56 
Content-Type: text/plain; charset=UTF-8
810d56 
Content-Transfer-Encoding: 8bit
810d56
810d56 
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
810d56 
---
810d56 
 auth2-gss.c       | 11 +++++++----
810d56 
 auth2-hostbased.c | 11 ++++++-----
810d56 
 auth2-pubkey.c    | 25 +++++++++++++++----------
810d56 
 3 files changed, 28 insertions(+), 19 deletions(-)
810d56
810d56 
diff --git a/auth2-gss.c b/auth2-gss.c
810d56 
index 47308c5ce..9351e0428 100644
810d56 
--- a/auth2-gss.c
810d56 
+++ b/auth2-gss.c
810d56 
@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
810d56 
 	u_int len;
810d56 
 	u_char *doid = NULL;
810d56
810d56 
-	if (!authctxt->valid || authctxt->user == NULL)
810d56 
-		return (0);
810d56 
-
810d56 
 	mechs = packet_get_int();
810d56 
 	if (mechs == 0) {
810d56 
 		debug("Mechanism negotiation is not supported");
810d56 
@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
810d56 
 		return (0);
810d56 
 	}
810d56
810d56 
+	if (!authctxt->valid || authctxt->user == NULL) {
810d56 
+		debug2("%s: disabled because of invalid user", __func__);
810d56 
+		free(doid);
810d56 
+		return (0);
810d56 
+	}
810d56 
+
810d56 
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
810d56 
 		if (ctxt != NULL)
810d56 
 			ssh_gssapi_delete_ctx(&ctxt);
810d56 
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
810d56 
index 60159a56c..359393291 100644
810d56 
--- a/auth2-hostbased.c
810d56 
+++ b/auth2-hostbased.c
810d56 
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
810d56 
 	int pktype;
810d56 
 	int authenticated = 0;
810d56
810d56 
-	if (!authctxt->valid) {
810d56 
-		debug2("userauth_hostbased: disabled because of invalid user");
810d56 
-		return 0;
810d56 
-	}
810d56 
 	pkalg = packet_get_string(&alen;;
810d56 
 	pkblob = packet_get_string(&blen);
810d56 
 	chost = packet_get_string(NULL);
810d56 
@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
810d56 
 		goto done;
810d56 
 	}
810d56
810d56 
+	if (!authctxt->valid || authctxt->user == NULL) {
810d56 
+		debug2("%s: disabled because of invalid user", __func__);
810d56 
+		goto done;
810d56 
+	}
810d56 
+
810d56 
 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
810d56 
 	    authctxt->service;
810d56 
 	buffer_init(&b);
810d56 
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
810d56 
index c4d0f7908..e1c150401 100644
810d56 
--- a/auth2-pubkey.c
810d56 
+++ b/auth2-pubkey.c
810d56 
@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)
810d56 
 {
810d56 
 	Buffer b;
810d56 
 	Key *key = NULL;
810d56 
-	char *pkalg, *userstyle, *pubkey, *fp = NULL;
810d56 
-	u_char *pkblob, *sig;
810d56 
+	char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL;
810d56 
+	u_char *pkblob = NULL, *sig = NULL;
810d56 
 	u_int alen, blen, slen;
810d56 
 	int have_sig, pktype;
810d56 
 	int authenticated = 0;
810d56
810d56 
-	if (!authctxt->valid) {
810d56 
-		debug2("%s: disabled because of invalid user", __func__);
810d56 
-		return 0;
810d56 
-	}
810d56 
 	have_sig = packet_get_char();
810d56 
 	if (datafellows & SSH_BUG_PKAUTH) {
810d56 
 		debug2("%s: SSH_BUG_PKAUTH", __func__);
810d56 
@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)
810d56 
 		} else {
810d56 
 			buffer_put_string(&b, session_id2, session_id2_len);
810d56 
 		}
810d56 
+		if (!authctxt->valid || authctxt->user == NULL) {
810d56 
+			buffer_free(&b);
810d56 
+			debug2("%s: disabled because of invalid user",
810d56 
+			    __func__);
810d56 
+			goto done;
810d56 
+		}
810d56 
 		/* reconstruct packet */
810d56 
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
810d56 
 		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
810d56 
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
810d56 
 #endif
810d56 
 		pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
810d56 
 		auth_info(authctxt, "%s", pubkey);
810d56 
-
810d56 
 		/* test for correct signature */
810d56 
 		authenticated = 0;
810d56 
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
810d56 
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
810d56 
 			free(pubkey);
810d56 
 		}
810d56 
 		buffer_free(&b);
810d56 
-		free(sig);
810d56 
 	} else {
810d56 
 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
810d56 
 		    __func__, sshkey_type(key), fp);
810d56 
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
810d56 
 		    __func__, sshkey_type(key), fp);
810d56 
 		packet_check_eom();
810d56
810d56 
+		if (!authctxt->valid || authctxt->user == NULL) {
810d56 
+			debug2("%s: disabled because of invalid user",
810d56 
+			    __func__);
810d56 
+			goto done;
810d56 
+		}
810d56 
 		/* XXX fake reply and always send PK_OK ? */
810d56 
 		/*
810d56 
 		 * XXX this allows testing whether a user is allowed
810d56 
@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)
810d56 
 	free(pkalg);
810d56 
 	free(pkblob);
810d56 
 	free(fp);
810d56 
+	free(sig);
810d56 
 	return authenticated;
810d56 
 }
810d56

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation