[OE-core] [OE-Core] [Fido] [PATCH] openssh: Backport CVE-2015-5600 fix

Joshua Lock joshua.lock at collabora.co.uk
Thu Nov 5 22:00:54 UTC 2015 

On 30/10/15 20:12, Haris Okanovic wrote:
> only query each keyboard-interactive device once per
> authentication request regardless of how many times it is listed
>
> Source:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
>
> Bug report:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
> https://bugzilla.redhat.com/show_bug.cgi?id=1245969
>
> Testing:
> Built in Fido and installed to x86_64 test system.
> Verified both 'keyboard-interactive' and 'publickey' logon works with
> root and a regular user from an openssh 7.1p1-1 client on Arch.

Thanks, I've pushed this change to my joshuagl/fido-next branch of 
openembedded-core-contrib and am testing it now.

Regards,

Joshua

1. 
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next

>
> Signed-off-by: Haris Okanovic <haris.okanovic at ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton at ni.com>
> Reviewed-by: Ken Sharp <ken.sharp at ni.com>
> Natinst-ReviewBoard-ID: 115602
> Natinst-CAR-ID: 541263
>
> ---
>
> This patch only applies to Fido and earlier releases. Bug is already
> fixed in Jethro which builds OpenSSH 7.1.
> ---
>   .../openssh/openssh/CVE-2015-5600.patch            | 50 ++++++++++++++++++++++
>   meta/recipes-connectivity/openssh/openssh_6.7p1.bb |  1 +
>   2 files changed, 51 insertions(+)
>   create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> new file mode 100644
> index 0000000..fa1c85e
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
> @@ -0,0 +1,50 @@
> +From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
> +From: "djm at openbsd.org" <djm at openbsd.org>
> +Date: Sat, 18 Jul 2015 07:57:14 +0000
> +Subject: [PATCH] CVE-2015-5600
> +
> +only query each keyboard-interactive device once per
> + authentication request regardless of how many times it is listed; ok markus@
> +
> +Source:
> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
> +http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
> +
> +Upstream-Status: Backport
> +---
> + auth2-chall.c | 9 +++++++--
> + 1 file changed, 7 insertions(+), 2 deletions(-)
> +
> +diff --git a/auth2-chall.c b/auth2-chall.c
> +index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644
> +--- a/auth2-chall.c
> ++++ b/auth2-chall.c
> +@@ -83,6 +83,7 @@ struct KbdintAuthctxt
> + 	void *ctxt;
> + 	KbdintDevice *device;
> + 	u_int nreq;
> ++	u_int devices_done;
> + };
> +
> + #ifdef USE_PAM
> +@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
> + 		if (len == 0)
> + 			break;
> + 		for (i = 0; devices[i]; i++) {
> +-			if (!auth2_method_allowed(authctxt,
> ++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
> ++			    !auth2_method_allowed(authctxt,
> + 			    "keyboard-interactive", devices[i]->name))
> + 				continue;
> +-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
> ++			if (strncmp(kbdintctxt->devices, devices[i]->name,
> ++			    len) == 0) {
> + 				kbdintctxt->device = devices[i];
> ++				kbdintctxt->devices_done |= 1 << i;
> ++			}
> + 		}
> + 		t = kbdintctxt->devices;
> + 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
> +--
> +2.6.2
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> index aa71cc1..9246284 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> @@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>              file://CVE-2015-6563.patch  \
>              file://CVE-2015-6564.patch \
>              file://CVE-2015-6565.patch \
> +           file://CVE-2015-5600.patch \
>              "
>
>   PAM_SRC_URI = "file://sshd"
>

More information about the Openembedded-core mailing list