Commit 23d60a55 authored by Natanael Copa's avatar Natanael Copa
Browse files

main/openssh: security fix for CVE-2014-2653

fixes #2860

this also makes sure that CVE-2014-2532 is actually applied
parent 7c6f59eb
......@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.4_p1
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=1
pkgrel=2
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
......@@ -19,6 +19,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
sshd.initd
sshd.confd
CVE-2014-2532.patch
CVE-2014-2653.patch
"
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
......@@ -31,7 +32,7 @@ prepare() {
msg "Applying $i"
gunzip -c "$srcdir"/"${i##*/}" | patch -p1 -N || return 1
;;
*.diff)
*.diff|*.patch)
msg "Applying $i"
patch -p1 -N -i "$srcdir"/${i##*/} || return 1
;;
......@@ -110,7 +111,8 @@ c65d454dc5b149647273485fc184636d openssh-hmac-accel.diff
f7d9d6f96940ef66bd3c3a0aa27e57a7 openssh-fix-utmp.diff
cb0dd08c413fad346f0c594107b4a2e0 sshd.initd
b35e9f3829f4cfca07168fcba98749c7 sshd.confd
e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch"
e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch
02a7de5652d9769576e3b252d768cd0f CVE-2014-2653.patch"
sha256sums="5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2 openssh-6.4p1.tar.gz
4f78f16807c6b6a3a3773c000b85df0c56ea8a93dc35eaa6bbdffe6e30328e58 openssh6.2-dynwindows.diff
6e803be3b3569eedfe69d9e9aeabef2e3fec2ed28f75bc456dfd69c2ef2c8198 openssh-peaktput.diff
......@@ -119,7 +121,8 @@ c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59 openssh-fix-in
f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde openssh-fix-utmp.diff
3fa062fd4bfac64abf21f3c1d0548f1dfcf3c6e56e84ece14c848f53a293024e sshd.initd
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd
323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch"
323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa CVE-2014-2532.patch
03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd CVE-2014-2653.patch"
sha512sums="f87b3e1d3110b87c1dfff729459ff26024863480c8eb4449b9e3b0b750d187acdfedb199ca4ea133b5dfa436bed0e2eea7607392d451b18c626c4dc1d38bb52a openssh-6.4p1.tar.gz
773cc0629e17a8f78e82be56e579855ea9b3ca8fd26360964aee854d717a7cfc2c9d4d654cf0fda5723c3aabe96e48ee2cfe6d1fd64b5717f0ef5eb997d00293 openssh6.2-dynwindows.diff
64f5aff3fc1a0d2f7c65ea875d1c2c4d98a3d305ff2677d9d4ca82f20778df9e317b1bfc428cee2b0df1bfa01a65dfcf83b68435a227a23a2cf3400fef35d656 openssh-peaktput.diff
......@@ -128,4 +131,5 @@ aaa128126400171d0755038a846672aa7b1e87340edf73a672962d403abf404ef1821466b17da51d
cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5 openssh-fix-utmp.diff
1483e2bcd700da9b02f04508d490b472c816344787bf1675fef2f7e27f72b91e4323e4e8c1db701e47d81d37d6d4b0623eaeac46b2cf589ae5ad69f363baa594 sshd.initd
b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd
4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch"
4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d CVE-2014-2532.patch
be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40 CVE-2014-2653.patch"
From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
From: Matthew Vernon <mcv21@cam.ac.uk>
Date: Wed, 26 Mar 2014 15:32:23 +0000
Subject: Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).
This patch is by Damien Miller (of openssh upstream). It's simpler
than the patch by Mark Wooding which I applied yesterday; a copy is
taken of the proffered key/cert, the key extracted from the cert (if
necessary), and then the DNS consulted.
Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr
---
sshconnect.c | 42 ++++++++++++++++++++++++++----------------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index 87c3770..324f5e0 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
int flags = 0;
char *fp;
+ Key *plain = NULL;
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
free(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment