Commit 981de7de authored by Timo Teräs's avatar Timo Teräs Committed by Natanael Copa

main/openssh: security fix for CVE-2014-2653

fixes #2858
(cherry picked from commit 71bd4159)

Conflicts:
	main/openssh/APKBUILD
parent e9ac5113
......@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.1_p1
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=1
pkgrel=2
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
......@@ -17,6 +17,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
sshd.initd
sshd.confd
CVE-2014-2532.patch
CVE-2014-2653.patch
"
_builddir="$srcdir"/$pkgname-$_myver
......@@ -28,7 +29,7 @@ prepare() {
msg "Applying $i"
gunzip -c "$srcdir"/"${i##*/}" | patch -p1 -N || return 1
;;
*.diff)
*.diff|*.patch)
msg "Applying $i"
patch -p1 -N -i "$srcdir"/${i##*/} || return 1
;;
......@@ -91,4 +92,5 @@ b6a71aab576d592b4645a5a4e21a9116 openssh-dynwindow_noneswitch.diff
c65d454dc5b149647273485fc184636d openssh-hmac-accel.diff
cb0dd08c413fad346f0c594107b4a2e0 sshd.initd
b35e9f3829f4cfca07168fcba98749c7 sshd.confd
e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch"
e4cf579145106ce3d4465453b70ea50d CVE-2014-2532.patch
82a3a5b6f1eda13b7957ed391964730b CVE-2014-2653.patch"
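Review bot: The new `*.diff|*.patch)` case in prepare() applies the CVE patch with `patch -p1 -N -i`, which runs at patch's default fuzz factor, so a backported hunk can land at a shifted offset or in neighbouring code and still report success. The DEP-3 header and the `@@ -1110` offset of CVE-2014-2653.patch suggest it was not generated against 6.1p1, so this is exactly the case where fuzz can mislead; consider `patch -p1 -N --fuzz=0 -i "$srcdir"/${i##*/} || return 1` and regenerate the patch against 6.1p1 if it then fails to apply. `-N` should still make a reversed or already-applied hunk fail rather than silently re-apply, and `|| return 1` turns that into a build abort, which appears to be the intent. The prepare() function starts before and continues after this hunk.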
Description: Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client does
not check the DNS for SSHFP records. This means that a malicious server can
essentially disable DNS-host-key-checking, which means the client will fall
back to asking the user (who will just say "yes" to the fingerprint,
sadly).
.
This is CVE-2014-2653.
Author: Damien Miller <djm@mindrot.org>
Reviewed-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Forwarded: not-needed
Last-Update: 2014-04-03
Index: b/sshconnect.c
===================================================================
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1110,29 +1110,39 @@
{
int flags = 0;
char *fp;
+ Key *plain = NULL;
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
xfree(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
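Review bot: The early `return 0` on a DNSSEC-secured SSHFP match now also fires for certificate host keys, because the cert is downgraded to `plain` before the lookup; on that path the certificate itself (CA signature, validity period, principals) is never examined, since `check_host_key()` is not reached. Trusting the raw key on a secure SSHFP match is a defensible decision, but the comment above the downgrade should say so explicitly, e.g. `/* A DNSSEC-verified SSHFP match on the plain key authenticates the host by that key alone; the certificate is not validated on this path. */`. Likewise `matching_host_key_dns = 1` is now set from the downgraded key and later consulted by `check_host_key()` while it is handed the original certificate — presumably intended, but worth confirming against the cert handling there. The enclosing verify_host_key() starts before this hunk and its body continues past it.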