Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
aports
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
636
Issues
636
List
Boards
Labels
Service Desk
Milestones
Merge Requests
193
Merge Requests
193
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
alpine
aports
Commits
c314d18b
Commit
c314d18b
authored
Aug 22, 2018
by
Natanael Copa
1
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
main/openssh: backport security fix (CVE-2018-15473)
fixes
#9317
parent
77897932
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
151 additions
and
1 deletion
+151
-1
main/openssh/APKBUILD
main/openssh/APKBUILD
+5
-1
main/openssh/CVE-2018-15473.patch
main/openssh/CVE-2018-15473.patch
+146
-0
No files found.
main/openssh/APKBUILD
View file @
c314d18b
...
...
@@ -4,7 +4,7 @@
pkgname
=
openssh
pkgver
=
7.7_p1
_myver
=
${
pkgver
%_*
}${
pkgver
#*_
}
pkgrel
=
3
pkgrel
=
4
pkgdesc
=
"Port of OpenBSD's free SSH release"
url
=
"http://www.openssh.org/portable.html"
arch
=
"all"
...
...
@@ -35,10 +35,13 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
bsd-compatible-realpath.patch
sftp-interactive.patch
disable-forwarding-by-default.patch
CVE-2018-15473.patch
sshd.initd
sshd.confd
"
# secfixes:
# 7.7_p1-r4:
# - CVE-2018-15473
# 7.5_p1-r8:
# - CVE-2017-15906
# 7.4_p1-r0:
...
...
@@ -199,5 +202,6 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
3f8d0b8547965c47ac8980d45a55f48472a60a2cbba3d552cb3a8c383455830e309b2df4e0afd4b01a53b7e45197fc172760e41302c10fdd0b55dbb85a6d9d87 CVE-2018-15473.patch
bcd56bebe37acb69986abd247d6b74daf7dde1712f30640244a1dd70c505a6a536c5536bef11345e128b6785e1c8ff9736627556e702218805fb14b23bd7047c sshd.initd
ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd"
main/openssh/CVE-2018-15473.patch
0 → 100644
View file @
c314d18b
From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 31 Jul 2018 03:10:27 +0000
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
=?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
=?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
=?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
usr.bin/ssh/auth2-gss.c | 11 +++++++----
usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++----------
3 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
index 649c830916a..c919ef4c353 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -69,9 +69,6 @@
userauth_gssapi(struct ssh *ssh)
u_int len;
u_char *doid = NULL;
- if (!authctxt->valid || authctxt->user == NULL)
- return (0);
-
mechs = packet_get_int();
if (mechs == 0) {
debug("Mechanism negotiation is not supported");
@@ -101,6 +98,12 @@
userauth_gssapi(struct ssh *ssh)
return (0);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ free(doid);
+ return (0);
+ }
+
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
index ad335555934..fb5e5f42272 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -66,10 +66,6 @@
userauth_hostbased(struct ssh *ssh)
size_t alen, blen, slen;
int r, pktype, authenticated = 0;
- if (!authctxt->valid) {
- debug2("%s: disabled because of invalid user", __func__);
- return 0;
- }
/* XXX use sshkey_froms() */
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
@@ -116,6 +112,11 @@
userauth_hostbased(struct ssh *ssh)
goto done;
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ goto done;
+ }
+
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
/* reconstruct packet */
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
index 195da5e2111..af9e5f04c45 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -86,19 +86,15 @@
userauth_pubkey(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
struct passwd *pw = authctxt->pw;
- struct sshbuf *b;
+ struct sshbuf *b = NULL;
struct sshkey *key = NULL;
- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
- u_char *pkblob, *sig, have_sig;
+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
size_t blen, slen;
int r, pktype;
int authenticated = 0;
struct sshauthopt *authopts = NULL;
- if (!authctxt->valid) {
- debug2("%s: disabled because of invalid user", __func__);
- return 0;
- }
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
(r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
@@ -164,6 +160,11 @@
userauth_pubkey(struct ssh *ssh)
fatal("%s: sshbuf_put_string session id: %s",
__func__, ssh_err(r));
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* reconstruct packet */
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
@@ -180,7 +181,6 @@
userauth_pubkey(struct ssh *ssh)
#ifdef DEBUG_PK
sshbuf_dump(b, stderr);
#endif
-
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@@ -191,7 +191,6 @@
userauth_pubkey(struct ssh *ssh)
authenticated = 1;
}
sshbuf_free(b);
- free(sig);
auth2_record_key(authctxt, authenticated, key);
} else {
debug("%s: test pkalg %s pkblob %s%s%s",
@@ -202,6 +201,11 @@
userauth_pubkey(struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* XXX fake reply and always send PK_OK ? */
/*
* XXX this allows testing whether a user is allowed
@@ -235,6 +239,7 @@
userauth_pubkey(struct ssh *ssh)
free(pkblob);
free(key_s);
free(ca_s);
+ free(sig);
return authenticated;
}
Alicha CH
@alicha
mentioned in issue
#9317 (closed)
·
Jul 12, 2019
mentioned in issue
#9317 (closed)
mentioned in issue #9317
Toggle commit list
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
