File openssh-6.6p1-use_each_kbd_method_just_once.patch of Package openssh.10219

# HG changeset patch
# Parent  510f5197c122f0dab011fb2bd31fbf875d759449
Only query each keyboard-interactive device once per authentication request
regardless of how many times it is listed.

CVE-2015-5600
bsc#938746

upstream commit: 5b64f85bb811246c59ebab70aed331f26ba37b18

diff --git a/openssh-6.6p1/auth2-chall.c b/openssh-6.6p1/auth2-chall.c
--- a/openssh-6.6p1/auth2-chall.c
+++ b/openssh-6.6p1/auth2-chall.c
@@ -77,16 +77,17 @@ KbdintDevice *devices[] = {
 
 typedef struct KbdintAuthctxt KbdintAuthctxt;
 struct KbdintAuthctxt
 {
 	char *devices;
 	void *ctxt;
 	KbdintDevice *device;
 	u_int nreq;
+	u_int devices_done;
 };
 
 #ifdef USE_PAM
 void
 remove_kbdint_device(const char *devname)
 {
 	int i, j;
 
@@ -163,21 +164,25 @@ kbdint_next_device(Authctxt *authctxt, K
 		kbdint_reset_device(kbdintctxt);
 	do {
 		len = kbdintctxt->devices ?
 		    strcspn(kbdintctxt->devices, ",") : 0;
 
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
-			if (!auth2_method_allowed(authctxt,
+			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+			if (strncmp(kbdintctxt->devices, devices[i]->name,
+			    len) == 0) {
 				kbdintctxt->device = devices[i];
+				kbdintctxt->devices_done |= 1 << i;
+			}
 		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
 		free(t);
 		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
 		    kbdintctxt->devices : "<empty>");
 	} while (kbdintctxt->devices && !kbdintctxt->device);
openSUSE Build Service is sponsored by