File openssh-7.6p1-CVE-2018-15473.patch of Package openssh.17031
From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 31 Jul 2018 03:10:27 +0000
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
=?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
=?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
=?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
usr.bin/ssh/auth2-gss.c | 11 +++++++----
usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++----------
3 files changed, 28 insertions(+), 19 deletions(-)
Index: openssh-7.6p1/auth2-gss.c
===================================================================
--- openssh-7.6p1.orig/auth2-gss.c 2019-03-12 14:38:32.420914340 +0100
+++ openssh-7.6p1/auth2-gss.c 2019-03-12 14:38:37.116940749 +0100
@@ -105,9 +105,6 @@ userauth_gssapi(struct ssh *ssh)
u_int len;
u_char *doid = NULL;
- if (!authctxt->valid || authctxt->user == NULL)
- return (0);
-
mechs = packet_get_int();
if (mechs == 0) {
debug("Mechanism negotiation is not supported");
@@ -138,6 +135,12 @@ userauth_gssapi(struct ssh *ssh)
return (0);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ free(doid);
+ return (0);
+ }
+
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
Index: openssh-7.6p1/auth2-hostbased.c
===================================================================
--- openssh-7.6p1.orig/auth2-hostbased.c 2019-03-12 14:38:33.264919086 +0100
+++ openssh-7.6p1/auth2-hostbased.c 2019-03-12 14:38:37.116940749 +0100
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
size_t alen, blen, slen;
int r, pktype, authenticated = 0;
- if (!authctxt->valid) {
- debug2("%s: disabled because of invalid user", __func__);
- return 0;
- }
/* XXX use sshkey_froms() */
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
@@ -117,6 +113,10 @@ userauth_hostbased(struct ssh *ssh)
__func__, sshkey_type(key));
goto done;
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ goto done;
+ }
service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
authctxt->service;
Index: openssh-7.6p1/auth2-pubkey.c
===================================================================
--- openssh-7.6p1.orig/auth2-pubkey.c 2019-03-12 14:38:33.264919086 +0100
+++ openssh-7.6p1/auth2-pubkey.c 2019-03-12 14:38:37.120940772 +0100
@@ -77,18 +77,15 @@ static int
userauth_pubkey(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
- struct sshbuf *b;
+ struct sshbuf *b = NULL;
struct sshkey *key = NULL;
- char *pkalg, *userstyle = NULL, *fp = NULL;
- u_char *pkblob, *sig, have_sig;
+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL;
+ char *fp = NULL;
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
size_t blen, slen;
int r, pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("%s: disabled because of invalid user", __func__);
- return 0;
- }
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
if (ssh->compat & SSH_BUG_PKAUTH) {
@@ -166,6 +163,11 @@ userauth_pubkey(struct ssh *ssh)
fatal("%s: sshbuf_put_string session id: %s",
__func__, ssh_err(r));
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* reconstruct packet */
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
@@ -193,7 +195,6 @@ userauth_pubkey(struct ssh *ssh)
#ifdef DEBUG_PK
sshbuf_dump(b, stderr);
#endif
-
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
@@ -202,7 +203,6 @@ userauth_pubkey(struct ssh *ssh)
authenticated = 1;
}
sshbuf_free(b);
- free(sig);
auth2_record_key(authctxt, authenticated, key);
} else {
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
@@ -210,6 +210,11 @@ userauth_pubkey(struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* XXX fake reply and always send PK_OK ? */
/*
* XXX this allows testing whether a user is allowed
@@ -237,6 +242,7 @@ done:
free(userstyle);
free(pkalg);
free(pkblob);
+ free(sig);
free(fp);
return authenticated;
}