* [PATCH][fido] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
@ 2015-09-09 0:22 Armin Kuster
2015-09-15 16:02 ` Joshua Lock
0 siblings, 1 reply; 2+ messages in thread
From: Armin Kuster @ 2015-09-09 0:22 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
three security fixes.
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../openssh/openssh/CVE-2015-6563.patch | 36 ++++++++++++++++++++++
.../openssh/openssh/CVE-2015-6564.patch | 34 ++++++++++++++++++++
.../openssh/openssh/CVE-2015-6565.patch | 35 +++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 6 +++-
4 files changed, 110 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000..19cea41
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
+CVE-2015-6563
+
+Don't resend username to PAM; it already has it.
+Pointed out by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+Index: openssh-6.7p1/monitor_wrap.c
+===================================================================
+--- openssh-6.7p1.orig/monitor_wrap.c
++++ openssh-6.7p1/monitor_wrap.c
+@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000..588d42d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+
+ set sshpam_ctxt to NULL after free
+
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000..42667b0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
+
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Upstream-Status: Backport
+
+merged two changes into one.
+[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
+tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
+
+[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/sshpty.c
+===================================================================
+--- openssh-6.7p1.orig/sshpty.c
++++ openssh-6.7p1/sshpty.c
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
+
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+- if (grp) {
+- gid = grp->gr_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP;
+- } else {
+- gid = pw->pw_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+- }
++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index a272629..aa71cc1 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -21,7 +21,11 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://volatiles.99_sshd \
file://add-test-support-for-busybox.patch \
file://run-ptest \
- file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
+ file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \
+ file://CVE-2015-6563.patch \
+ file://CVE-2015-6564.patch \
+ file://CVE-2015-6565.patch \
+ "
PAM_SRC_URI = "file://sshd"
--
2.3.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH][fido] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
2015-09-09 0:22 [PATCH][fido] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565 Armin Kuster
@ 2015-09-15 16:02 ` Joshua Lock
0 siblings, 0 replies; 2+ messages in thread
From: Joshua Lock @ 2015-09-15 16:02 UTC (permalink / raw)
To: openembedded-core
On Tue, 2015-09-08 at 17:22 -0700, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> three security fixes.
>
> CVE-2015-6563 (Low) openssh: Privilege separation weakness related to
> PAM support
> CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM
> support
> CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world
> -writable
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
Patch queued in my joshuagl/fido-next tree - thanks!
Joshua
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/
fido-next
> ---
> .../openssh/openssh/CVE-2015-6563.patch | 36
> ++++++++++++++++++++++
> .../openssh/openssh/CVE-2015-6564.patch | 34
> ++++++++++++++++++++
> .../openssh/openssh/CVE-2015-6565.patch | 35
> +++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 6 +++-
> 4 files changed, 110 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE
> -2015-6563.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE
> -2015-6564.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE
> -2015-6565.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015
> -6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015
> -6563.patch
> new file mode 100644
> index 0000000..19cea41
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
> @@ -0,0 +1,36 @@
> +CVE-2015-6563
> +
> +Don't resend username to PAM; it already has it.
> +Pointed out by Moritz Jodeit; ok dtucker@
> +
> +Upstream-Status: Backport
> +https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab725
> 5c60433e4dd23cf7fce8a8b
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +Index: openssh-6.7p1/monitor.c
> +===================================================================
> +--- openssh-6.7p1.orig/monitor.c
> ++++ openssh-6.7p1/monitor.c
> +@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
> + int
> + mm_answer_pam_init_ctx(int sock, Buffer *m)
> + {
> +-
> + debug3("%s", __func__);
> +- authctxt->user = buffer_get_string(m, NULL);
> + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
> + sshpam_authok = NULL;
> + buffer_clear(m);
> +Index: openssh-6.7p1/monitor_wrap.c
> +===================================================================
> +--- openssh-6.7p1.orig/monitor_wrap.c
> ++++ openssh-6.7p1/monitor_wrap.c
> +@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
> +
> + debug3("%s", __func__);
> + buffer_init(&m);
> +- buffer_put_cstring(&m, authctxt->user);
> + mm_request_send(pmonitor->m_recvfd,
> MONITOR_REQ_PAM_INIT_CTX, &m);
> + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX",
> __func__);
> + mm_request_receive_expect(pmonitor->m_recvfd,
> MONITOR_ANS_PAM_INIT_CTX, &m);
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015
> -6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015
> -6564.patch
> new file mode 100644
> index 0000000..588d42d
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
> @@ -0,0 +1,34 @@
> +CVE-2015-6564
> +
> + set sshpam_ctxt to NULL after free
> +
> + Avoids use-after-free in monitor when privsep child is compromised.
> + Reported by Moritz Jodeit; ok dtucker@
> +
> +Upstream-Status: Backport
> +https://github.com/openssh/openssh-portable/commit/5e75f519876905608
> 9fb06c4d738ab0e5abc66f7
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +Index: openssh-6.7p1/monitor.c
> +===================================================================
> +--- openssh-6.7p1.orig/monitor.c
> ++++ openssh-6.7p1/monitor.c
> +@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
> + int
> + mm_answer_pam_free_ctx(int sock, Buffer *m)
> + {
> ++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
> +
> + debug3("%s", __func__);
> + (sshpam_device.free_ctx)(sshpam_ctxt);
> ++ sshpam_ctxt = sshpam_authok = NULL;
> + buffer_clear(m);
> + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
> + auth_method = "keyboard-interactive";
> + auth_submethod = "pam";
> +- return (sshpam_authok == sshpam_ctxt);
> ++ return r;
> + }
> + #endif
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015
> -6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015
> -6565.patch
> new file mode 100644
> index 0000000..42667b0
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
> @@ -0,0 +1,35 @@
> +CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
> +
> +fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
> +
> +Upstream-Status: Backport
> +
> +merged two changes into one.
> +[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883
> d4eccb94b16c355987f58f86a7dee17a0c2
> +tighten permissions on pty when the "tty" group does not exist;
> pointed out by Corinna Vinschen; ok markus
> +
> +[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941
> 396b6835ad18018845f515b0c4fe20be21a
> +fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +Index: openssh-6.7p1/sshpty.c
> +===================================================================
> +--- openssh-6.7p1.orig/sshpty.c
> ++++ openssh-6.7p1/sshpty.c
> +@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
> +
> + /* Determine the group to make the owner of the tty. */
> + grp = getgrnam("tty");
> +- if (grp) {
> +- gid = grp->gr_gid;
> +- mode = S_IRUSR | S_IWUSR | S_IWGRP;
> +- } else {
> +- gid = pw->pw_gid;
> +- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
> +- }
> ++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
> ++ mode = (grp != NULL) ? 0620 : 0600;
> +
> + /*
> + * Change owner and mode of the tty as required.
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> index a272629..aa71cc1 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
> @@ -21,7 +21,11 @@ SRC_URI = "
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://volatiles.99_sshd \
> file://add-test-support-for-busybox.patch \
> file://run-ptest \
> - file://auth2-none.c-avoid-authenticate-empty-passwords-to
> -m.patch"
> + file://auth2-none.c-avoid-authenticate-empty-passwords-to
> -m.patch \
> + file://CVE-2015-6563.patch \
> + file://CVE-2015-6564.patch \
> + file://CVE-2015-6565.patch \
> + "
>
> PAM_SRC_URI = "file://sshd"
>
> --
> 2.3.5
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-09-15 16:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-09-09 0:22 [PATCH][fido] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565 Armin Kuster
2015-09-15 16:02 ` Joshua Lock
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.