diff options
Diffstat (limited to 'gnu/packages/patches/openssh-CVE-2016-6210-3.patch')
| -rw-r--r-- | gnu/packages/patches/openssh-CVE-2016-6210-3.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/gnu/packages/patches/openssh-CVE-2016-6210-3.patch b/gnu/packages/patches/openssh-CVE-2016-6210-3.patch new file mode 100644 index 0000000000..303c34ee1b --- /dev/null +++ b/gnu/packages/patches/openssh-CVE-2016-6210-3.patch @@ -0,0 +1,60 @@ +From abde8dda29c2db2405d6fbca2fe022430e2c1177 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@zip.com.au> +Date: Thu, 21 Jul 2016 14:17:31 +1000 +Subject: Search users for one with a valid salt. + +If the root account is locked (eg password "!!" or "*LK*") keep looking +until we find a user with a valid salt to use for crypting passwords of +invalid users. ok djm@ + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc +Bug-Debian: https://bugs.debian.org/831902 +Last-Update: 2016-07-22 + +Patch-Name: CVE-2016-6210-3.patch +--- + openbsd-compat/xcrypt.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c +index 8913bb8..cf6a9b9 100644 +--- a/openbsd-compat/xcrypt.c ++++ b/openbsd-compat/xcrypt.c +@@ -65,7 +65,9 @@ + + /* + * Pick an appropriate password encryption type and salt for the running +- * system. ++ * system by searching through accounts until we find one that has a valid ++ * salt. Usually this will be root unless the root account is locked out. ++ * If we don't find one we return a traditional DES-based salt. + */ + static const char * + pick_salt(void) +@@ -78,14 +80,18 @@ pick_salt(void) + if (salt[0] != '\0') + return salt; + strlcpy(salt, "xx", sizeof(salt)); +- if ((pw = getpwuid(0)) == NULL) +- return salt; +- passwd = shadow_pw(pw); +- if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL) +- return salt; /* no $, DES */ +- typelen = p - passwd + 1; +- strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); +- explicit_bzero(passwd, strlen(passwd)); ++ setpwent(); ++ while ((pw = getpwent()) != NULL) { ++ passwd = shadow_pw(pw); ++ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) { ++ typelen = p - passwd + 1; ++ strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); ++ explicit_bzero(passwd, strlen(passwd)); ++ goto out; ++ } ++ } ++ out: ++ endpwent(); + return salt; + } + |