diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/openssh-CVE-2018-15473.patch | 165 | ||||
-rw-r--r-- | gnu/packages/ssh.scm | 5 |
3 files changed, 2 insertions, 169 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 71f3583f88..60db25a60c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -997,7 +997,6 @@ dist_patch_DATA = \ %D%/packages/patches/openldap-CVE-2017-9287.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/opensmtpd-fix-crash.patch \ - %D%/packages/patches/openssh-CVE-2018-15473.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \ diff --git a/gnu/packages/patches/openssh-CVE-2018-15473.patch b/gnu/packages/patches/openssh-CVE-2018-15473.patch deleted file mode 100644 index 26b2dc59c3..0000000000 --- a/gnu/packages/patches/openssh-CVE-2018-15473.patch +++ /dev/null @@ -1,165 +0,0 @@ -Fix CVE-2018-15473, a method by which remote clients can enumerate -usernames on the server: - -http://seclists.org/oss-sec/2018/q3/124 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473 - -Patch adapted from upstream source repository: - -https://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 - -From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" <djm@openbsd.org> -Date: Tue, 31 Jul 2018 03:10:27 +0000 -Subject: [PATCH] upstream: delay bailout for invalid authentic - -=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= -=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= -=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d ---- - auth2-gss.c | 11 +++++++---- - auth2-hostbased.c | 11 ++++++----- - auth2-pubkey.c | 25 +++++++++++++++---------- - 3 files changed, 28 insertions(+), 19 deletions(-) - -# Adapted from upstream to apply to OpenSSH 7.7p1. -diff --git a/auth2-gss.c b/auth2-gss.c -index 589283b7..1d7cfb39 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c -@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh) - u_int len; - u_char *doid = NULL; - -- if (!authctxt->valid || authctxt->user == NULL) -- return (0); -- - mechs = packet_get_int(); - if (mechs == 0) { - debug("Mechanism negotiation is not supported"); -diff --git a/auth2-gss.c b/auth2-gss.c -index 47308c5c..9351e042 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c -@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh) - return (0); - } - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", __func__); -+ free(doid); -+ return (0); -+ } -+ - if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { - if (ctxt != NULL) - ssh_gssapi_delete_ctx(&ctxt); -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 60159a56..35939329 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh) - size_t alen, blen, slen; - int r, pktype, authenticated = 0; - -- if (!authctxt->valid) { -- debug2("%s: disabled because of invalid user", __func__); -- return 0; -- } - /* XXX use sshkey_froms() */ - if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || - (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || -@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh) - goto done; - } - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", __func__); -+ goto done; -+ } -+ - if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); - /* reconstruct packet */ -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index c4d0f790..e1c15040 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh) - { - Authctxt *authctxt = ssh->authctxt; - struct passwd *pw = authctxt->pw; -- struct sshbuf *b; -+ struct sshbuf *b = NULL; - struct sshkey *key = NULL; -- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; -- u_char *pkblob, *sig, have_sig; -+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; -+ u_char *pkblob = NULL, *sig = NULL, have_sig; - size_t blen, slen; - int r, pktype; - int authenticated = 0; - struct sshauthopt *authopts = NULL; - -- if (!authctxt->valid) { -- debug2("%s: disabled because of invalid user", __func__); -- return 0; -- } - if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || - (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || - (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) -@@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh) - fatal("%s: sshbuf_put_string session id: %s", - __func__, ssh_err(r)); - } -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", -+ __func__); -+ goto done; -+ } - /* reconstruct packet */ - xasprintf(&userstyle, "%s%s%s", authctxt->user, - authctxt->style ? ":" : "", -@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh) - #ifdef DEBUG_PK - sshbuf_dump(b, stderr); - #endif -- - /* test for correct signature */ - authenticated = 0; - if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && -@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh) - authenticated = 1; - } - sshbuf_free(b); -- free(sig); - auth2_record_key(authctxt, authenticated, key); - } else { - debug("%s: test pkalg %s pkblob %s%s%s", -@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh) - if ((r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", -+ __func__); -+ goto done; -+ } - /* XXX fake reply and always send PK_OK ? */ - /* - * XXX this allows testing whether a user is allowed -@@ -238,6 +242,7 @@ done: - free(pkblob); - free(key_s); - free(ca_s); -+ free(sig); - return authenticated; - } - --- -2.18.0 diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 0d9bd5a119..a58ebff481 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -148,15 +148,14 @@ a server that supports the SSH-2 protocol.") (define-public openssh (package (name "openssh") - (version "7.7p1") + (version "7.8p1") (source (origin (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" name "-" version ".tar.gz")) - (patches (search-patches "openssh-CVE-2018-15473.patch")) (sha256 (base32 - "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp")))) + "1jj4f586r9lhakp2w0zv7j616d6x62m15q8l4nxq7haja6qlnj0s")))) (build-system gnu-build-system) (native-inputs `(("groff" ,groff))) (inputs `(("openssl" ,openssl) |