openssh: Backport CVE-2015-5600 fix

only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed

Source:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u

Bug report:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
https://bugzilla.redhat.com/show_bug.cgi?id=1245969

Testing:
Built in Fido and installed to x86_64 test system.
Verified both 'keyboard-interactive' and 'publickey' logon works with
root and a regular user from an openssh 7.1p1-1 client on Arch.

Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
Reviewed-by: Ken Sharp <ken.sharp@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
new file mode 100644 (file)
index 0000000..fa1c85e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
@@ -0,0 +1,50 @@
+From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: [PATCH] CVE-2015-5600
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Source:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
+
+Upstream-Status: Backport
+---
+ auth2-chall.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+       void *ctxt;
+       KbdintDevice *device;
+       u_int nreq;
++      u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+               if (len == 0)
+                       break;
+               for (i = 0; devices[i]; i++) {
+-                      if (!auth2_method_allowed(authctxt,
++                      if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++                          !auth2_method_allowed(authctxt,
+                           "keyboard-interactive", devices[i]->name))
+                               continue;
+-                      if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++                      if (strncmp(kbdintctxt->devices, devices[i]->name,
++                          len) == 0) {
+                               kbdintctxt->device = devices[i];
++                              kbdintctxt->devices_done |= 1 << i;
++                      }
+               }
+               t = kbdintctxt->devices;
+               kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+-- 
+2.6.2
+

diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index aa71cc1ef4d4a8c2e9404ad6d9ae79c4fb4dc7d1..9246284d1423de6350a96fcfb46df9927aab1fee 100644 (file)
--- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://CVE-2015-6563.patch  \
            file://CVE-2015-6564.patch \
            file://CVE-2015-6565.patch \
+           file://CVE-2015-5600.patch \
            "
 
 PAM_SRC_URI = "file://sshd"