authorNatanael Copa <ncopa@alpinelinux.org>2015-08-26 11:28:34 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2015-08-26 11:35:03 +0200
commit397b30fdd336abf6492edc4c261e51445808a133 (patch)
treeefb6eb6ea67b1c6b960e975e55bb1c5eee570ec1
parentde3f445ddf9bde0d6f2745e24b78b4af78fb9de4 (diff)
main/openssh: security fixes from upstream
fixes #4582 CVE-2015-6563: sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. CVE-2015-6564: sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit. CVE-2015-6565: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev. (cherry picked from commit 26c30cf5be4151eee04678ad118d056de0601833)
-rw-r--r--main/openssh/APKBUILD14
-rw-r--r--main/openssh/CVE-2015-6563.patch37
-rw-r--r--main/openssh/CVE-2015-6564.patch33
-rw-r--r--main/openssh/CVE-2015-6565.patch35
4 files changed, 118 insertions, 1 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 5c1320ee3d4..64ad0fa2082 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.8_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=3
+pkgrel=4
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -13,6 +13,9 @@ makedepends="openssl-dev zlib-dev"
subpackages="$pkgname-doc $pkgname-client $pkgname-keysign"
source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
CVE-2015-5600.patch
+ CVE-2015-6563.patch
+ CVE-2015-6564.patch
+ CVE-2015-6565.patch
openssh6.5-peaktput.diff
openssh6.8-dynwindows.diff
openssh-fix-utmp.diff
@@ -109,6 +112,9 @@ keysign() {
md5sums="08f72de6751acfbd0892b5f003922701 openssh-6.8p1.tar.gz
f3e17e9514d246d415fb6388609bc0f8 CVE-2015-5600.patch
+ae3ac6c890f3172327118f3b793e7f05 CVE-2015-6563.patch
+9e107e2636250f33199ba47550ceca1e CVE-2015-6564.patch
+449775b5ce63d85331f78784eeb70f78 CVE-2015-6565.patch
cd52fe99cb4b7d0d847bf5d710d93564 openssh6.5-peaktput.diff
c6e29d7d88529a66d857657753f39694 openssh6.8-dynwindows.diff
37fbfe9cfb9a5e2454382ea8c79ed2e1 openssh-fix-utmp.diff
@@ -117,6 +123,9 @@ b35e9f3829f4cfca07168fcba98749c7 sshd.confd
2dd7e366607e95f9762273067309fd6e openssh-sftp-interactive.diff"
sha256sums="3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e openssh-6.8p1.tar.gz
8ce7fa061a4d3a0ac94f07ac694551ac1c5c1e5f82daf04a6434b69761c2fb6e CVE-2015-5600.patch
+044c3ceeb69c4812414bc605d3fd1f49e48623fe75b958f130420c9a3a3d3914 CVE-2015-6563.patch
+0f4db4d65edbbef21862ac10714bdd4f8911cf9f9b6eb220f94663be0c4872c8 CVE-2015-6564.patch
+cd30c1f083f810d71d91eb03ad08e2cb46652cb80dc40560729e308d4fab8a81 CVE-2015-6565.patch
bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249 openssh6.5-peaktput.diff
bf0f00bd88a7224ea0618f6e347a6a805c4e5acd869196725a3923d711ff1246 openssh6.8-dynwindows.diff
1c85437fd94aa4fc269e6297e4eb790baa98c39949ec0410792c09ee31ba9782 openssh-fix-utmp.diff
@@ -125,6 +134,9 @@ cf053bee46c7037bdab3b3575c7080f4b514d8623c023a4dcfccb4cdcff179cf sshd.initd
4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376 openssh-sftp-interactive.diff"
sha512sums="7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede openssh-6.8p1.tar.gz
30decd1e2f66e9a772389b190e3576722d554015c2ee2418b83bc77ed692c3e3d8ec0a8caf389b054c7db23571742d9eadd0017e8f95441759401867ceaf1fd1 CVE-2015-5600.patch
+7ab16c39dc02d38c2b8498a187c43637f6e8a06dc9786d1746010d2d416d979c34103bd6f95365664a143641d85d6985f73bcf055f5eb481ec34ad2a7ee2e939 CVE-2015-6563.patch
+e5a7d536837aefb07260b01c2863f96d0db2521d7739ded69f92490fad4c8537c853320458cdbc3a86cd90805d54fc87e081ece1dd4cb19392599888f9078e26 CVE-2015-6564.patch
+1199d18e14dcd9d296894c87b26288ac17744497f2aca0a0c9eae2f0e13e45b193160895cad5334ca282aece3a337831549debea22b98852fc221aec7dbc34eb CVE-2015-6565.patch
e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1 openssh6.5-peaktput.diff
307ca56d2bae53f2f2852a695de440843a457c4000524d1b7dbcf2f46f70ae4f8ba7309273b62287ad5eef2005e2911dd737a0f55605352397b8f557d78e18df openssh6.8-dynwindows.diff
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 openssh-fix-utmp.diff
diff --git a/main/openssh/CVE-2015-6563.patch b/main/openssh/CVE-2015-6563.patch
new file mode 100644
index 00000000000..d3bdcac132f
--- /dev/null
+++ b/main/openssh/CVE-2015-6563.patch
@@ -0,0 +1,37 @@
+From d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:33:24 +1000
+Subject: [PATCH] Don't resend username to PAM; it already has it.
+
+Pointed out by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 2 --
+ monitor_wrap.c | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
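Review bot: In the monitor.c part of this patch, `mm_answer_pam_init_ctx` has no comment saying that `authctxt->user` is deliberately not read from the request. The handler now depends on the monitor's own copy of the username, presumably set earlier in the authentication exchange, and that reason is recorded only in the patch subject. A comment above the `init_ctx` call would keep the read from being reintroduced later, for example `/* authctxt->user is already set in the monitor; never accept it from the unprivileged child */`. Both `mm_answer_pam_init_ctx` and `mm_sshpam_init_ctx` continue outside the hunks shown.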
diff --git a/main/openssh/CVE-2015-6564.patch b/main/openssh/CVE-2015-6564.patch
new file mode 100644
index 00000000000..e278dd74149
--- /dev/null
+++ b/main/openssh/CVE-2015-6564.patch
@@ -0,0 +1,33 @@
+From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: [PATCH] set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/monitor.c b/monitor.c
+index f1b873d..a914209 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
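Review bot: `mm_answer_pam_free_ctx` passes `sshpam_ctxt` to `(sshpam_device.free_ctx)` without checking it, and once this patch resets the pointer to NULL, a second free-context request from the child hands NULL to that callback. The hunk does not show whether `free_ctx` tolerates NULL, so either confirm that it does or add a guard at the top of the handler such as `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);`. The other PAM handlers that read `sshpam_ctxt`, including `mm_answer_pam_respond` named in the hunk header, are outside the hunk and deserve the same check. A one-line comment on `r` noting that the result has to be captured before the pointers are cleared would also help.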
diff --git a/main/openssh/CVE-2015-6565.patch b/main/openssh/CVE-2015-6565.patch
new file mode 100644
index 00000000000..2b762de405a
--- /dev/null
+++ b/main/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+From 6f941396b6835ad18018845f515b0c4fe20be21a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 30 Jul 2015 23:09:15 +0000
+Subject: upstream commit
+
+fix pty permissions; patch from Nikolay Edigaryev; ok
+ deraadt
+
+Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
+---
+ sshpty.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshpty.c b/sshpty.c
+index 7bb7641..15da8c6 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
++/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+- mode = (grp != NULL) ? 0622 : 0600;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
+--
+cgit v0.11.2
+
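Review bot: The changed line in `pty_setowner` encodes the whole security decision in bare octal modes, with no comment explaining it. When a `tty` group exists the terminal is now owner read/write plus group write (0620), otherwise owner-only (0600). A comment such as `/* group tty may write to the terminal; it must never be world-writable */` would make that intent explicit. The code that applies `mode` is outside the hunk, so it is worth confirming that it also tightens a tty that already has looser permissions. Terminals allocated before the package upgrade presumably keep the old mode until their sessions end.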