main/openssh: backport security fix (CVE-2018-15473)

fixes #9321
author: Natanael Copa <ncopa@alpinelinux.org> 2018-08-22 08:56:21 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-09-20 12:30:19 +0200
commit: adb2a2ada250b5756ac84b9f8ccbef204cc545f4 (patch)
tree: b8800e306369a5d5ebc15e7c683204152ceb8844
parent: dd646650fecf6b0d42ffc26eed4a6da53a6040e5 (diff)
2 files changed, 122 insertions, 4 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index d02b8831283..7a08f017fa2 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
 pkgname=openssh
 pkgver=7.4_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -25,10 +25,13 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
 	sshd.confd
 	openssh-sftp-interactive.diff
 	CVE-2017-15906.patch
+	CVE-2018-15473.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
 # secfixes:
+#   7.4_p1-r2:
+#     - CVE-2018-15473
 #   7.4_p1-r1:
 #     - CVE-2017-15906
 #   7.4_p1-r0:
@@ -128,7 +131,8 @@ e21243d6ddff1bb929eed3676b4b9a2a  bsd-compatible-realpath.patch
 8ae02e304db5d42790b7269b03a8985f  sshd.initd
 ccff4ede2075bcdaa070940cb4eadba2  sshd.confd
 2dd7e366607e95f9762273067309fd6e  openssh-sftp-interactive.diff
-61f296cae7c04afd5a36b91207d23db8  CVE-2017-15906.patch"
+61f296cae7c04afd5a36b91207d23db8  CVE-2017-15906.patch
+7cc63b433def45d70bc285ddcdf70b82  CVE-2018-15473.patch"
 sha256sums="1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1  openssh-7.4p1.tar.gz
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
 861132af07c18f5e0ac7b64f389a929e61a051887bf44bda770a97e3afd9bfb6  openssh7.1-dynwindows.diff
@@ -137,7 +141,8 @@ a843cacd7002a68e9d09b5d8ea1466c9980fa35fa3ccd8d9357ac793017de2a6  bsd-compatible
 18521d52f5e38d5820732356d210fb45922f7b848b7c9ca0bb3823de9e088e1d  sshd.initd
 3342d2fc9b174f898f887237002f04fa9bc01c31e9a851e063ca7de8825ad0eb  sshd.confd
 4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376  openssh-sftp-interactive.diff
-eef77728b13674b1cf10a4b5839844044cba6fbc3441e558ceb4b6605fad6f16  CVE-2017-15906.patch"
+eef77728b13674b1cf10a4b5839844044cba6fbc3441e558ceb4b6605fad6f16  CVE-2017-15906.patch
+d6a3d736d1c472e952e005d7e9546e2f5f5a20830bb2c840bc8fc92bfe04d096  CVE-2018-15473.patch"
 sha512sums="4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292  openssh-7.4p1.tar.gz
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
 72a7dc21d18388c635d14dda762ac50caeefd38f0153d8ea36d18e9d7c982e104f7b7a3af8c18fd479c31201fbdee1639f3a1ec60d035d4ca8721a8563fa11a0  openssh7.1-dynwindows.diff
@@ -146,4 +151,5 @@ f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1
 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f  sshd.initd
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4  sshd.confd
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  openssh-sftp-interactive.diff
-e064acdb9b9990ac3e997b0110051150a0e0e86a128228d400707815957cb6414ae167c8992da049ee81f315ef19d0ba4d6f55aef197b1fa16fc7ebb8596d320  CVE-2017-15906.patch"
+e064acdb9b9990ac3e997b0110051150a0e0e86a128228d400707815957cb6414ae167c8992da049ee81f315ef19d0ba4d6f55aef197b1fa16fc7ebb8596d320  CVE-2017-15906.patch
+390b238ec6f037dcd684f3cbbfd9655aa264791a32d3cbd270773989cdda3896756ddd83e4088356a56e21c183b11052cc4cc7653506d4b46ba48f092f7c66ea  CVE-2018-15473.patch"
diff --git a/main/openssh/CVE-2018-15473.patch b/main/openssh/CVE-2018-15473.patch
new file mode 100644
index 00000000000..7ba1a3b4f9b
--- /dev/null
+++ b/main/openssh/CVE-2018-15473.patch
@@ -0,0 +1,112 @@
+diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-gss.c openssh-7.5p1-CVE-2018-15473/auth2-gss.c
+--- openssh-7.5p1/auth2-gss.c	2018-08-22 19:17:35.750907742 +0200
++++ openssh-7.5p1-CVE-2018-15473/auth2-gss.c	2018-08-22 19:18:29.481548784 +0200
+@@ -103,9 +103,6 @@
+ 	u_int len;
+ 	u_char *doid = NULL;
+ 
+-	if (!authctxt->valid || authctxt->user == NULL)
+-		return (0);
+-
+ 	mechs = packet_get_int();
+ 	if (mechs == 0) {
+ 		debug("Mechanism negotiation is not supported");
+@@ -136,6 +133,12 @@
+ 		return (0);
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		free(doid);
++		return (0);
++	}
++
+ 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ 		if (ctxt != NULL)
+ 			ssh_gssapi_delete_ctx(&ctxt);
+diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-hostbased.c openssh-7.5p1-CVE-2018-15473/auth2-hostbased.c
+--- openssh-7.5p1/auth2-hostbased.c	2018-08-22 19:17:35.751907735 +0200
++++ openssh-7.5p1-CVE-2018-15473/auth2-hostbased.c	2018-08-22 19:18:45.138444637 +0200
+@@ -66,10 +66,6 @@
+ 	int pktype;
+ 	int authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("userauth_hostbased: disabled because of invalid user");
+-		return 0;
+-	}
+ 	pkalg = packet_get_string(&alen);
+ 	pkblob = packet_get_string(&blen);
+ 	chost = packet_get_string(NULL);
+@@ -115,6 +111,11 @@
+ 		goto done;
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		goto done;
++	}
++
+ 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ 	    authctxt->service;
+ 	buffer_init(&b);
+--- ./auth2-pubkey.c.orig
++++ ./auth2-pubkey.c
+@@ -79,16 +79,12 @@
+ {
+ 	Buffer b;
+ 	Key *key = NULL;
+-	char *pkalg, *userstyle, *fp = NULL;
+-	u_char *pkblob, *sig;
++	char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
++	u_char *pkblob = NULL, *sig = NULL;
+ 	u_int alen, blen, slen;
+ 	int have_sig, pktype;
+ 	int authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	have_sig = packet_get_char();
+ 	if (datafellows & SSH_BUG_PKAUTH) {
+ 		debug2("%s: SSH_BUG_PKAUTH", __func__);
+@@ -149,6 +145,12 @@
+ 		} else {
+ 			buffer_put_string(&b, session_id2, session_id2_len);
+ 		}
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			buffer_free(&b);
++			goto done;
++		}
+ 		/* reconstruct packet */
+ 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ 		xasprintf(&userstyle, "%s%s%s", authctxt->user,
+@@ -184,12 +186,16 @@
+ 			key = NULL; /* Don't free below */
+ 		}
+ 		buffer_free(&b);
+-		free(sig);
+ 	} else {
+ 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+ 		    __func__, sshkey_type(key), fp);
+ 		packet_check_eom();
+ 
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* XXX fake reply and always send PK_OK ? */
+ 		/*
+ 		 * XXX this allows testing whether a user is allowed
+@@ -216,6 +222,7 @@
+ 	free(pkalg);
+ 	free(pkblob);
+ 	free(fp);
++	free(sig);
+ 	return authenticated;
+ }
+
author	Natanael Copa <ncopa@alpinelinux.org>	2018-08-22 08:56:21 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-09-20 12:30:19 +0200
commit	adb2a2ada250b5756ac84b9f8ccbef204cc545f4 (patch)
tree	b8800e306369a5d5ebc15e7c683204152ceb8844
parent	dd646650fecf6b0d42ffc26eed4a6da53a6040e5 (diff)