authorDaniel Baumann <daniel.baumann@progress-linux.org>2018-08-24 13:42:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2018-08-24 13:42:19 +0000
commit69cb1a256fd74d5fc4c6ed6605a87a468574f34f (patch)
tree7eb0136ec80df6ef9b77843905b73f1f84194ca9
parentReleasing progress-linux version 1:7.4p1-10+deb9u3dschinn2. (diff)
Merging debian version 1:7.4p1-10+deb9u4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch147
3 files changed, 156 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 080eea7..7dce772 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10+deb9u4) stretch-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * CVE-2018-15473: fix username enumeration issue, initially reported
+ by Dariusz Tytko and Michal Sajdak (Closes: #906236)
+
+ -- Sebastien Delafond <seb@debian.org> Tue, 21 Aug 2018 05:14:18 +0200
+
openssh (1:7.4p1-10+deb9u3dschinn2) dschinn; urgency=medium
* Uploading to dschinn, remaining changes:
diff --git a/debian/patches/series b/debian/patches/series
index 7d75358..42de375 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,6 +38,7 @@ fix-incoming-compression-statistics.patch
winscp-dhgex-compat.patch
dash-dash-before-hostname.patch
CVE-2017-15906.patch
+upstream-delay-bailout-for-invalid-authenticating-user.patch
progress-linux/0001-ssh-keygen-rsa-size.patch
progress-linux/0002-ssh-keygen-ecdsa-size.patch
progress-linux/0003-ssh-config-protocol-1-removals.patch
diff --git a/debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch b/debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch
new file mode 100644
index 0000000..f02b3b1
--- /dev/null
+++ b/debian/patches/upstream-delay-bailout-for-invalid-authenticating-user.patch
@@ -0,0 +1,147 @@
+From c4ca1497658e0508e8595ad74978c07bc92a18e3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: upstream: delay bailout for invalid authenticating user
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... until after the packet containing the request has been fully parsed.
+Reported by Dariusz Tytko and Michał Sajdak; ok deraadt
+
+OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
+
+Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8
+Bug-Debian: https://bugs.debian.org/906236
+
+Last-Update: 2018-08-21
+
+Patch-Name: upstream-delay-bailout-for-invalid-authenticating-user.patch
+---
+ auth2-gss.c | 9 ++++++---
+ auth2-hostbased.c | 9 +++++----
+ auth2-pubkey.c | 22 ++++++++++++++--------
+ 3 files changed, 25 insertions(+), 15 deletions(-)
+
+commit 2a406637f4bdc9ad0e6002cd69200a58c56fae79
+Author: Sébastien Delafond <sdelafond@gmail.com>
+Date: Tue Aug 21 05:54:48 2018 +0200
+
+ CVE-2018-15473
+
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 3b5036d..460cf98 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -102,9 +102,6 @@ userauth_gssapi(Authctxt *authctxt)
+ u_int len;
+ u_char *doid = NULL;
+
+- if (!authctxt->valid || authctxt->user == NULL)
+- return (0);
+-
+ mechs = packet_get_int();
+ if (mechs == 0) {
+ debug("Mechanism negotiation is not supported");
+@@ -135,6 +132,12 @@ userauth_gssapi(Authctxt *authctxt)
+ return (0);
+ }
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ free(doid);
++ return (0);
++ }
++
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ if (ctxt != NULL)
+ ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 1b3c3b2..2fa94d2 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -66,10 +66,6 @@ userauth_hostbased(Authctxt *authctxt)
+ int pktype;
+ int authenticated = 0;
+
+- if (!authctxt->valid) {
+- debug2("userauth_hostbased: disabled because of invalid user");
+- return 0;
+- }
+ pkalg = packet_get_string(&alen);
+ pkblob = packet_get_string(&blen);
+ chost = packet_get_string(NULL);
+@@ -115,6 +111,11 @@ userauth_hostbased(Authctxt *authctxt)
+ goto done;
+ }
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ goto done;
++ }
++
+ service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ authctxt->service;
+ buffer_init(&b);
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index add7713..40aae5b 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -79,16 +79,12 @@ userauth_pubkey(Authctxt *authctxt)
+ {
+ Buffer b;
+ Key *key = NULL;
+- char *pkalg, *userstyle, *fp = NULL;
+- u_char *pkblob, *sig;
++ char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
++ u_char *pkblob = NULL, *sig = NULL;
+ u_int alen, blen, slen;
+ int have_sig, pktype;
+ int authenticated = 0;
+
+- if (!authctxt->valid) {
+- debug2("%s: disabled because of invalid user", __func__);
+- return 0;
+- }
+ have_sig = packet_get_char();
+ if (datafellows & SSH_BUG_PKAUTH) {
+ debug2("%s: SSH_BUG_PKAUTH", __func__);
+@@ -149,6 +145,12 @@ userauth_pubkey(Authctxt *authctxt)
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
+ }
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ buffer_free(&b);
++ goto done;
++ }
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ xasprintf(&userstyle, "%s%s%s", authctxt->user,
+@@ -184,12 +186,16 @@ userauth_pubkey(Authctxt *authctxt)
+ key = NULL; /* Don't free below */
+ }
+ buffer_free(&b);
+- free(sig);
+ } else {
+ debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+ __func__, sshkey_type(key), fp);
+ packet_check_eom();
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ goto done;
++ }
+ /* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+@@ -216,6 +222,7 @@ done:
+ free(pkalg);
+ free(pkblob);
+ free(fp);
++ free(sig);
+ return authenticated;
+ }
+
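Review bot: None of the four relocated `if (!authctxt->valid || authctxt->user == NULL)` checks carries a comment explaining why it sits after the packet parsing rather than at the top of the function. They are in userauth_gssapi after the mechanism loop, in userauth_hostbased before `service` is computed, and in both branches of userauth_pubkey. A later cleanup could move them back up as an early exit and reintroduce the username-enumeration difference this patch removes. I would put `/* Keep after the request is fully parsed, so parse failures look the same for valid and invalid users (CVE-2018-15473). */` above each check. All three functions start and end outside the inner hunks, so whether every packet_get_*() call precedes the new checks cannot be confirmed from here; that is worth verifying in userauth_gssapi in particular, where no end-of-message check is visible. A regression test asserting that the reply to an unparseable request is the same whether or not the account exists would keep the ordering from drifting.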