On 11/05/2015 04:00 PM, Joshua Lock wrote:
Thanks, I've pushed this change to my joshuagl/fido-next branch of
openembedded-core-contrib and am testing it now.
You can find instructions on testing the vulnerability at the following
URL. I forgot to include it in the change description.
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
Regards,
Joshua
1.
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
Signed-off-by: Haris Okanovic <haris.okano...@ni.com>
Reviewed-by: Rich Tollerton <rich.toller...@ni.com>
Reviewed-by: Ken Sharp <ken.sh...@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263
---
This patch only applies to Fido and earlier releases. Bug is already
fixed in Jethro which builds OpenSSH 7.1.
---
.../openssh/openssh/CVE-2015-5600.patch | 50
++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.7p1.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644
meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
diff --git
a/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
new file mode 100644
index 0000000..fa1c85e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-5600.patch
@@ -0,0 +1,50 @@
+From b47bdee5621f95387c9ac5b999fd859ccb1213a9 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: [PATCH] CVE-2015-5600
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok
markus@
+
+Source:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u
+
+Upstream-Status: Backport
+---
+ auth2-chall.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index
ea4eb6952f8c13928c3fc595007f2d844dde422f..065361d3ec22f4f131308d1b4497afada3c3cb78
100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt,
KbdintAuthctxt *kbdintctxt)
+ if (len == 0)
+ break;
+ for (i = 0; devices[i]; i++) {
+- if (!auth2_method_allowed(authctxt,
++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++ !auth2_method_allowed(authctxt,
+ "keyboard-interactive", devices[i]->name))
+ continue;
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len)
== 0)
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
+ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+--
+2.6.2
+
diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index aa71cc1..9246284 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -25,6 +25,7 @@ SRC_URI =
"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://CVE-2015-6563.patch \
file://CVE-2015-6564.patch \
file://CVE-2015-6565.patch \
+ file://CVE-2015-5600.patch \
"
PAM_SRC_URI = "file://sshd"
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
