New file |
| | |
| | | From c4ca1497658e0508e8595ad74978c07bc92a18e3 Mon Sep 17 00:00:00 2001 |
| | | From: "djm@openbsd.org" <djm@openbsd.org> |
| | | Date: Tue, 31 Jul 2018 03:10:27 +0000 |
| | | Subject: upstream: delay bailout for invalid authenticating user |
| | | MIME-Version: 1.0 |
| | | Content-Type: text/plain; charset=UTF-8 |
| | | Content-Transfer-Encoding: 8bit |
| | | |
| | | ... until after the packet containing the request has been fully parsed. |
| | | Reported by Dariusz Tytko and Michał Sajdak; ok deraadt |
| | | |
| | | OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d |
| | | |
| | | Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 |
| | | Bug-Debian: https://bugs.debian.org/906236 |
| | | |
| | | Last-Update: 2018-08-21 |
| | | |
| | | Patch-Name: upstream-delay-bailout-for-invalid-authenticating-user.patch |
| | | --- |
| | | auth2-gss.c | 9 ++++++--- |
| | | auth2-hostbased.c | 9 +++++---- |
| | | auth2-pubkey.c | 22 ++++++++++++++-------- |
| | | 3 files changed, 25 insertions(+), 15 deletions(-) |
| | | |
| | | commit 2a406637f4bdc9ad0e6002cd69200a58c56fae79 |
| | | Author: Sébastien Delafond <sdelafond@gmail.com> |
| | | Date: Tue Aug 21 05:54:48 2018 +0200 |
| | | |
| | | CVE-2018-15473 |
| | | |
| | | diff --git a/auth2-gss.c b/auth2-gss.c |
| | | index 3b5036d..460cf98 100644 |
| | | --- a/auth2-gss.c |
| | | +++ b/auth2-gss.c |
| | | @@ -102,9 +102,6 @@ userauth_gssapi(Authctxt *authctxt) |
| | | u_int len; |
| | | u_char *doid = NULL; |
| | | |
| | | - if (!authctxt->valid || authctxt->user == NULL) |
| | | - return (0); |
| | | - |
| | | mechs = packet_get_int(); |
| | | if (mechs == 0) { |
| | | debug("Mechanism negotiation is not supported"); |
| | | @@ -135,6 +132,12 @@ userauth_gssapi(Authctxt *authctxt) |
| | | return (0); |
| | | } |
| | | |
| | | + if (!authctxt->valid || authctxt->user == NULL) { |
| | | + debug2("%s: disabled because of invalid user", __func__); |
| | | + free(doid); |
| | | + return (0); |
| | | + } |
| | | + |
| | | if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { |
| | | if (ctxt != NULL) |
| | | ssh_gssapi_delete_ctx(&ctxt); |
| | | diff --git a/auth2-hostbased.c b/auth2-hostbased.c |
| | | index 1b3c3b2..2fa94d2 100644 |
| | | --- a/auth2-hostbased.c |
| | | +++ b/auth2-hostbased.c |
| | | @@ -66,10 +66,6 @@ userauth_hostbased(Authctxt *authctxt) |
| | | int pktype; |
| | | int authenticated = 0; |
| | | |
| | | - if (!authctxt->valid) { |
| | | - debug2("userauth_hostbased: disabled because of invalid user"); |
| | | - return 0; |
| | | - } |
| | | pkalg = packet_get_string(&alen); |
| | | pkblob = packet_get_string(&blen); |
| | | chost = packet_get_string(NULL); |
| | | @@ -115,6 +111,11 @@ userauth_hostbased(Authctxt *authctxt) |
| | | goto done; |
| | | } |
| | | |
| | | + if (!authctxt->valid || authctxt->user == NULL) { |
| | | + debug2("%s: disabled because of invalid user", __func__); |
| | | + goto done; |
| | | + } |
| | | + |
| | | service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
| | | authctxt->service; |
| | | buffer_init(&b); |
| | | diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
| | | index add7713..40aae5b 100644 |
| | | --- a/auth2-pubkey.c |
| | | +++ b/auth2-pubkey.c |
| | | @@ -79,16 +79,12 @@ userauth_pubkey(Authctxt *authctxt) |
| | | { |
| | | Buffer b; |
| | | Key *key = NULL; |
| | | - char *pkalg, *userstyle, *fp = NULL; |
| | | - u_char *pkblob, *sig; |
| | | + char *pkalg = NULL, *userstyle = NULL, *fp = NULL; |
| | | + u_char *pkblob = NULL, *sig = NULL; |
| | | u_int alen, blen, slen; |
| | | int have_sig, pktype; |
| | | int authenticated = 0; |
| | | |
| | | - if (!authctxt->valid) { |
| | | - debug2("%s: disabled because of invalid user", __func__); |
| | | - return 0; |
| | | - } |
| | | have_sig = packet_get_char(); |
| | | if (datafellows & SSH_BUG_PKAUTH) { |
| | | debug2("%s: SSH_BUG_PKAUTH", __func__); |
| | | @@ -149,6 +145,12 @@ userauth_pubkey(Authctxt *authctxt) |
| | | } else { |
| | | buffer_put_string(&b, session_id2, session_id2_len); |
| | | } |
| | | + if (!authctxt->valid || authctxt->user == NULL) { |
| | | + debug2("%s: disabled because of invalid user", |
| | | + __func__); |
| | | + buffer_free(&b); |
| | | + goto done; |
| | | + } |
| | | /* reconstruct packet */ |
| | | buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); |
| | | xasprintf(&userstyle, "%s%s%s", authctxt->user, |
| | | @@ -184,12 +186,16 @@ userauth_pubkey(Authctxt *authctxt) |
| | | key = NULL; /* Don't free below */ |
| | | } |
| | | buffer_free(&b); |
| | | - free(sig); |
| | | } else { |
| | | debug("%s: test whether pkalg/pkblob are acceptable for %s %s", |
| | | __func__, sshkey_type(key), fp); |
| | | packet_check_eom(); |
| | | |
| | | + if (!authctxt->valid || authctxt->user == NULL) { |
| | | + debug2("%s: disabled because of invalid user", |
| | | + __func__); |
| | | + goto done; |
| | | + } |
| | | /* XXX fake reply and always send PK_OK ? */ |
| | | /* |
| | | * XXX this allows testing whether a user is allowed |
| | | @@ -216,6 +222,7 @@ done: |
| | | free(pkalg); |
| | | free(pkblob); |
| | | free(fp); |
| | | + free(sig); |
| | | return authenticated; |
| | | } |
| | | |