diff options
author | Armin Kuster <akuster@mvista.com> | 2015-09-08 17:22:26 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-18 19:21:44 +0100 |
commit | 259df232b513367a0a18b17e3e377260a770288f (patch) | |
tree | 56fc41bfc18c3fdac2d46b68fccc5001686bf9d3 /meta | |
parent | 16e80afe187c173e00b734c757a05157855ed504 (diff) | |
download | openembedded-core-259df232b513367a0a18b17e3e377260a770288f.tar.gz openembedded-core-259df232b513367a0a18b17e3e377260a770288f.tar.bz2 openembedded-core-259df232b513367a0a18b17e3e377260a770288f.zip |
openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
three security fixes.
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'meta')
4 files changed, 110 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch new file mode 100644 index 0000000000..19cea410dc --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch @@ -0,0 +1,36 @@ +CVE-2015-6563 + +Don't resend username to PAM; it already has it. +Pointed out by Moritz Jodeit; ok dtucker@ + +Upstream-Status: Backport +https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: openssh-6.7p1/monitor.c +=================================================================== +--- openssh-6.7p1.orig/monitor.c ++++ openssh-6.7p1/monitor.c +@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device; + int + mm_answer_pam_init_ctx(int sock, Buffer *m) + { +- + debug3("%s", __func__); +- authctxt->user = buffer_get_string(m, NULL); + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); + sshpam_authok = NULL; + buffer_clear(m); +Index: openssh-6.7p1/monitor_wrap.c +=================================================================== +--- openssh-6.7p1.orig/monitor_wrap.c ++++ openssh-6.7p1/monitor_wrap.c +@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) + + debug3("%s", __func__); + buffer_init(&m); +- buffer_put_cstring(&m, authctxt->user); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..588d42d766 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch @@ -0,0 +1,34 @@ +CVE-2015-6564 + + set sshpam_ctxt to NULL after free + + Avoids use-after-free in monitor when privsep child is compromised. + Reported by Moritz Jodeit; ok dtucker@ + +Upstream-Status: Backport +https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: openssh-6.7p1/monitor.c +=================================================================== +--- openssh-6.7p1.orig/monitor.c ++++ openssh-6.7p1/monitor.c +@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer * + int + mm_answer_pam_free_ctx(int sock, Buffer *m) + { ++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; + + debug3("%s", __func__); + (sshpam_device.free_ctx)(sshpam_ctxt); ++ sshpam_ctxt = sshpam_authok = NULL; + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; +- return (sshpam_authok == sshpam_ctxt); ++ return r; + } + #endif + diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch new file mode 100644 index 0000000000..42667b05a0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch @@ -0,0 +1,35 @@ +CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable + +fix pty permissions; patch from Nikolay Edigaryev; ok deraadt + +Upstream-Status: Backport + +merged two changes into one. +[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2 +tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus + +[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a +fix pty permissions; patch from Nikolay Edigaryev; ok deraadt + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: openssh-6.7p1/sshpty.c +=================================================================== +--- openssh-6.7p1.orig/sshpty.c ++++ openssh-6.7p1/sshpty.c +@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch + + /* Determine the group to make the owner of the tty. */ + grp = getgrnam("tty"); +- if (grp) { +- gid = grp->gr_gid; +- mode = S_IRUSR | S_IWUSR | S_IWGRP; +- } else { +- gid = pw->pw_gid; +- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH; +- } ++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; ++ mode = (grp != NULL) ? 0620 : 0600; + + /* + * Change owner and mode of the tty as required. diff --git a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb index a2726291fe..aa71cc1ef4 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb @@ -21,7 +21,11 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://volatiles.99_sshd \ file://add-test-support-for-busybox.patch \ file://run-ptest \ - file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" + file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \ + file://CVE-2015-6563.patch \ + file://CVE-2015-6564.patch \ + file://CVE-2015-6565.patch \ + " PAM_SRC_URI = "file://sshd" |