61 lines
1.9 KiB
Diff
61 lines
1.9 KiB
Diff
|
From abde8dda29c2db2405d6fbca2fe022430e2c1177 Mon Sep 17 00:00:00 2001
|
||
|
From: Darren Tucker <dtucker@zip.com.au>
|
||
|
Date: Thu, 21 Jul 2016 14:17:31 +1000
|
||
|
Subject: Search users for one with a valid salt.
|
||
|
|
||
|
If the root account is locked (eg password "!!" or "*LK*") keep looking
|
||
|
until we find a user with a valid salt to use for crypting passwords of
|
||
|
invalid users. ok djm@
|
||
|
|
||
|
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
|
||
|
Bug-Debian: https://bugs.debian.org/831902
|
||
|
Last-Update: 2016-07-22
|
||
|
|
||
|
Patch-Name: CVE-2016-6210-3.patch
|
||
|
---
|
||
|
openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
|
||
|
1 file changed, 15 insertions(+), 9 deletions(-)
|
||
|
|
||
|
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
|
||
|
index 8913bb8..cf6a9b9 100644
|
||
|
--- a/openbsd-compat/xcrypt.c
|
||
|
+++ b/openbsd-compat/xcrypt.c
|
||
|
@@ -65,7 +65,9 @@
|
||
|
|
||
|
/*
|
||
|
* Pick an appropriate password encryption type and salt for the running
|
||
|
- * system.
|
||
|
+ * system by searching through accounts until we find one that has a valid
|
||
|
+ * salt. Usually this will be root unless the root account is locked out.
|
||
|
+ * If we don't find one we return a traditional DES-based salt.
|
||
|
*/
|
||
|
static const char *
|
||
|
pick_salt(void)
|
||
|
@@ -78,14 +80,18 @@ pick_salt(void)
|
||
|
if (salt[0] != '\0')
|
||
|
return salt;
|
||
|
strlcpy(salt, "xx", sizeof(salt));
|
||
|
- if ((pw = getpwuid(0)) == NULL)
|
||
|
- return salt;
|
||
|
- passwd = shadow_pw(pw);
|
||
|
- if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
|
||
|
- return salt; /* no $, DES */
|
||
|
- typelen = p - passwd + 1;
|
||
|
- strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
|
||
|
- explicit_bzero(passwd, strlen(passwd));
|
||
|
+ setpwent();
|
||
|
+ while ((pw = getpwent()) != NULL) {
|
||
|
+ passwd = shadow_pw(pw);
|
||
|
+ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
|
||
|
+ typelen = p - passwd + 1;
|
||
|
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
|
||
|
+ explicit_bzero(passwd, strlen(passwd));
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ out:
|
||
|
+ endpwent();
|
||
|
return salt;
|
||
|
}
|
||
|
|