gnu: OpenSSH: Update to 7.8p1.
* gnu/packages/ssh.scm (openssh): Update to 7.8p1. [source]: Remove 'openssh-CVE-2018-15473.patch'. * gnu/packages/patches/openssh-CVE-2018-15473.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.
This commit is contained in:
parent
841ede7f87
commit
36a8d5cdf4
|
@ -997,7 +997,6 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/openldap-CVE-2017-9287.patch \
|
%D%/packages/patches/openldap-CVE-2017-9287.patch \
|
||||||
%D%/packages/patches/openocd-nrf52.patch \
|
%D%/packages/patches/openocd-nrf52.patch \
|
||||||
%D%/packages/patches/opensmtpd-fix-crash.patch \
|
%D%/packages/patches/opensmtpd-fix-crash.patch \
|
||||||
%D%/packages/patches/openssh-CVE-2018-15473.patch \
|
|
||||||
%D%/packages/patches/openssl-runpath.patch \
|
%D%/packages/patches/openssl-runpath.patch \
|
||||||
%D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \
|
%D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \
|
||||||
%D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \
|
%D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \
|
||||||
|
|
|
@ -1,165 +0,0 @@
|
||||||
Fix CVE-2018-15473, a method by which remote clients can enumerate
|
|
||||||
usernames on the server:
|
|
||||||
|
|
||||||
http://seclists.org/oss-sec/2018/q3/124
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473
|
|
||||||
|
|
||||||
Patch adapted from upstream source repository:
|
|
||||||
|
|
||||||
https://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8
|
|
||||||
|
|
||||||
From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
||||||
Date: Tue, 31 Jul 2018 03:10:27 +0000
|
|
||||||
Subject: [PATCH] upstream: delay bailout for invalid authentic
|
|
||||||
|
|
||||||
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
|
|
||||||
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
|
|
||||||
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
|
|
||||||
---
|
|
||||||
auth2-gss.c | 11 +++++++----
|
|
||||||
auth2-hostbased.c | 11 ++++++-----
|
|
||||||
auth2-pubkey.c | 25 +++++++++++++++----------
|
|
||||||
3 files changed, 28 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
# Adapted from upstream to apply to OpenSSH 7.7p1.
|
|
||||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
|
||||||
index 589283b7..1d7cfb39 100644
|
|
||||||
--- a/auth2-gss.c
|
|
||||||
+++ b/auth2-gss.c
|
|
||||||
@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh)
|
|
||||||
u_int len;
|
|
||||||
u_char *doid = NULL;
|
|
||||||
|
|
||||||
- if (!authctxt->valid || authctxt->user == NULL)
|
|
||||||
- return (0);
|
|
||||||
-
|
|
||||||
mechs = packet_get_int();
|
|
||||||
if (mechs == 0) {
|
|
||||||
debug("Mechanism negotiation is not supported");
|
|
||||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
|
||||||
index 47308c5c..9351e042 100644
|
|
||||||
--- a/auth2-gss.c
|
|
||||||
+++ b/auth2-gss.c
|
|
||||||
@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
||||||
+ debug2("%s: disabled because of invalid user", __func__);
|
|
||||||
+ free(doid);
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
|
||||||
if (ctxt != NULL)
|
|
||||||
ssh_gssapi_delete_ctx(&ctxt);
|
|
||||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
|
||||||
index 60159a56..35939329 100644
|
|
||||||
--- a/auth2-hostbased.c
|
|
||||||
+++ b/auth2-hostbased.c
|
|
||||||
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
|
|
||||||
size_t alen, blen, slen;
|
|
||||||
int r, pktype, authenticated = 0;
|
|
||||||
|
|
||||||
- if (!authctxt->valid) {
|
|
||||||
- debug2("%s: disabled because of invalid user", __func__);
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
/* XXX use sshkey_froms() */
|
|
||||||
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
|
|
||||||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
|
|
||||||
@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
||||||
+ debug2("%s: disabled because of invalid user", __func__);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((b = sshbuf_new()) == NULL)
|
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
/* reconstruct packet */
|
|
||||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
|
||||||
index c4d0f790..e1c15040 100644
|
|
||||||
--- a/auth2-pubkey.c
|
|
||||||
+++ b/auth2-pubkey.c
|
|
||||||
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
|
|
||||||
{
|
|
||||||
Authctxt *authctxt = ssh->authctxt;
|
|
||||||
struct passwd *pw = authctxt->pw;
|
|
||||||
- struct sshbuf *b;
|
|
||||||
+ struct sshbuf *b = NULL;
|
|
||||||
struct sshkey *key = NULL;
|
|
||||||
- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
|
|
||||||
- u_char *pkblob, *sig, have_sig;
|
|
||||||
+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
|
|
||||||
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
|
|
||||||
size_t blen, slen;
|
|
||||||
int r, pktype;
|
|
||||||
int authenticated = 0;
|
|
||||||
struct sshauthopt *authopts = NULL;
|
|
||||||
|
|
||||||
- if (!authctxt->valid) {
|
|
||||||
- debug2("%s: disabled because of invalid user", __func__);
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
|
|
||||||
(r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
|
|
||||||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
|
|
||||||
@@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh)
|
|
||||||
fatal("%s: sshbuf_put_string session id: %s",
|
|
||||||
__func__, ssh_err(r));
|
|
||||||
}
|
|
||||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
||||||
+ debug2("%s: disabled because of invalid user",
|
|
||||||
+ __func__);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
/* reconstruct packet */
|
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
|
||||||
authctxt->style ? ":" : "",
|
|
||||||
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
|
|
||||||
#ifdef DEBUG_PK
|
|
||||||
sshbuf_dump(b, stderr);
|
|
||||||
#endif
|
|
||||||
-
|
|
||||||
/* test for correct signature */
|
|
||||||
authenticated = 0;
|
|
||||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
|
||||||
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
|
|
||||||
authenticated = 1;
|
|
||||||
}
|
|
||||||
sshbuf_free(b);
|
|
||||||
- free(sig);
|
|
||||||
auth2_record_key(authctxt, authenticated, key);
|
|
||||||
} else {
|
|
||||||
debug("%s: test pkalg %s pkblob %s%s%s",
|
|
||||||
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
|
|
||||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
|
||||||
fatal("%s: %s", __func__, ssh_err(r));
|
|
||||||
|
|
||||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
||||||
+ debug2("%s: disabled because of invalid user",
|
|
||||||
+ __func__);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
/* XXX fake reply and always send PK_OK ? */
|
|
||||||
/*
|
|
||||||
* XXX this allows testing whether a user is allowed
|
|
||||||
@@ -238,6 +242,7 @@ done:
|
|
||||||
free(pkblob);
|
|
||||||
free(key_s);
|
|
||||||
free(ca_s);
|
|
||||||
+ free(sig);
|
|
||||||
return authenticated;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.18.0
|
|
|
@ -148,15 +148,14 @@ a server that supports the SSH-2 protocol.")
|
||||||
(define-public openssh
|
(define-public openssh
|
||||||
(package
|
(package
|
||||||
(name "openssh")
|
(name "openssh")
|
||||||
(version "7.7p1")
|
(version "7.8p1")
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
|
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
|
||||||
name "-" version ".tar.gz"))
|
name "-" version ".tar.gz"))
|
||||||
(patches (search-patches "openssh-CVE-2018-15473.patch"))
|
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp"))))
|
"1jj4f586r9lhakp2w0zv7j616d6x62m15q8l4nxq7haja6qlnj0s"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(native-inputs `(("groff" ,groff)))
|
(native-inputs `(("groff" ,groff)))
|
||||||
(inputs `(("openssl" ,openssl)
|
(inputs `(("openssl" ,openssl)
|
||||||
|
|
Loading…
Reference in New Issue