From 6cd2c4a83cc2baa387d04979b489bee2429cc39d Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 15 Aug 2018 16:28:25 -0400 Subject: gnu: openssh: Don't allow remote username enumeration [fixes CVE-2018-15473]. * gnu/packages/patches/openssh-CVE-2018-15473.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/ssh.scm (openssh)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/openssh-CVE-2018-15473.patch | 165 ++++++++++++++++++++++ gnu/packages/ssh.scm | 1 + 3 files changed, 167 insertions(+) create mode 100644 gnu/packages/patches/openssh-CVE-2018-15473.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 4013803b0b..eb0862448f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -997,6 +997,7 @@ dist_patch_DATA = \ %D%/packages/patches/openldap-CVE-2017-9287.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/opensmtpd-fix-crash.patch \ + %D%/packages/patches/openssh-CVE-2018-15473.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \ diff --git a/gnu/packages/patches/openssh-CVE-2018-15473.patch b/gnu/packages/patches/openssh-CVE-2018-15473.patch new file mode 100644 index 0000000000..26b2dc59c3 --- /dev/null +++ b/gnu/packages/patches/openssh-CVE-2018-15473.patch @@ -0,0 +1,165 @@ +Fix CVE-2018-15473, a method by which remote clients can enumerate +usernames on the server: + +http://seclists.org/oss-sec/2018/q3/124 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473 + +Patch adapted from upstream source repository: + +https://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 + +From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 31 Jul 2018 03:10:27 +0000 +Subject: [PATCH] upstream: delay bailout for invalid authentic + +=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= +=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= +=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d +--- + auth2-gss.c | 11 +++++++---- + auth2-hostbased.c | 11 ++++++----- + auth2-pubkey.c | 25 +++++++++++++++---------- + 3 files changed, 28 insertions(+), 19 deletions(-) + +# Adapted from upstream to apply to OpenSSH 7.7p1. +diff --git a/auth2-gss.c b/auth2-gss.c +index 589283b7..1d7cfb39 100644 +--- a/auth2-gss.c ++++ b/auth2-gss.c +@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh) + u_int len; + u_char *doid = NULL; + +- if (!authctxt->valid || authctxt->user == NULL) +- return (0); +- + mechs = packet_get_int(); + if (mechs == 0) { + debug("Mechanism negotiation is not supported"); +diff --git a/auth2-gss.c b/auth2-gss.c +index 47308c5c..9351e042 100644 +--- a/auth2-gss.c ++++ b/auth2-gss.c +@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh) + return (0); + } + ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", __func__); ++ free(doid); ++ return (0); ++ } ++ + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { + if (ctxt != NULL) + ssh_gssapi_delete_ctx(&ctxt); +diff --git a/auth2-hostbased.c b/auth2-hostbased.c +index 60159a56..35939329 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c +@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh) + size_t alen, blen, slen; + int r, pktype, authenticated = 0; + +- if (!authctxt->valid) { +- debug2("%s: disabled because of invalid user", __func__); +- return 0; +- } + /* XXX use sshkey_froms() */ + if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || + (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || +@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh) + goto done; + } + ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", __func__); ++ goto done; ++ } ++ + if ((b = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + /* reconstruct packet */ +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index c4d0f790..e1c15040 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh) + { + Authctxt *authctxt = ssh->authctxt; + struct passwd *pw = authctxt->pw; +- struct sshbuf *b; ++ struct sshbuf *b = NULL; + struct sshkey *key = NULL; +- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; +- u_char *pkblob, *sig, have_sig; ++ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; ++ u_char *pkblob = NULL, *sig = NULL, have_sig; + size_t blen, slen; + int r, pktype; + int authenticated = 0; + struct sshauthopt *authopts = NULL; + +- if (!authctxt->valid) { +- debug2("%s: disabled because of invalid user", __func__); +- return 0; +- } + if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || + (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || + (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) +@@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh) + fatal("%s: sshbuf_put_string session id: %s", + __func__, ssh_err(r)); + } ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", ++ __func__); ++ goto done; ++ } + /* reconstruct packet */ + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", +@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh) + #ifdef DEBUG_PK + sshbuf_dump(b, stderr); + #endif +- + /* test for correct signature */ + authenticated = 0; + if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && +@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh) + authenticated = 1; + } + sshbuf_free(b); +- free(sig); + auth2_record_key(authctxt, authenticated, key); + } else { + debug("%s: test pkalg %s pkblob %s%s%s", +@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh) + if ((r = sshpkt_get_end(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); + ++ if (!authctxt->valid || authctxt->user == NULL) { ++ debug2("%s: disabled because of invalid user", ++ __func__); ++ goto done; ++ } + /* XXX fake reply and always send PK_OK ? */ + /* + * XXX this allows testing whether a user is allowed +@@ -238,6 +242,7 @@ done: + free(pkblob); + free(key_s); + free(ca_s); ++ free(sig); + return authenticated; + } + +-- +2.18.0 diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 90205fa93d..876993e166 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -153,6 +153,7 @@ a server that supports the SSH-2 protocol.") (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" name "-" version ".tar.gz")) + (patches (search-patches "openssh-CVE-2018-15473.patch")) (sha256 (base32 "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp")))) -- cgit 1.4.1