gnu: openssh: Update to 7.3p1.

* gnu/packages/ssh.scm (openssh): Update to 7.3p1.
[source]: Remove patches.
* gnu/packages/patches/openssh-CVE-2015-8325.patch,
gnu/packages/patches/openssh-CVE-2016-6210-1.patch,
gnu/packages/patches/openssh-CVE-2016-6210-2.patch,
gnu/packages/patches/openssh-CVE-2016-6210-3.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
Mark H Weaver 2016-08-01 14:02:17 -04:00
parent 660e005c21
commit 742effef56
No known key found for this signature in database
GPG key ID: 7CEF29847562C516
6 changed files with 2 additions and 326 deletions

View file

@ -694,10 +694,6 @@ dist_patch_DATA = \
%D%/packages/patches/openexr-missing-samples.patch \
%D%/packages/patches/openjpeg-CVE-2015-6581.patch \
%D%/packages/patches/openjpeg-use-after-free-fix.patch \
%D%/packages/patches/openssh-CVE-2015-8325.patch \
%D%/packages/patches/openssh-CVE-2016-6210-1.patch \
%D%/packages/patches/openssh-CVE-2016-6210-2.patch \
%D%/packages/patches/openssh-CVE-2016-6210-3.patch \
%D%/packages/patches/openssl-runpath.patch \
%D%/packages/patches/openssl-c-rehash-in.patch \
%D%/packages/patches/openssl-CVE-2016-2177.patch \

View file

@ -1,31 +0,0 @@
From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Apr 2016 10:39:57 +1000
Subject: ignore PAM environment vars when UseLogin=yes
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
---
session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/session.c b/session.c
index 4859245..4653b09 100644
--- a/session.c
+++ b/session.c
@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
* Pull in any environment variables that may have
* been set by PAM.
*/
- if (options.use_pam) {
+ if (options.use_pam && !options.use_login) {
char **p;
p = fetch_pam_child_environment();
--
cgit v0.11.2

View file

@ -1,114 +0,0 @@
From e5ef9d3942cebda819a6fd81647b51c8d87d23df Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 15 Jul 2016 13:32:45 +1000
Subject: Determine appropriate salt for invalid users.
When sshd is processing a non-PAM login for a non-existent user it uses
the string from the fakepw structure as the salt for crypt(3)ing the
password supplied by the client. That string has a Blowfish prefix, so on
systems that don't understand that crypt will fail fast due to an invalid
salt, and even on those that do it may have significantly different timing
from the hash methods used for real accounts (eg sha512). This allows
user enumeration by, eg, sending large password strings. This was noted
by EddieEzra.Harari at verint.com (CVE-2016-6210).
To mitigate, use the same hash algorithm that root uses for hashing
passwords for users that do not exist on the system. ok djm@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-1.patch
---
auth-passwd.c | 12 ++++++++----
openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/auth-passwd.c b/auth-passwd.c
index 63ccf3c..530b5d4 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -193,7 +193,7 @@ int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
- char *encrypted_password;
+ char *encrypted_password, *salt = NULL;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
@@ -202,9 +202,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
- /* Encrypt the candidate password using the proper salt. */
- encrypted_password = xcrypt(password,
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+ /*
+ * Encrypt the candidate password using the proper salt, or pass a
+ * NULL and let xcrypt pick one.
+ */
+ if (authctxt->valid && pw_password[0] && pw_password[1])
+ salt = pw_password;
+ encrypted_password = xcrypt(password, salt);
/*
* Authentication is accepted if the encrypted passwords
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 8577cbd..8913bb8 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -25,6 +25,7 @@
#include "includes.h"
#include <sys/types.h>
+#include <string.h>
#include <unistd.h>
#include <pwd.h>
@@ -62,11 +63,44 @@
# define crypt DES_crypt
# endif
+/*
+ * Pick an appropriate password encryption type and salt for the running
+ * system.
+ */
+static const char *
+pick_salt(void)
+{
+ struct passwd *pw;
+ char *passwd, *p;
+ size_t typelen;
+ static char salt[32];
+
+ if (salt[0] != '\0')
+ return salt;
+ strlcpy(salt, "xx", sizeof(salt));
+ if ((pw = getpwuid(0)) == NULL)
+ return salt;
+ passwd = shadow_pw(pw);
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+ return salt; /* no $, DES */
+ typelen = p - passwd + 1;
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+ explicit_bzero(passwd, strlen(passwd));
+ return salt;
+}
+
char *
xcrypt(const char *password, const char *salt)
{
char *crypted;
+ /*
+ * If we don't have a salt we are encrypting a fake password for
+ * for timing purposes. Pick an appropriate salt.
+ */
+ if (salt == NULL)
+ salt = pick_salt();
+
# ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
crypted = md5_crypt(password, salt);

View file

@ -1,111 +0,0 @@
From dde63f7f998ac3812a26bbb2c1b2947f24fcd060 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 15 Jul 2016 13:49:44 +1000
Subject: Mitigate timing of disallowed users PAM logins.
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct. This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.
Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-2.patch
---
auth-pam.c | 35 +++++++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/auth-pam.c b/auth-pam.c
index 8425af1..abd6a5e 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -232,7 +232,6 @@ static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
-static char badpw[] = "\b\n\r\177INCORRECT";
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
@@ -810,12 +809,35 @@ sshpam_query(void *ctx, char **name, char **info,
return (-1);
}
+/*
+ * Returns a junk password of identical length to that the user supplied.
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
+ * vary processing time in proportion to password length.
+ */
+static char *
+fake_password(const char *wire_password)
+{
+ const char junk[] = "\b\n\r\177INCORRECT";
+ char *ret = NULL;
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
+
+ if (l >= INT_MAX)
+ fatal("%s: password length too long: %zu", __func__, l);
+
+ ret = malloc(l + 1);
+ for (i = 0; i < l; i++)
+ ret[i] = junk[i % (sizeof(junk) - 1)];
+ ret[i] = '\0';
+ return ret;
+}
+
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
+ char *fake;
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
@@ -836,8 +858,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
- else
- buffer_put_cstring(&buffer, badpw);
+ else {
+ fake = fake_password(*resp);
+ buffer_put_cstring(&buffer, fake);
+ free(fake);
+ }
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
@@ -1181,6 +1206,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
+ char *fake = NULL;
if (!options.use_pam || sshpam_handle == NULL)
fatal("PAM: %s called when PAM disabled or failed to "
@@ -1196,7 +1222,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES))
- sshpam_password = badpw;
+ sshpam_password = fake = fake_password(password);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
@@ -1206,6 +1232,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
+ free(fake);
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);

View file

@ -1,60 +0,0 @@
From abde8dda29c2db2405d6fbca2fe022430e2c1177 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Thu, 21 Jul 2016 14:17:31 +1000
Subject: Search users for one with a valid salt.
If the root account is locked (eg password "!!" or "*LK*") keep looking
until we find a user with a valid salt to use for crypting passwords of
invalid users. ok djm@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-3.patch
---
openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 8913bb8..cf6a9b9 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -65,7 +65,9 @@
/*
* Pick an appropriate password encryption type and salt for the running
- * system.
+ * system by searching through accounts until we find one that has a valid
+ * salt. Usually this will be root unless the root account is locked out.
+ * If we don't find one we return a traditional DES-based salt.
*/
static const char *
pick_salt(void)
@@ -78,14 +80,18 @@ pick_salt(void)
if (salt[0] != '\0')
return salt;
strlcpy(salt, "xx", sizeof(salt));
- if ((pw = getpwuid(0)) == NULL)
- return salt;
- passwd = shadow_pw(pw);
- if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
- return salt; /* no $, DES */
- typelen = p - passwd + 1;
- strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
- explicit_bzero(passwd, strlen(passwd));
+ setpwent();
+ while ((pw = getpwent()) != NULL) {
+ passwd = shadow_pw(pw);
+ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
+ typelen = p - passwd + 1;
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+ explicit_bzero(passwd, strlen(passwd));
+ goto out;
+ }
+ }
+ out:
+ endpwent();
return salt;
}

View file

@ -124,7 +124,7 @@ (define-public libssh2
(define-public openssh
(package
(name "openssh")
(version "7.2p2")
(version "7.3p1")
(source (origin
(method url-fetch)
(uri (let ((tail (string-append name "-" version ".tar.gz")))
@ -135,11 +135,7 @@ (define-public openssh
(string-append "http://ftp2.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
tail))))
(sha256 (base32
"132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7"))
(patches (search-patches "openssh-CVE-2015-8325.patch"
"openssh-CVE-2016-6210-1.patch"
"openssh-CVE-2016-6210-2.patch"
"openssh-CVE-2016-6210-3.patch"))))
"1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz"))))
(build-system gnu-build-system)
(inputs `(("groff" ,groff)
("openssl" ,openssl)