Bug#906236: openssh: CVE-2018-15473: delay bailout for invalid authenticating user until after the packet
Hi,
> openssh: CVE-2018-15473: delay bailout for invalid authenticating
> user until after the packet
I've started on a patch for wheezy (WIP attached).
Would the security team be interested in one for stretch? If so, I can
return with a proposed debdiff.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
--- openssh-6.7p1.orig/auth2-gss.c
+++ openssh-6.7p1/auth2-gss.c
@@ -102,9 +102,6 @@ userauth_gssapi(Authctxt *authctxt)
u_int len;
u_char *doid = NULL;
- if (!authctxt->valid || authctxt->user == NULL)
- return (0);
-
mechs = packet_get_int();
if (mechs == 0) {
debug("Mechanism negotiation is not supported");
@@ -135,6 +132,12 @@ userauth_gssapi(Authctxt *authctxt)
return (0);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ free(doid);
+ return (0);
+ }
+
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
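Review bot: The relocated check still returns before `ssh_gssapi_server_ctx()` runs, so a valid and an invalid user diverge immediately after the request has been parsed; this removes the parse-order oracle the CVE describes, but the two cases may still be distinguishable by response timing, which this patch does not claim to address. The same shape applies to the hostbased hunk (auth2-hostbased.c, the check before `service = ...`) and to both pubkey hunks. A short comment above the new block would help the next backporter see why the check sits here rather than at function entry, e.g. `/* Bail out only after the whole request has been consumed (CVE-2018-15473). */`. userauth_gssapi begins and ends outside this hunk.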
--- openssh-6.7p1.orig/auth2-hostbased.c
+++ openssh-6.7p1/auth2-hostbased.c
@@ -65,10 +65,6 @@ userauth_hostbased(Authctxt *authctxt)
int pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("userauth_hostbased: disabled because of invalid user");
- return 0;
- }
pkalg = packet_get_string(&alen);
pkblob = packet_get_string(&blen);
chost = packet_get_string(NULL);
@@ -107,6 +103,11 @@ userauth_hostbased(Authctxt *authctxt)
"signature format");
goto done;
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user", __func__);
+ goto done;
+ }
+
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
authctxt->service;
buffer_init(&b);
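Review bot: The new `goto done` at the head of this hunk relies on the `done:` label, which lies outside the hunk, to release everything parsed before this point — at least pkalg, pkblob and chost from L46–L48 plus whatever the elided lines read; please confirm none of those pointers can still be uninitialised when this path is taken, since the old early return fired before any of them were assigned. If any is assigned only conditionally, initialise it to NULL at declaration, as the pubkey hunk does for `sig`. userauth_hostbased begins and ends outside this hunk.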
--- openssh-6.7p1.orig/auth2-pubkey.c
+++ openssh-6.7p1/auth2-pubkey.c
@@ -76,15 +76,11 @@ userauth_pubkey(Authctxt *authctxt)
Buffer b;
Key *key = NULL;
char *pkalg, *userstyle;
- u_char *pkblob, *sig;
+ u_char *pkblob, *sig = NULL;
u_int alen, blen, slen;
int have_sig, pktype;
int authenticated = 0;
- if (!authctxt->valid) {
- debug2("userauth_pubkey: disabled because of invalid user");
- return 0;
- }
have_sig = packet_get_char();
if (datafellows & SSH_BUG_PKAUTH) {
debug2("userauth_pubkey: SSH_BUG_PKAUTH");
@@ -131,6 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
} else {
buffer_put_string(&b, session_id2, session_id2_len);
}
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
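Review bot: The new `goto done` leaks the Buffer `b`: by this point `b` has already been initialised and had the session id appended (L81), the normal path releases it with `buffer_free(&b)` (L94), but the `done:` label (L108–L113) frees only key, pkalg, pkblob and sig. This path is reachable before authentication, so every signed request naming an unknown user leaks the buffer's allocation. Either release it before jumping, `buffer_free(&b);` directly above `goto done;`, or — as upstream's version does, if memory serves — move the check to just after `packet_check_eom()` and before `buffer_init(&b)` so that no buffer exists yet. The non-signature branch in the next hunk does not have this problem because no buffer is in play there.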
@@ -162,11 +163,14 @@ userauth_pubkey(Authctxt *authctxt)
buffer_len(&b))) == 1)
authenticated = 1;
buffer_free(&b);
- free(sig);
} else {
debug("test whether pkalg/pkblob are acceptable");
packet_check_eom();
-
+ if (!authctxt->valid || authctxt->user == NULL) {
+ debug2("%s: disabled because of invalid user",
+ __func__);
+ goto done;
+ }
/* XXX fake reply and always send PK_OK ? */
/*
* XXX this allows testing whether a user is allowed
@@ -192,6 +196,7 @@ done:
key_free(key);
free(pkalg);
free(pkblob);
+ free(sig);
return authenticated;
}