From 6c861e0b33f48ec44398b1064ad176671b931849b9a6c2c541db959e496c9647 Mon Sep 17 00:00:00 2001 
From: Petr Cerny Date: Fri, 7 Oct 2016 15:57:29 +0000 Subject: [PATCH] Accepting request 433779 from home:pcerny:factory - remaining patches that were still missing since the update to 7.2p2 (FATE#319675): [openssh-7.2p2-disable_openssl_abi_check.patch] - fix forwarding with IPv6 addresses in DISPLAY (bnc#847710) [openssh-7.2p2-IPv6_X_forwarding.patch] - ignore PAM environment when using login (bsc#975865, CVE-2015-8325) [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] - limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) [openssh-7.2p2-limit_password_length.patch] - Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [openssh-7.2p2-prevent_timing_user_enumeration.patch] - Add auditing for PRNG re-seeding [openssh-7.2p2-audit_seed_prng.patch] OBS-URL: https://build.opensuse.org/request/show/433779 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113 --- openssh-7.2p2-IPv6_X_forwarding.patch | 72 +++++ openssh-7.2p2-X11_trusted_forwarding.patch | 2 +- ...h-7.2p2-X_forward_with_disabled_ipv6.patch | 2 +- openssh-7.2p2-additional_seccomp_archs.patch | 4 +- openssh-7.2p2-allow_DSS_by_default.patch | 2 +- openssh-7.2p2-allow_root_password_login.patch | 2 +- openssh-7.2p2-audit.patch | 5 +- openssh-7.2p2-audit_seed_prng.patch | 116 ++++++++ openssh-7.2p2-blocksigalrm.patch | 2 +- ...nssh-7.2p2-disable_openssl_abi_check.patch | 2 +- ...sh-7.2p2-disable_short_DH_parameters.patch | 2 +- openssh-7.2p2-dont_use_pthreads_in_PAM.patch | 2 +- openssh-7.2p2-eal3.patch | 2 +- openssh-7.2p2-enable_PAM_by_default.patch | 2 +- openssh-7.2p2-fips.patch | 2 +- openssh-7.2p2-gssapi_key_exchange.patch | 2 +- openssh-7.2p2-host_ident.patch | 2 +- ...2-hostname_changes_when_forwarding_X.patch | 2 +- openssh-7.2p2-ignore_PAM_with_UseLogin.patch | 33 +++ openssh-7.2p2-lastlog.patch | 2 +- openssh-7.2p2-ldap.patch | 2 +- openssh-7.2p2-limit_password_length.patch | 52 ++++ 
openssh-7.2p2-login_options.patch | 2 +- openssh-7.2p2-no_fork-no_pid_file.patch | 4 +- openssh-7.2p2-pam_check_locks.patch | 2 +- ....2p2-prevent_timing_user_enumeration.patch | 264 ++++++++++++++++++ openssh-7.2p2-pts_names_formatting.patch | 2 +- ...h-7.2p2-remove_xauth_cookies_on_exit.patch | 2 +- openssh-7.2p2-seccomp_getuid.patch | 2 +- openssh-7.2p2-seccomp_stat.patch | 2 +- openssh-7.2p2-seed-prng.patch | 2 +- openssh-7.2p2-send_locale.patch | 2 +- openssh-7.2p2-sftp_force_permissions.patch | 2 +- openssh-7.2p2-sftp_homechroot.patch | 2 +- openssh.changes | 17 +- openssh.spec | 32 ++- 36 files changed, 605 insertions(+), 46 deletions(-) create mode 100644 openssh-7.2p2-IPv6_X_forwarding.patch create mode 100644 openssh-7.2p2-audit_seed_prng.patch rename openssh-7.2p2-disable-openssl-abi-check.patch => openssh-7.2p2-disable_openssl_abi_check.patch (97%) create mode 100644 openssh-7.2p2-ignore_PAM_with_UseLogin.patch create mode 100644 openssh-7.2p2-limit_password_length.patch create mode 100644 openssh-7.2p2-prevent_timing_user_enumeration.patch diff --git a/openssh-7.2p2-IPv6_X_forwarding.patch b/openssh-7.2p2-IPv6_X_forwarding.patch new file mode 100644 index 0000000..067f644 --- /dev/null +++ b/openssh-7.2p2-IPv6_X_forwarding.patch 
@@ -0,0 +1,72 @@ +# HG changeset patch +# Parent 8c4cb20b9633595de68131224b2d434e8dc41e17 +Correctly parse DISPLAY variable for cases where it contains an IPv6 address +(which should - but not always is - in (square) brackets). + +bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710 + +diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c +--- a/openssh-7.2p2/channels.c ++++ b/openssh-7.2p2/channels.c +@@ -4049,18 +4049,19 @@ x11_connect_display(void) + /* OK, we now have a connection to the display. */ + return sock; + } + #endif + /* + * Check if it is a unix domain socket. Unix domain displays are in + * one of the following formats: unix:d[.s], :d[.s], ::d[.s] + */ ++ cp = strrchr(display, ':'); + if (strncmp(display, "unix:", 5) == 0 || +- display[0] == ':') { ++ (display[0] == ':' && ((cp - display) < 2)) ) { + /* Connect to the unix domain socket. */ + if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { + error("Could not parse display number from DISPLAY: %.100s", + display); + return -1; + } + /* Create a socket. */ + sock = connect_local_xsocket(display_number); +@@ -4068,30 +4069,39 @@ x11_connect_display(void) + return -1; + + /* OK, we now have a connection to the display. */ + return sock; + } + /* + * Connect to an inet socket. The DISPLAY value is supposedly + * hostname:d[.s], where hostname may also be numeric IP address. ++ * Note that IPv6 numberic addresses contain colons (e.g. ::1:0) + */ + strlcpy(buf, display, sizeof(buf)); +- cp = strchr(buf, ':'); ++ cp = strrchr(buf, ':'); + if (!cp) { + error("Could not find ':' in DISPLAY: %.100s", display); + return -1; + } + *cp = 0; + /* buf now contains the host name. But first we parse the display number. */ + if (sscanf(cp + 1, "%u", &display_number) != 1) { + error("Could not parse display number from DISPLAY: %.100s", + display); + return -1; + } ++ ++ /* Remove brackets surrounding IPv6 addresses if there are any. 
*/ ++ if (buf[0] == '[' && (cp = strchr(buf, ']'))) { ++ *cp = 0; ++ cp = buf + 1; ++ } else { ++ cp = buf; ++ } + + /* Look up the host address */ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = IPv4or6; + hints.ai_socktype = SOCK_STREAM; + snprintf(strport, sizeof strport, "%u", 6000 + display_number); + if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { + error("%.100s: unknown host. (%s)", buf, diff --git a/openssh-7.2p2-X11_trusted_forwarding.patch b/openssh-7.2p2-X11_trusted_forwarding.patch index e6522c1..95b8d04 100644 --- a/openssh-7.2p2-X11_trusted_forwarding.patch +++ b/openssh-7.2p2-X11_trusted_forwarding.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent d11948586a6da11e968278f55b48318b2263802b +# Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0 # enable trusted X11 forwarding by default in both sshd and sshsystem-wide # configuration # bnc#50836 (was suse #35836) diff --git a/openssh-7.2p2-X_forward_with_disabled_ipv6.patch b/openssh-7.2p2-X_forward_with_disabled_ipv6.patch index 9c92da3..6b83f3b 100644 --- a/openssh-7.2p2-X_forward_with_disabled_ipv6.patch +++ b/openssh-7.2p2-X_forward_with_disabled_ipv6.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 3d4efb38a918055f977a08aa7d1486a04bee6e11 +# Parent 28e8840bbf49c6e603bf2b55a08ed9050a60f9fb Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() diff --git a/openssh-7.2p2-additional_seccomp_archs.patch b/openssh-7.2p2-additional_seccomp_archs.patch index f1c743f..a410f8d 100644 --- a/openssh-7.2p2-additional_seccomp_archs.patch +++ b/openssh-7.2p2-additional_seccomp_archs.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 27b9bd4a1a53a28b5e9eda0a9c013d98f821149b +# Parent e7bdbc5ea8971599466becf01bff12b9fcb5df3e Enable the seccomp-bpf sandbox on more architectures upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1) 
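Review bot: The bracket-stripping block in x11_connect_display sets `cp = buf + 1` to point past the opening '[', but the host lookup that follows still passes `buf`, so a bracketed DISPLAY such as [::1]:0 reaches getaddrinfo as "[::1" (the ']' having just been overwritten with 0) and fails; the lookup and its error message should use `cp`: `if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) {` and `error("%.100s: unknown host. (%s)", cp,`. In the else branch cp already equals buf, so unbracketed hosts are unaffected by that change. As written the new `cp = buf + 1` assignment is dead. x11_connect_display begins before and continues past the quoted context.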
@@ -7,7 +7,7 @@ Author: Damien Miller Date: Fri Jul 8 13:59:13 2016 +1000 whitelist more architectures for seccomp-bpf - + bz#2590 - testing and patch from Jakub Jelen diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac diff --git a/openssh-7.2p2-allow_DSS_by_default.patch b/openssh-7.2p2-allow_DSS_by_default.patch index 84ae721..ad19e35 100644 --- a/openssh-7.2p2-allow_DSS_by_default.patch +++ b/openssh-7.2p2-allow_DSS_by_default.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent ec31f6a59145c0db748855bd5bc178161591dae9 +# Parent d33bce122aa351a56ce457be35feda52171f9088 Enable DSS authentication by default to maintain compatibility with older versions. diff --git a/openssh-7.2p2-allow_root_password_login.patch b/openssh-7.2p2-allow_root_password_login.patch index 145e0f8..9500ee5 100644 --- a/openssh-7.2p2-allow_root_password_login.patch +++ b/openssh-7.2p2-allow_root_password_login.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent aab6d99cb51e48a9046c3d7be8443b83b8ee5127 +# Parent c43ae523939377778762e81743b77b3c75eb4bd1 Allow root login with password by default. While less secure than upstream default of forbidding access to the root account with a password, we are temporarily introducing this change to keep the default used in older OpenSSH diff --git a/openssh-7.2p2-audit.patch b/openssh-7.2p2-audit.patch index 819cd48..d8c570a 100644 --- a/openssh-7.2p2-audit.patch +++ b/openssh-7.2p2-audit.patch @@ -1,7 +1,6 @@ # HG changeset patch -# Parent cca48c52e3c70244e7f52d4fb3f86f920d5c8e0f -Extended auditing through Linux Audit subsystem -bz#1402 +# Parent af5c4026e36e7aa181c164d2eca72b7e2a8a897a +Extended auditing through the Linux Auditing subsystem diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in --- a/openssh-7.2p2/Makefile.in diff --git a/openssh-7.2p2-audit_seed_prng.patch b/openssh-7.2p2-audit_seed_prng.patch new file mode 100644 index 0000000..372f43e --- /dev/null +++ b/openssh-7.2p2-audit_seed_prng.patch 
@@ -0,0 +1,116 @@ +# HG changeset patch +# Parent 3aad88a155050008275527c0624ae6fa05d0cdad +Audit PRNG re-seeding + +diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c +--- a/openssh-7.2p2/audit-bsm.c ++++ b/openssh-7.2p2/audit-bsm.c +@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char + /* not implemented */ + } + + void + audit_generate_ephemeral_server_key(const char *fp) + { + /* not implemented */ + } ++ ++void ++audit_linux_prng_seed(long bytes, const char *rf) ++{ ++ /* not implemented */ ++} + #endif /* BSM */ +diff --git a/openssh-7.2p2/audit-linux.c b/openssh-7.2p2/audit-linux.c +--- a/openssh-7.2p2/audit-linux.c ++++ b/openssh-7.2p2/audit-linux.c +@@ -402,9 +402,31 @@ audit_generate_ephemeral_server_key(cons + } + audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, + buf, NULL, 0, NULL, 1); + audit_close(audit_fd); + /* do not abort if the error is EPERM and sshd is run as non root user */ + if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0))) + error("cannot write into audit"); + } ++ ++void ++audit_linux_prng_seed(long bytes, const char *rf) ++{ ++ char buf[AUDIT_LOG_SIZE]; ++ int audit_fd, audit_ok; ++ ++ snprintf(buf, sizeof(buf), "op=prng_seed kind=server bytes=%li source=%s ", bytes, rf); ++ audit_fd = audit_open(); ++ if (audit_fd < 0) { ++ if (errno != EINVAL && errno != EPROTONOSUPPORT && ++ errno != EAFNOSUPPORT) ++ error("cannot open audit"); ++ return; ++ } ++ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_PARAM_CHANGE_USER, ++ buf, NULL, 0, NULL, 1); ++ audit_close(audit_fd); ++ /* do not abort if the error is EPERM and sshd is run as non root user */ ++ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0))) ++ error("cannot write into audit"); ++} + #endif /* USE_LINUX_AUDIT */ +diff --git a/openssh-7.2p2/audit.c b/openssh-7.2p2/audit.c +--- a/openssh-7.2p2/audit.c ++++ b/openssh-7.2p2/audit.c +@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char + /* + * This will be 
called on generation of the ephemeral server key + */ + void + audit_generate_ephemeral_server_key(const char *) + { + debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp); + } ++ ++void ++audit_linux_prng_seed(long bytes, const char *rf) ++{ ++ debug("audit PRNG seed euid %d bytes %li source %s", geteuid(), bytes, rf); ++} + # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ + #endif /* SSH_AUDIT_EVENTS */ +diff --git a/openssh-7.2p2/audit.h b/openssh-7.2p2/audit.h +--- a/openssh-7.2p2/audit.h ++++ b/openssh-7.2p2/audit.h +@@ -69,10 +69,11 @@ void audit_key(int, int *, const Key *); + void audit_unsupported(int); + void audit_kex(int, char *, char *, char *, char *); + void audit_unsupported_body(int); + void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); + void audit_session_key_free(int ctos); + void audit_session_key_free_body(int ctos, pid_t, uid_t); + void audit_destroy_sensitive_data(const char *, pid_t, uid_t); + void audit_generate_ephemeral_server_key(const char *); ++void audit_linux_prng_seed(long, const char *); + + #endif /* _SSH_AUDIT_H */ +diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c +--- a/openssh-7.2p2/sshd.c ++++ b/openssh-7.2p2/sshd.c +@@ -1421,16 +1421,19 @@ server_accept_loop(int *sock_in, int *so + if (maxfd < startup_p[0]) + maxfd = startup_p[0]; + startups++; + break; + } + if(!(--re_seeding_counter)) { + re_seeding_counter = RESEED_AFTER; + linux_seed(); ++#ifdef SSH_AUDIT_EVENTS ++ audit_linux_prng_seed(rand_bytes, rand_file); ++#endif + } + + /* + * Got connection. Fork a child to handle it, unless + * we are in debugging mode. + */ + if (debug_flag) { + /* diff --git a/openssh-7.2p2-blocksigalrm.patch b/openssh-7.2p2-blocksigalrm.patch index 8f5ace7..c2350b1 100644 --- a/openssh-7.2p2-blocksigalrm.patch +++ b/openssh-7.2p2-blocksigalrm.patch 
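Review bot: The new audit_linux_prng_seed in audit-linux.c repeats the open/log/close/EPERM-tolerance sequence of audit_generate_ephemeral_server_key shown directly above it, differing only in the message text and the AUDIT_* record type; a file-local helper taking those two (`static void audit_send_user_message(int type, const char *msg)`) would keep the "do not abort if the error is EPERM" rule in one place. The `%s` in the `source=` field formats `rf` straight from sshd's rand_file; if that pointer can be unset when reseeding is configured without a file (not visible here), guard it with `rf != NULL ? rf : "(none)"`. The function is also given BSM and generic-debug implementations, so a backend-neutral name such as audit_prng_seed would match the other audit_* entry points declared in audit.h. server_accept_loop in sshd.c starts before the quoted context.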
@@ -1,5 +1,5 @@ # HG changeset patch -# Parent 0c50460ce313d041c2484d21ab810c8ee487cded +# Parent 0bfb5dd4b190b546a3e40a59483b2b2884a47c39 block SIGALRM while logging through syslog to prevent deadlocks (through grace_alarm_handler()) diff --git a/openssh-7.2p2-disable-openssl-abi-check.patch b/openssh-7.2p2-disable_openssl_abi_check.patch similarity index 97% rename from openssh-7.2p2-disable-openssl-abi-check.patch rename to openssh-7.2p2-disable_openssl_abi_check.patch index 258d861..ff077dd 100644 --- a/openssh-7.2p2-disable-openssl-abi-check.patch +++ b/openssh-7.2p2-disable_openssl_abi_check.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 2d4a91c3c6c5b161f21511712889c2906fa158a4 +# Parent 16c4937db837ab7cdbe0422b81de0e7a9a8479cd disable run-time check for OpenSSL ABI by version number as that is not a reliable indicator of ABI changes and doesn't make much sense in a distribution package diff --git a/openssh-7.2p2-disable_short_DH_parameters.patch b/openssh-7.2p2-disable_short_DH_parameters.patch index 06013c6..b08abba 100644 --- a/openssh-7.2p2-disable_short_DH_parameters.patch +++ b/openssh-7.2p2-disable_short_DH_parameters.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 69bdfde8282f9ab67c29e431a74916c045301ff5 +# Parent 7b5f436e0026923299fdd1994f8da8fd9948be7c Raise minimal size of DH group parameters to 2048 bits like upstream did in 7.2. 1024b values are believed to be in breaking range for state adversaries diff --git a/openssh-7.2p2-dont_use_pthreads_in_PAM.patch b/openssh-7.2p2-dont_use_pthreads_in_PAM.patch index 495c85a..f382f6a 100644 --- a/openssh-7.2p2-dont_use_pthreads_in_PAM.patch +++ b/openssh-7.2p2-dont_use_pthreads_in_PAM.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 93f67586b27e7f018c5b34e33f8156df772e980d +# Parent e4886597a8984ae1594b6866fe1b232370b23529 # posix threads are generally not supported nor safe # (see upstream log from 2005-05-24) # --used to be called '-pam-fix3' 
diff --git a/openssh-7.2p2-eal3.patch b/openssh-7.2p2-eal3.patch index c19944a..201a239 100644 --- a/openssh-7.2p2-eal3.patch +++ b/openssh-7.2p2-eal3.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 8e5876ee9478740b83887db9fc6e3b1605848534 +# Parent f19426f2fa9c634474e635bf33b86acea0518f6d fix paths and references in sshd man pages diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8 diff --git a/openssh-7.2p2-enable_PAM_by_default.patch b/openssh-7.2p2-enable_PAM_by_default.patch index f37f78e..93bda5c 100644 --- a/openssh-7.2p2-enable_PAM_by_default.patch +++ b/openssh-7.2p2-enable_PAM_by_default.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent a51f9cba48652fc5df45b9ac8bd238268c70673c +# Parent 980f301b2920c09b30577dd722546bca85d25fc1 # force PAM in defaullt install (this was removed from upstream in 3.8p1) # bnc#46749 # --used to be called '-pam-fix2' diff --git a/openssh-7.2p2-fips.patch b/openssh-7.2p2-fips.patch index eaf96c4..8df737a 100644 --- a/openssh-7.2p2-fips.patch +++ b/openssh-7.2p2-fips.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 0c3e1f1c3b2ab533f9cb1c82fb75ff247a9c71b1 +# Parent 3e1393b771d6430ae09ae30741a3b9b382e3e041 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. diff --git a/openssh-7.2p2-gssapi_key_exchange.patch b/openssh-7.2p2-gssapi_key_exchange.patch index 2717dcb..7bc2da3 100644 --- a/openssh-7.2p2-gssapi_key_exchange.patch +++ b/openssh-7.2p2-gssapi_key_exchange.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 9240088fbf80624f62dc79bcf5f3113a1b6dddd8 +# Parent 84a6252b7ac18855cf188e5911bdf8a757d4460a GSSAPI Key Exchange implementation diff --git a/openssh-7.2p2/ChangeLog.gssapi b/openssh-7.2p2/ChangeLog.gssapi diff --git a/openssh-7.2p2-host_ident.patch b/openssh-7.2p2-host_ident.patch index 9a17313..5800abd 100644 --- a/openssh-7.2p2-host_ident.patch +++ b/openssh-7.2p2-host_ident.patch 
@@ -1,5 +1,5 @@ # HG changeset patch -# Parent fe2618b7337c0d97483dc98a6b53636c89f3d371 +# Parent 605a6220fcc2c96e9196681fe480fab16b505ee1 Suggest command line for removal of offending keys from known_hosts file diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c diff --git a/openssh-7.2p2-hostname_changes_when_forwarding_X.patch b/openssh-7.2p2-hostname_changes_when_forwarding_X.patch index 3768bd9..4714d67 100644 --- a/openssh-7.2p2-hostname_changes_when_forwarding_X.patch +++ b/openssh-7.2p2-hostname_changes_when_forwarding_X.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 7e84e692f90c19e76a4180d54c7fdda2752c6c41 +# Parent f7ba2081f120bd1e44dbe68737c898f078725aab # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X diff --git a/openssh-7.2p2-ignore_PAM_with_UseLogin.patch b/openssh-7.2p2-ignore_PAM_with_UseLogin.patch new file mode 100644 index 0000000..78bd3e8 --- /dev/null +++ b/openssh-7.2p2-ignore_PAM_with_UseLogin.patch @@ -0,0 +1,33 @@ +# HG changeset patch +# Parent cb9be7363a9f32133f0d105d515149dd77cc8cd3 + +Do not import PAM environment variables when using login, since it may have +security implications. + +CVE-2015-8325 +bsc#975865 + +Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 + +diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c +--- a/openssh-7.2p2/session.c ++++ b/openssh-7.2p2/session.c +@@ -1351,17 +1351,17 @@ do_setup_env(Session *s, const char *she + child_set_env(&env, &envsize, "KRB5CCNAME", + s->authctxt->krb5_ccname); + #endif + #ifdef USE_PAM + /* + * Pull in any environment variables that may have + * been set by PAM. + */ +- if (options.use_pam) { ++ if (options.use_pam && !options.use_login) { + char **p; + + p = fetch_pam_child_environment(); + copy_environment(p, &env, &envsize); + free_pam_environment(p); + + p = fetch_pam_environment(); + copy_environment(p, &env, &envsize); 
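Review bot: The widened condition `if (options.use_pam && !options.use_login)` in do_setup_env carries no explanation at the site, while the comment above it still says only that PAM variables are pulled in, so a reader meeting the UseLogin exclusion later has to dig through the changelog to learn why it exists. Suggest extending that comment: `* been set by PAM. Not done under UseLogin, where importing the PAM` / `* environment has security implications (CVE-2015-8325, bsc#975865).` do_setup_env starts before and continues past the quoted context.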
diff --git a/openssh-7.2p2-lastlog.patch b/openssh-7.2p2-lastlog.patch index 998ed0c..2accb74 100644 --- a/openssh-7.2p2-lastlog.patch +++ b/openssh-7.2p2-lastlog.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 3007da75cc9c93ead70a4971b9057d230178511c +# Parent 79c00e0f450c33b3f545ef104112b55186290e2c # set uid for functions that use it to seek in lastlog and wtmp files # bnc#18024 (was suse #3024) diff --git a/openssh-7.2p2-ldap.patch b/openssh-7.2p2-ldap.patch index 79fab89..db4613a 100644 --- a/openssh-7.2p2-ldap.patch +++ b/openssh-7.2p2-ldap.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent fac59d81a8fba12278aea6a7b8a88b02fe02155a +# Parent b8135c449e59282a8926ff44fcb4670baf8f158e # Helper app for retrieving keys from a LDAP server # by Jan F. Chadima # diff --git a/openssh-7.2p2-limit_password_length.patch b/openssh-7.2p2-limit_password_length.patch new file mode 100644 index 0000000..c600b4a --- /dev/null +++ b/openssh-7.2p2-limit_password_length.patch 
@@ -0,0 +1,52 @@ +# HG changeset patch +# Parent e351203d2784230a3b56b8e3dd6955403ed10ca4 +Limit accepted passwords length to prevent DoS by resource consumption +(via crypt() eating CPU cycles). + +CVE-2016-6515 +bsc#992533 + +upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97 + +diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c +--- a/openssh-7.2p2/auth-passwd.c ++++ b/openssh-7.2p2/auth-passwd.c +@@ -61,16 +61,18 @@ extern ServerOptions options; + #ifdef HAVE_LOGIN_CAP + extern login_cap_t *lc; + #endif + + + #define DAY (24L * 60 * 60) /* 1 day in seconds */ + #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ + ++#define MAX_PASSWORD_LEN 1024 ++ + void + disable_forwarding(void) + { + no_port_forwarding_flag = 1; + no_agent_forwarding_flag = 1; + no_x11_forwarding_flag = 1; + } + +@@ -82,16 +84,19 @@ int + auth_password(Authctxt *authctxt, const char *password) + { + struct passwd * pw = authctxt->pw; + int result, ok = authctxt->valid; + #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + static int expire_checked = 0; + #endif + ++ if (strlen(password) > MAX_PASSWORD_LEN) ++ return 0; ++ + #ifndef HAVE_CYGWIN + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + ok = 0; + #endif + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + + #ifdef KRB5 diff --git a/openssh-7.2p2-login_options.patch b/openssh-7.2p2-login_options.patch index 225e034..23abf8c 100644 --- a/openssh-7.2p2-login_options.patch +++ b/openssh-7.2p2-login_options.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent a2ec408c99eefdd4c23f01eafddb0ce786514f50 +# Parent 295ae9c5f5da12d273f3b91e90145b449984a7dc # HG changeset patch # Parent b262fd34c8ecd55e93d457b3ca5593abce716856 # login-pam cannot handle the option terminator "--" as login from util-linux diff --git a/openssh-7.2p2-no_fork-no_pid_file.patch b/openssh-7.2p2-no_fork-no_pid_file.patch index 85f7848..8ae51d6 100644 --- a/openssh-7.2p2-no_fork-no_pid_file.patch 
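Review bot: The new length guard in auth_password returns 0 silently, so an over-long password attempt is indistinguishable in the logs from an ordinary wrong password, hiding exactly the pattern an operator would want to see during a resource-consumption attempt; a `debug("%s: password of %zu bytes exceeds MAX_PASSWORD_LEN", __func__, strlen(password));` before the `return 0;` makes it visible at debug level without changing what the client sees. `#define MAX_PASSWORD_LEN 1024` also has no comment on what the bound is for; suggest `/* Upper bound on a candidate password; longer input is rejected before crypt() to bound CPU per attempt (CVE-2016-6515) */`. On the PAM path this check only helps if sshpam_auth_passwd is reached through auth_password, which is not visible here. auth_password continues past the quoted context.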
+++ b/openssh-7.2p2-no_fork-no_pid_file.patch @@ -1,11 +1,11 @@ # HG changeset patch -# Parent 09a93433f5bb8baff0dce629c75f96357e3b1055 +# Parent 7ce81a30bb196401c63782b646d8a6d511ddec4b Do not write a PID file when not daemonizing (e.g. when running from systemd) diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c --- a/openssh-7.2p2/sshd.c +++ b/openssh-7.2p2/sshd.c -@@ -2104,17 +2104,17 @@ main(int ac, char **av) +@@ -2107,17 +2107,17 @@ main(int ac, char **av) signal(SIGCHLD, main_sigchld_handler); signal(SIGTERM, sigterm_handler); signal(SIGQUIT, sigterm_handler); diff --git a/openssh-7.2p2-pam_check_locks.patch b/openssh-7.2p2-pam_check_locks.patch index 621126c..ac8a767 100644 --- a/openssh-7.2p2-pam_check_locks.patch +++ b/openssh-7.2p2-pam_check_locks.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 2b2855c68e979299aee899a7cb6e4aa57a828668 +# Parent ac7f843cd7ebec413691d51823cdc67b611abdff new option UsePAMCheckLocks to enforce checking for locked accounts while UsePAM is used diff --git a/openssh-7.2p2-prevent_timing_user_enumeration.patch b/openssh-7.2p2-prevent_timing_user_enumeration.patch new file mode 100644 index 0000000..857749f --- /dev/null +++ b/openssh-7.2p2-prevent_timing_user_enumeration.patch 
@@ -0,0 +1,264 @@ +# HG changeset patch +# Parent 323ac0fc20b1d5e9bf7037e020adfd760dd2d5f2 +Prevent user enumeration through password processing timing +CVE-2016-6210 +bsc#989363 + +non-PAM part: +upstream commit: 9286875a73b2de7736b5e50692739d314cd8d9dc + +PAM part: +upstream commit: 283b97ff33ea2c641161950849931bd578de6946 + +diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c +--- a/openssh-7.2p2/auth-pam.c ++++ b/openssh-7.2p2/auth-pam.c +@@ -227,17 +227,16 @@ static pam_handle_t *sshpam_handle = NUL + static int sshpam_err = 0; + static int sshpam_authenticated = 0; + static int sshpam_session_open = 0; + static int sshpam_cred_established = 0; + static int sshpam_account_status = -1; + static char **sshpam_env = NULL; + static Authctxt *sshpam_authctxt = NULL; + static const char *sshpam_password = NULL; +-static char badpw[] = "\b\n\r\177INCORRECT"; + + /* Some PAM implementations don't implement this */ + #ifndef HAVE_PAM_GETENVLIST + static char ** + pam_getenvlist(pam_handle_t *pamh) + { + /* + * XXX - If necessary, we can still support envrionment passing +@@ -807,22 +806,45 @@ sshpam_query(void *ctx, char **name, cha + free(msg); + ctxt->pam_done = -1; + return (-1); + } + } + return (-1); + } + ++/* ++ * Returns a junk password of identical length to that the user supplied. ++ * Used to mitigate timing attacks against crypt(3)/PAM stacks that ++ * vary processing time in proportion to password length. ++ */ ++static char * ++fake_password(const char *wire_password) ++{ ++ const char junk[] = "\b\n\r\177INCORRECT"; ++ char *ret = NULL; ++ size_t i, l = wire_password != NULL ? 
strlen(wire_password) : 0; ++ ++ if (l >= INT_MAX) ++ fatal("%s: password length too long: %zu", __func__, l); ++ ++ ret = xmalloc(l + 1); ++ for (i = 0; i < l; i++) ++ ret[i] = junk[i % (sizeof(junk) - 1)]; ++ ret[i] = '\0'; ++ return ret; ++} ++ + /* XXX - see also comment in auth-chall.c:verify_response */ + static int + sshpam_respond(void *ctx, u_int num, char **resp) + { + Buffer buffer; + struct pam_ctxt *ctxt = ctx; ++ char *fake; + + debug2("PAM: %s entering, %u responses", __func__, num); + switch (ctxt->pam_done) { + case 1: + sshpam_authenticated = 1; + return (0); + case 0: + break; +@@ -833,18 +855,21 @@ sshpam_respond(void *ctx, u_int num, cha + error("PAM: expected one response, got %u", num); + return (-1); + } + buffer_init(&buffer); + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + buffer_put_cstring(&buffer, *resp); +- else +- buffer_put_cstring(&buffer, badpw); ++ else { ++ fake = fake_password(*resp); ++ buffer_put_cstring(&buffer, fake); ++ free(fake); ++ } + if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { + buffer_free(&buffer); + return (-1); + } + buffer_free(&buffer); + return (1); + } + +@@ -1178,41 +1203,43 @@ static struct pam_conv passwd_conv = { s + /* + * Attempt password authentication via PAM + */ + int + sshpam_auth_passwd(Authctxt *authctxt, const char *password) + { + int flags = (options.permit_empty_passwd == 0 ? + PAM_DISALLOW_NULL_AUTHTOK : 0); ++ char *fake = NULL; + + if (!options.use_pam || sshpam_handle == NULL) + fatal("PAM: %s called when PAM disabled or failed to " + "initialise.", __func__); + + sshpam_password = password; + sshpam_authctxt = authctxt; + + /* + * If the user logging in is invalid, or is root but is not permitted + * by PermitRootLogin, use an invalid password to prevent leaking + * information via timing (eg if the PAM config has a delay on fail). 
+ */ + if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) +- sshpam_password = badpw; ++ sshpam_password = fake = fake_password(password); + + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&passwd_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: %s: failed to set PAM_CONV: %s", __func__, + pam_strerror(sshpam_handle, sshpam_err)); + + sshpam_err = pam_authenticate(sshpam_handle, flags); + sshpam_password = NULL; ++ free(fake); + if (sshpam_err == PAM_SUCCESS && authctxt->valid) { + debug("PAM: password authentication accepted for %.100s", + authctxt->user); + return 1; + } else { + debug("PAM: password authentication failed for %.100s: %s", + authctxt->valid ? authctxt->user : "an illegal user", + pam_strerror(sshpam_handle, sshpam_err)); +diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c +--- a/openssh-7.2p2/auth-passwd.c ++++ b/openssh-7.2p2/auth-passwd.c +@@ -188,28 +188,32 @@ sys_auth_passwd(Authctxt *authctxt, cons + return (auth_close(as)); + } + } + #elif !defined(CUSTOM_SYS_AUTH_PASSWD) + int + sys_auth_passwd(Authctxt *authctxt, const char *password) + { + struct passwd *pw = authctxt->pw; +- char *encrypted_password; ++ char *encrypted_password, *salt = NULL; + + /* Just use the supplied fake password if authctxt is invalid */ + char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; + + /* Check for users with no password. */ + if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) + return (1); + +- /* Encrypt the candidate password using the proper salt. */ +- encrypted_password = xcrypt(password, +- (pw_password[0] && pw_password[1]) ? pw_password : "xx"); ++ /* ++ * Encrypt the candidate password using the proper salt, or pass a ++ * NULL and let xcrypt pick one. 
++ */ ++ if (authctxt->valid && pw_password[0] && pw_password[1]) ++ salt = pw_password; ++ encrypted_password = xcrypt(password, salt); + + /* + * Authentication is accepted if the encrypted passwords + * are identical. + */ + return encrypted_password != NULL && + strcmp(encrypted_password, pw_password) == 0; + } +diff --git a/openssh-7.2p2/openbsd-compat/xcrypt.c b/openssh-7.2p2/openbsd-compat/xcrypt.c +--- a/openssh-7.2p2/openbsd-compat/xcrypt.c ++++ b/openssh-7.2p2/openbsd-compat/xcrypt.c +@@ -20,16 +20,17 @@ + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + + #include "includes.h" + + #include ++#include + #include + #include + + # if defined(HAVE_CRYPT_H) && !defined(HAVE_SECUREWARE) + # include + # endif + + # ifdef __hpux +@@ -57,21 +58,54 @@ + # include "md5crypt.h" + # endif + + # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) + # include + # define crypt DES_crypt + # endif + ++/* ++ * Pick an appropriate password encryption type and salt for the running ++ * system. ++ */ ++static const char * ++pick_salt(void) ++{ ++ struct passwd *pw; ++ char *passwd, *p; ++ size_t typelen; ++ static char salt[32]; ++ ++ if (salt[0] != '\0') ++ return salt; ++ strlcpy(salt, "xx", sizeof(salt)); ++ if ((pw = getpwuid(0)) == NULL) ++ return salt; ++ passwd = shadow_pw(pw); ++ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL) ++ return salt; /* no $, DES */ ++ typelen = p - passwd + 1; ++ strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); ++ explicit_bzero(passwd, strlen(passwd)); ++ return salt; ++} ++ + char * + xcrypt(const char *password, const char *salt) + { + char *crypted; + ++ /* ++ * If we don't have a salt we are encrypting a fake password for ++ * for timing purposes. Pick an appropriate salt. 
++ */ ++ if (salt == NULL) ++ salt = pick_salt(); ++ + # ifdef HAVE_MD5_PASSWORDS + if (is_md5_salt(salt)) + crypted = md5_crypt(password, salt); + else + crypted = crypt(password, salt); + # elif defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec()) + crypted = bigcrypt(password, salt); diff --git a/openssh-7.2p2-pts_names_formatting.patch b/openssh-7.2p2-pts_names_formatting.patch index 8e2ed79..3973e17 100644 --- a/openssh-7.2p2-pts_names_formatting.patch +++ b/openssh-7.2p2-pts_names_formatting.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent c08afc8b92580b589ea02d84cf3d29be257ec103 +# Parent 787bc0aab11e5a7b6510c8dbf771958743ca25b0 # use same lines naming as utempter (prevents problems with using different # formats in ?tmp? files) # --used to be called '-pts' diff --git a/openssh-7.2p2-remove_xauth_cookies_on_exit.patch b/openssh-7.2p2-remove_xauth_cookies_on_exit.patch index 426504a..47a3fdd 100644 --- a/openssh-7.2p2-remove_xauth_cookies_on_exit.patch +++ b/openssh-7.2p2-remove_xauth_cookies_on_exit.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent ff8f0a192e120430204441cdcd18ff130f85a61e +# Parent 18c2690afd988b9cb0fd0fa927d02cf5336dce9c # --used to be called '-xauth' try to remove xauth cookies on logout diff --git a/openssh-7.2p2-seccomp_getuid.patch b/openssh-7.2p2-seccomp_getuid.patch index 953ea6c..05acb22 100644 --- a/openssh-7.2p2-seccomp_getuid.patch +++ b/openssh-7.2p2-seccomp_getuid.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 80f5b9b81269880fbc12bcbc5830fe2044baf894 +# Parent c66097e5e31cd607bf2206b2da95730cce518b7a add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread from being killed by the seccomp filter diff --git a/openssh-7.2p2-seccomp_stat.patch b/openssh-7.2p2-seccomp_stat.patch index c263a7e..2926ff2 100644 --- a/openssh-7.2p2-seccomp_stat.patch +++ b/openssh-7.2p2-seccomp_stat.patch 
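Review bot: pick_salt in xcrypt.c falls back to the DES salt `xx` whenever root's hash does not start with '$' (the `return salt; /* no $, DES */` line), which is also the case on systems where the root password is locked with `*` or `!`; there the fake-password path for unknown users runs the cheap DES crypt while real users go through the slow configured hash, so the timing difference this patch sets out to remove persists. That limitation deserves a comment at that line, e.g. `/* no $, DES -- also taken when root is locked ('*'/'!'); fake and real crypt costs then differ */`, and note that this early return skips the explicit_bzero the '$' branch applies to root's hash. The `if (l >= INT_MAX)` check in fake_password needs INT_MAX in scope; auth-pam.c's include list is not in the hunk, so confirm limits.h is already included there. sshpam_respond, sshpam_auth_passwd and xcrypt each extend past the quoted context.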
@@ -1,5 +1,5 @@ # HG changeset patch -# Parent f8357691112e6b15424f506f7ab6c417f5aa6f9e +# Parent def949a57b8101691c79ecce6366cc7ae1685b07 Allow the stat() syscall for OpenSSL re-seed patch (which causes OpenSSL use stat() on some file) diff --git a/openssh-7.2p2-seed-prng.patch b/openssh-7.2p2-seed-prng.patch index 8a052ad..8f9f690 100644 --- a/openssh-7.2p2-seed-prng.patch +++ b/openssh-7.2p2-seed-prng.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent ea1ef0bb63e77f14c91b2b417f1b8c3383b2835f +# Parent 6ece65e11f754d75dd33d72b6f8e487a9d047f2e # extended support for (re-)seeding the OpenSSL PRNG from /dev/random # bnc#703221, FATE#312172 diff --git a/openssh-7.2p2-send_locale.patch b/openssh-7.2p2-send_locale.patch index f1af844..ac6aa63 100644 --- a/openssh-7.2p2-send_locale.patch +++ b/openssh-7.2p2-send_locale.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 5bcf5f230ccaec7b9c9398cc6b4193574559861d +# Parent dfcac093fca4d826a806b9d1c0bdc26e7ae8ee8e send locales in default configuration bnc#65747 diff --git a/openssh-7.2p2-sftp_force_permissions.patch b/openssh-7.2p2-sftp_force_permissions.patch index 6b1373f..c419220 100644 --- a/openssh-7.2p2-sftp_force_permissions.patch +++ b/openssh-7.2p2-sftp_force_permissions.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 7951ad8c720728b382cfaa32e3d7a549126a1496 +# Parent efa850d8312ceef224dbec0f2ae1002201afabd9 additional option for sftp-server to force file mode for new files FATE#312774 http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html diff --git a/openssh-7.2p2-sftp_homechroot.patch b/openssh-7.2p2-sftp_homechroot.patch index a4f54cd..8c59d75 100644 --- a/openssh-7.2p2-sftp_homechroot.patch +++ b/openssh-7.2p2-sftp_homechroot.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 2f269fe1cd176bc5ff833819e1b04f1d96f13144 +# Parent 9b1033f35a6cb173fbc13416065ed40c4b14e656 run sftp sessions inside a chroot diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c 
diff --git a/openssh.changes b/openssh.changes index 29680b8..75dcc5a 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,6 +1,8 @@ ------------------------------------------------------------------- Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com +- remaining patches that were still missing + since the update to 7.2p2 (FATE#319675): - allow X forwarding over IPv4 when IPv6 sockets is not available [openssh-7.2p2-X_forward_with_disabled_ipv6.patch] - do not write PID file when not daemonizing @@ -13,7 +15,7 @@ Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com - allow forcing permissions over sftp [openssh-7.2p2-sftp_force_permissions.patch] - do not perform run-time checks for OpenSSL API/ABI change - [openssh-7.2p2-disable-openssl-abi-check.patch] + [openssh-7.2p2-disable_openssl_abi_check.patch] - suggest commands for cleaning known hosts file [openssh-7.2p2-host_ident.patch] - sftp home chroot patch @@ -22,6 +24,19 @@ Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com [openssh-7.2p2-audit.patch] - enable seccomp sandbox on additional architectures [openssh-7.2p2-additional_seccomp_archs.patch] +- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710) + [openssh-7.2p2-IPv6_X_forwarding.patch] +- ignore PAM environment when using login + (bsc#975865, CVE-2015-8325) + [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] +- limit accepted password length (prevents possible DoS) + (bsc#992533, CVE-2016-6515) + [openssh-7.2p2-limit_password_length.patch] +- Prevent user enumeration through the timing of password + processing (bsc#989363, CVE-2016-6210) + [openssh-7.2p2-prevent_timing_user_enumeration.patch] +- Add auditing for PRNG re-seeding + [openssh-7.2p2-audit_seed_prng.patch] ------------------------------------------------------------------- Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com diff --git a/openssh.spec b/openssh.spec index c3b560d..8a0d1f6 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -53,11 +53,9 @@ %endif %define sandbox_seccomp 0 -%ifarch %ix86 x86_64 %if 0%{?suse_version} > 1220 %define sandbox_seccomp 1 %endif -%endif %define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d %define _fwdefdir %{_fwdir}/services @@ -132,15 +130,20 @@ Patch16: openssh-7.2p2-fips.patch Patch17: openssh-7.2p2-seed-prng.patch Patch18: openssh-7.2p2-gssapi_key_exchange.patch Patch19: openssh-7.2p2-audit.patch -Patch20: openssh-7.2p2-login_options.patch -Patch21: openssh-7.2p2-disable-openssl-abi-check.patch -Patch22: openssh-7.2p2-no_fork-no_pid_file.patch -Patch23: openssh-7.2p2-host_ident.patch -Patch24: openssh-7.2p2-sftp_homechroot.patch -Patch25: openssh-7.2p2-sftp_force_permissions.patch -Patch26: openssh-7.2p2-X_forward_with_disabled_ipv6.patch -Patch27: openssh-7.2p2-ldap.patch -Patch28: openssh-7.2p2-additional_seccomp_archs.patch +Patch20: openssh-7.2p2-audit_seed_prng.patch +Patch21: openssh-7.2p2-login_options.patch +Patch22: openssh-7.2p2-disable_openssl_abi_check.patch +Patch23: openssh-7.2p2-no_fork-no_pid_file.patch +Patch24: openssh-7.2p2-host_ident.patch +Patch25: openssh-7.2p2-sftp_homechroot.patch +Patch26: openssh-7.2p2-sftp_force_permissions.patch +Patch27: openssh-7.2p2-X_forward_with_disabled_ipv6.patch +Patch28: openssh-7.2p2-ldap.patch +Patch29: openssh-7.2p2-additional_seccomp_archs.patch +Patch30: openssh-7.2p2-IPv6_X_forwarding.patch +Patch31: openssh-7.2p2-ignore_PAM_with_UseLogin.patch +Patch32: openssh-7.2p2-prevent_timing_user_enumeration.patch +Patch33: openssh-7.2p2-limit_password_length.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Conflicts: nonfreessh Recommends: audit 
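Review bot: Dropping the `%ifarch %ix86 x86_64` guard turns `sandbox_seccomp` on for every architecture the package builds on (suse_version > 1220), and nothing in the spec records that this now depends on openssh-7.2p2-additional_seccomp_archs.patch (Patch29 in the new numbering) having extended the filter's syscall allow-list to those architectures. The seccomp_getuid and seccomp_stat patches on this page show how a syscall missing from that list ends: the sandboxed process is killed at runtime rather than the build failing, so an architecture the patch does not fully cover would, unless configure rejects it first, surface only as failed logins. I would keep the removal but annotate the define, e.g. `# non-x86 seccomp support comes from openssh-7.2p2-additional_seccomp_archs.patch` directly above `%define sandbox_seccomp 1`, and confirm the set of architectures this package builds for against what that patch covers. Where `sandbox_seccomp` is consumed lies outside this hunk.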
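Review bot: Inserting audit_seed_prng as Patch20 renumbers Patch20 through Patch28, so every `%patchNN` application and the `%{PATCH27}` reference in the %build sed pipeline (the third hunk of this file, which changes it to `%{PATCH28}`) had to be chased by hand, and any reference that was missed would apply or inspect a different patch without any error. A less fragile layout is to append new patches at the end of the list (audit_seed_prng as Patch29) so existing numbers stay stable, or to name the LDAP patch once, e.g. `%define ldap_patch openssh-7.2p2-ldap.patch` and `grep "^+++" %{_sourcedir}/%{ldap_patch}`, so the grep no longer depends on the patch's position in the list. The Patch1–Patch15 entries and the `%patch20`–`%patch28` applications lie outside this hunk.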
@@ -221,13 +224,18 @@ FIPS140 CAVS tests related parts of the OpenSSH package %patch26 -p2 %patch27 -p2 %patch28 -p2 +%patch29 -p2 +%patch30 -p2 +%patch31 -p2 +%patch32 -p2 +%patch33 -p2 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . %build # set libexec dir in the LDAP patch sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ $( grep -Rl @LIBEXECDIR@ \ - $( grep "^+++" %{PATCH27} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) + $( grep "^+++" %{PATCH28} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) ) autoreconf -fiv