Add patches to fix the problem reported by Secunia Advisory SA22091 (also

CVS-2006-4924); "OpenSSH Identical Blocks Denial of Service Vulnerability"
referring to OpenBSD's CVS repository.

Bump PKGREVISION.

3 files changed, 158 insertions, 0 deletions

diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
new file mode 100644
index 00000000000..4f5282ce59f
--- /dev/null
+++ b/security/openssh/patches/patch-ax
@@ -0,0 +1,107 @@
+$NetBSD: patch-ax,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091
+
+--- deattack.c.orig	Mon Sep 22 20:04:23 2003
++++ deattack.c
+@@ -27,6 +27,24 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/
+ #include "xmalloc.h"
+ #include "deattack.h"
+ 
++/*
++ * CRC attack detection has a worst-case behaviour that is O(N^3) over
++ * the number of identical blocks in a packet. This behaviour can be 
++ * exploited to create a limited denial of service attack. 
++ * 
++ * However, because we are dealing with encrypted data, identical
++ * blocks should only occur every 2^35 maximally-sized packets or so. 
++ * Consequently, we can detect this DoS by looking for identical blocks
++ * in a packet.
++ *
++ * The parameter below determines how many identical blocks we will
++ * accept in a single packet, trading off between attack detection and
++ * likelihood of terminating a legitimate connection. A value of 32 
++ * corresponds to an average of 2^40 messages before an attack is
++ * misdetected
++ */
++#define MAX_IDENTICAL	32
++
+ /* SSH Constants */
+ #define SSH_MAXBLOCKS	(32 * 1024)
+ #define SSH_BLOCKSIZE	(8)
+@@ -56,17 +74,12 @@ crc_update(u_int32_t *a, u_int32_t b)
+ 
+ /* detect if a block is used in a particular pattern */
+ static int
+-check_crc(u_char *S, u_char *buf, u_int32_t len,
+-	  u_char *IV)
++check_crc(u_char *S, u_char *buf, u_int32_t len)
+ {
+ 	u_int32_t crc;
+ 	u_char *c;
+ 
+ 	crc = 0;
+-	if (IV && !CMP(S, IV)) {
+-		crc_update(&crc, 1);
+-		crc_update(&crc, 0);
+-	}
+ 	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+ 		if (!CMP(S, c)) {
+ 			crc_update(&crc, 1);
+@@ -82,12 +95,12 @@ check_crc(u_char *S, u_char *buf, u_int3
+ 
+ /* Detect a crc32 compensation attack on a packet */
+ int
+-detect_attack(u_char *buf, u_int32_t len, u_char *IV)
++detect_attack(u_char *buf, u_int32_t len)
+ {
+ 	static u_int16_t *h = (u_int16_t *) NULL;
+ 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ 	u_int32_t i, j;
+-	u_int32_t l;
++	u_int32_t l, same;
+ 	u_char *c;
+ 	u_char *d;
+ 
+@@ -111,15 +124,9 @@ detect_attack(u_char *buf, u_int32_t len
+ 
+ 	if (len <= HASH_MINBLOCKS) {
+ 		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+-			if (IV && (!CMP(c, IV))) {
+-				if ((check_crc(c, buf, len, IV)))
+-					return (DEATTACK_DETECTED);
+-				else
+-					break;
+-			}
+ 			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
+ 				if (!CMP(c, d)) {
+-					if ((check_crc(c, buf, len, IV)))
++					if ((check_crc(c, buf, len)))
+ 						return (DEATTACK_DETECTED);
+ 					else
+ 						break;
+@@ -130,21 +137,11 @@ detect_attack(u_char *buf, u_int32_t len
+ 	}
+ 	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
+ 
+-	if (IV)
+-		h[HASH(IV) & (n - 1)] = HASH_IV;
+-
+-	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
++	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+ 		    i = (i + 1) & (n - 1)) {
+-			if (h[i] == HASH_IV) {
+-				if (!CMP(c, IV)) {
+-					if (check_crc(c, buf, len, IV))
+-						return (DEATTACK_DETECTED);
+-					else
+-						break;
+-				}
+-			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+-				if (check_crc(c, buf, len, IV))
++			if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
++				if (check_crc(c, buf, len))
+ 					return (DEATTACK_DETECTED);
+ 				else
+ 					break;
diff --git a/security/openssh/patches/patch-ay b/security/openssh/patches/patch-ay
new file mode 100644
index 00000000000..ec36f5da855
--- /dev/null
+++ b/security/openssh/patches/patch-ay
@@ -0,0 +1,15 @@
+$NetBSD: patch-ay,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091
+
+--- deattack.h.orig	Wed Jul  4 13:46:57 2001
++++ deattack.h
+@@ -25,6 +25,7 @@
+ /* Return codes */
+ #define DEATTACK_OK		0
+ #define DEATTACK_DETECTED	1
++#define DEATTACK_DOS_DETECTED	2
+ 
+-int	 detect_attack(u_char *, u_int32_t, u_char[8]);
++int	 detect_attack(u_char *, u_int32_t);
+ #endif
diff --git a/security/openssh/patches/patch-az b/security/openssh/patches/patch-az
new file mode 100644
index 00000000000..ee002ae4158
--- /dev/null
+++ b/security/openssh/patches/patch-az
@@ -0,0 +1,36 @@
+$NetBSD: patch-az,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091 + one more OpenBSD's CVS update 1.144-1.145
+
+--- packet.c.orig	Sat Nov  5 13:15:00 2005
++++ packet.c
+@@ -669,6 +669,9 @@ packet_enable_delayed_compress(void)
+ 	 */
+ 	after_authentication = 1;
+ 	for (mode = 0; mode < MODE_MAX; mode++) {
++		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
++		if (newkeys[mode] == NULL)
++			continue;
+ 		comp = &newkeys[mode]->comp;
+ 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ 			packet_init_compression();
+@@ -978,9 +981,16 @@ packet_read_poll1(void)
+ 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
+ 	 * Ariel Futoransky(futo@core-sdi.com)
+ 	 */
+-	if (!receive_context.plaintext &&
+-	    detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
+-		packet_disconnect("crc32 compensation attack: network attack detected");
++	if (!receive_context.plaintext) {
++		switch (detect_attack(buffer_ptr(&input), padded_len)) {
++		case DEATTACK_DETECTED:
++			packet_disconnect("crc32 compensation attack: "
++			    "network attack detected");
++		case DEATTACK_DOS_DETECTED:
++			packet_disconnect("deattack denial of "
++			    "service detected");
++		}
++	}
+ 
+ 	/* Decrypt data to incoming_packet. */
+ 	buffer_clear(&incoming_packet);