From 2442cc74998eaf2a5d47223c5857add075414ab0 Mon Sep 17 00:00:00 2001
From: tonnerre
Date: Thu, 3 Apr 2008 07:59:08 +0000
Subject: Fix two vulnerabilities in OpenSSH:
- X11 forwarding information disclosure (CVE-2008-1483)
- ForceCommand bypass vulnerability
---
 security/openssh/Makefile | 4 ++--
 security/openssh/distinfo | 5 +++--
 security/openssh/patches/patch-ao | 37 +++++++++++++++++++++++++++++--------
 security/openssh/patches/patch-ax | 18 ++++++++++++++++++
 4 files changed, 52 insertions(+), 12 deletions(-)
 create mode 100644 security/openssh/patches/patch-ax
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 41ac038232a..1409e032c2f 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.186 2008/01/18 05:09:39 tnn Exp $
+# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $
 
 DISTNAME= openssh-4.7p1
 PKGNAME= openssh-4.7.1
-PKGREVISION= 2
+PKGREVISION= 3
 SVR4_PKGNAME= ossh
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 12dbcd838c6..99c040501d5 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.66 2007/09/19 13:42:02 taca Exp $
+$NetBSD: distinfo,v 1.67 2008/04/03 07:59:08 tonnerre Exp $
 
 SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c
 RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e
@@ -20,7 +20,7 @@ SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc
 SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
 SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
 SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = a70da4f5942553a42fa935b82172e601b29951df
+SHA1 (patch-ao) = 1061066758f7fe2fca630b15a55cbdc1ab041758
 SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a
 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
@@ -28,3 +28,4 @@ SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
 SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
+SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index 5533c0d999f..103c10ac9eb 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,8 +1,17 @@
-$NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ao,v 1.10 2008/04/03 07:59:08 tonnerre Exp $
 
---- session.c.orig 2006-10-29 17:01:29.000000000 +0900
+--- session.c.orig 2007-08-16 13:28:04.000000000 +0000
 +++ session.c
-@@ -956,7 +956,7 @@ read_etc_default_login(char ***env, u_in
+@@ -347,7 +347,7 @@ do_authenticated1(Authctxt *authctxt)
+ break;
+ }
+ debug("Received TCP/IP port forwarding request.");
+- if (channel_input_port_forward_request(s->pw->pw_uid == 0,
++ if (channel_input_port_forward_request(s->pw->pw_uid == ROOTUID,
+ options.gateway_ports) < 0) {
+ debug("Port forwarding failed.");
+ break;
+@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in
 if (tmpenv == NULL)
 return;
 
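Review bot: The regenerated patch-ao header still goes straight from the `$NetBSD` id to `--- session.c.orig`, so nothing in the patch says what it does, whereas patch-ax in this same commit carries a short description and pkgsrc patches are expected to. I would add after the id line: `Use ROOTUID instead of a literal 0 in root checks, and do not run ~/.ssh/rc when sshd_config ForceCommand is set (ForceCommand bypass fix).` The `ROOTUID` macro that the new `do_authenticated1` hunk introduces is not defined anywhere in this hunk, so presumably it comes from another pkgsrc patch or header; the description line is a good place to say where. `do_authenticated1` both starts and ends outside the inner hunk.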
@@ -11,7 +20,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
 var = child_get_env(tmpenv, "SUPATH");
 else
 var = child_get_env(tmpenv, "PATH");
-@@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *she
+@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she
 # endif /* HAVE_ETC_DEFAULT_LOGIN */
 if (path == NULL || *path == '\0') {
 child_set_env(&env, &envsize, "PATH",
@@ -20,7 +29,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
 SUPERUSER_PATH : _PATH_STDPATH);
 }
 # endif /* HAVE_CYGWIN */
-@@ -1179,6 +1179,18 @@ do_setup_env(Session *s, const char *she
+@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she
 strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
 read_environment_file(&env, &envsize, buf);
 }
@@ -39,7 +48,19 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
 if (debug_flag) {
 /* dump the environment */
 fprintf(stderr, "Environment:\n");
-@@ -1289,9 +1301,9 @@ do_nologin(struct passwd *pw)
+@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel
+ do_xauth =
+ s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
+
+- /* ignore _PATH_SSH_USER_RC for subsystems */
+- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
++ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
++ if (!s->is_subsystem && options.adm_forced_command == NULL &&
++ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
+ shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+ if (debug_flag)
+@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw)
 void
 do_setusercontext(struct passwd *pw)
 {
@@ -51,7 +72,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
 {
 
 #ifdef HAVE_SETPCRED
-@@ -1333,11 +1345,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw)
 perror("setgid");
 exit(1);
 }
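Review bot: The new `do_rc_files` condition consults only `options.adm_forced_command` (sshd_config ForceCommand) and not the per-key `forced_command` set by `command=` in authorized_keys, which a later reader may mistake for an oversight. Presumably this is intentional because `~/.ssh/rc` and `authorized_keys` are controlled by the same account, so a key option has nothing to lose to the rc file; the new comment should say so, e.g. `/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands; key-option command= is the user's own and needs no such check */`. Note that `do_rc_files` starts before and continues after the inner hunk, so the `else if` branches that follow the changed `if` are not visible here.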
@@ -65,7 +86,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
 endgrent();
 #ifdef GSSAPI
 if (options.gss_authentication) {
-@@ -2095,7 +2109,7 @@ session_pty_cleanup2(Session *s)
+@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s)
 record_logout(s->pid, s->tty, s->pw->pw_name);
 
 /* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
new file mode 100644
index 00000000000..581b9f1afab
--- /dev/null
+++ b/security/openssh/patches/patch-ax
@@ -0,0 +1,18 @@
+$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $
+
+Don't deadlock on exit with multiple X forwarded channels.
+Don't use X11 port which can't be bound on all IP families.
+Fixes CVE-2008-1483.
+
+--- channels.c.orig 2007-06-25 09:04:47.000000000 +0000
++++ channels.c
+@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_
+ debug2("bind port %d: %.100s", port, strerror(errno));
+ close(sock);
+
+- if (ai->ai_next)
+- continue;
+-
+ for (n = 0; n < num_socks; n++) {
+ close(socks[n]);
+ }
--
cgit v1.2.3
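Review bot: The description in patch-ax promises two changes, `Don't deadlock on exit with multiple X forwarded channels.` and the bind-failure change, but the file's only hunk removes `if (ai->ai_next) continue;` in `x11_create_display_inet` and touches nothing related to channel teardown, so the first line is either a leftover from a larger upstream patch or describes a hunk that was not carried over. Either drop that line or add the hunk it refers to, regenerating the patch-ax checksum in distinfo either way. As far as the hunk shows, the removal itself is the CVE-2008-1483 fix: a bind failure on any address of a port now falls through to the loop that closes every socket opened for that port instead of moving on to the next address. What happens after that loop, including whether the outer loop advances to the next display, lies past the end of the hunk and could not be checked here.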