Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
This is the jessie version of #865986. The WinSCP change isn't applicable to jessie, but the fixes for #865770 and #873201 are. I had to do some minor git surgery to integrate the previous security updates into git-dpm's view of the world (including changing one patch to have a proper name rather than an automatically-generated one); apologies for the resulting noise, but I think it's still short enough to be reasonably reviewable. I ran the "git-dpm update-patches" step in a jessie chroot to avoid further noise from patches generated by different git versions. diff -Nru openssh-6.7p1/debian/.git-dpm openssh-6.7p1/debian/.git-dpm --- openssh-6.7p1/debian/.git-dpm 2016-04-14 18:53:01.000000000 +0100 +++ openssh-6.7p1/debian/.git-dpm 2017-11-18 10:52:00.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -d6139ee6bbf3bda83ebefc73d8079d0897488d1d -d6139ee6bbf3bda83ebefc73d8079d0897488d1d +1ec1d66c12c333a99a10d399b5f47e5636d2bcff +1ec1d66c12c333a99a10d399b5f47e5636d2bcff 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 openssh_6.7p1.orig.tar.gz diff -Nru openssh-6.7p1/debian/changelog openssh-6.7p1/debian/changelog --- openssh-6.7p1/debian/changelog 2016-07-22 18:22:20.000000000 +0100 +++ openssh-6.7p1/debian/changelog 2017-11-18 10:56:29.000000000 +0000 
@@ -1,3 +1,12 @@ +openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium + + * Test configuration before starting or reloading sshd under systemd + (closes: #865770). + * Make "--" before the hostname terminate argument processing after the + hostname too (closes: #873201). + + -- Colin Watson <cjwat...@debian.org> Sat, 18 Nov 2017 10:56:29 +0000 + openssh (1:6.7p1-5+deb8u3) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru openssh-6.7p1/debian/openssh-server.ssh.service openssh-6.7p1/debian/openssh-server.ssh.service --- openssh-6.7p1/debian/openssh-server.ssh.service 2016-04-14 18:53:01.000000000 +0100 +++ openssh-6.7p1/debian/openssh-server.ssh.service 2017-11-18 10:52:00.000000000 +0000 @@ -5,7 +5,9 @@ [Service] EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure diff -Nru openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch --- openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch 2016-04-14 18:53:01.000000000 +0100 +++ openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,36 +0,0 @@ -From d6139ee6bbf3bda83ebefc73d8079d0897488d1d Mon Sep 17 00:00:00 2001 -From: Yves-Alexis Perez <cor...@debian.org> -Date: Tue, 12 Jan 2016 17:14:33 -0800 -Subject: disable roaming in ssh client - -SSH roaming implementation in openssh client is vulnerable to an -information leak (CVE-2016-0777) and heap-based buffer overflow -(CVE-2016-0778). The information leak is somehow attacker-controller, -and it is for example possible to extract the ssh client private keys. ---- - readconf.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/readconf.c b/readconf.c -index 29338b6..337d914 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -1640,7 +1640,7 @@ initialize_options(Options * options) - options->tun_remote = -1; - options->local_command = NULL; - options->permit_local_command = -1; -- options->use_roaming = -1; -+ options->use_roaming = 0; - options->visual_host_key = -1; - options->ip_qos_interactive = -1; - options->ip_qos_bulk = -1; -@@ -1822,8 +1822,7 @@ fill_default_options(Options * options) - options->tun_remote = SSH_TUNID_ANY; - if (options->permit_local_command == -1) - options->permit_local_command = 0; -- if (options->use_roaming == -1) -- options->use_roaming = 1; -+ options->use_roaming = 0; - if (options->visual_host_key == -1) - options->visual_host_key = 0; - if (options->ip_qos_interactive == -1) diff -Nru openssh-6.7p1/debian/patches/CVE-2015-8325.patch openssh-6.7p1/debian/patches/CVE-2015-8325.patch --- openssh-6.7p1/debian/patches/CVE-2015-8325.patch 2016-04-14 18:53:01.000000000 +0100 +++ openssh-6.7p1/debian/patches/CVE-2015-8325.patch 2017-11-18 10:52:00.000000000 +0000 @@ -1,7 +1,7 @@ -From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001 +From df02ed53cf4f3df6ef0bba7fd271d72360b19b0a Mon Sep 17 00:00:00 2001 
From: Damien Miller <d...@mindrot.org> Date: Wed, 13 Apr 2016 10:39:57 +1000 -Subject: [PATCH] ignore PAM environment vars when UseLogin=yes +Subject: ignore PAM environment vars when UseLogin=yes If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may @@ -9,13 +9,17 @@ set via PAM. CVE-2015-8325, found by Shayan Sadigh, via Colin Watson + +Patch-Name: CVE-2015-8325.patch --- session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/session.c b/session.c +index 6250c20..e341512 100644 --- a/session.c +++ b/session.c -@@ -1301,7 +1301,7 @@ do_setup_env(Session *s, const char *she +@@ -1301,7 +1301,7 @@ do_setup_env(Session *s, const char *shell) * Pull in any environment variables that may have * been set by PAM. */ diff -Nru openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch --- openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch 2016-07-22 18:20:48.000000000 +0100 +++ openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch 2017-11-18 10:52:00.000000000 +0000 @@ -1,4 +1,4 @@ -From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001 +From 3f40a5c09c405270a7f118855cc959dc8beac835 Mon Sep 17 00:00:00 2001 From: Darren Tucker <dtuc...@zip.com.au> Date: Fri, 15 Jul 2016 13:32:45 +1000 Subject: Determine appropriate salt for invalid users. @@ -14,6 +14,8 @@ To mitigate, use the same hash algorithm that root uses for hashing passwords for users that do not exist on the system. ok djm@ + +Patch-Name: CVE-2016-6210-1.patch --- auth-passwd.c | 12 ++++++++---- openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++ @@ -50,7 +52,7 @@ /* * Authentication is accepted if the encrypted passwords diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c -index 8577cbd..8913bb8 100644 +index c8aea46..53cb9c8 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c @@ -25,6 +25,7 @@ 
@@ -106,6 +108,3 @@ # ifdef HAVE_MD5_PASSWORDS if (is_md5_salt(salt)) crypted = md5_crypt(password, salt); --- -cgit v0.12 - diff -Nru openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch --- openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch 2016-07-22 18:20:48.000000000 +0100 +++ openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch 2017-11-18 10:52:00.000000000 +0000 @@ -1,4 +1,4 @@ -From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001 +From 0be96ff6eb447fb8b249c54211fd2f637ba1a989 Mon Sep 17 00:00:00 2001 From: Darren Tucker <dtuc...@zip.com.au> Date: Fri, 15 Jul 2016 13:49:44 +1000 Subject: Mitigate timing of disallowed users PAM logins. @@ -12,12 +12,14 @@ Mitigate by constructing an invalid password that is the same length as the one from the client and thus takes the same time to hash. Diff from djm@ + +Patch-Name: CVE-2016-6210-2.patch --- auth-pam.c | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/auth-pam.c b/auth-pam.c -index 451de78..465b5a7 100644 +index d789bad..55cd77a 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -231,7 +231,6 @@ static int sshpam_account_status = -1; @@ -103,6 +105,3 @@ if (sshpam_err == PAM_SUCCESS && authctxt->valid) { debug("PAM: password authentication accepted for %.100s", authctxt->user); --- -cgit v0.12 - diff -Nru openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch --- openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch 2016-07-22 18:20:48.000000000 +0100 +++ openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch 2017-11-18 10:52:00.000000000 +0000 @@ -1,4 +1,4 @@ -From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001 +From 625547cd45e339b60949dd79d4692ac76fc457a0 Mon Sep 17 00:00:00 2001 From: Darren Tucker <dtuc...@zip.com.au> Date: Thu, 21 Jul 2016 14:17:31 +1000 Subject: Search users for one with a valid salt. 
@@ -6,12 +6,14 @@ If the root account is locked (eg password "!!" or "*LK*") keep looking until we find a user with a valid salt to use for crypting passwords of invalid users. ok djm@ + +Patch-Name: CVE-2016-6210-3.patch --- openbsd-compat/xcrypt.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c -index 8913bb8..cf6a9b9 100644 +index 53cb9c8..7a72345 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c @@ -65,7 +65,9 @@ @@ -52,6 +54,3 @@ return salt; } --- -cgit v0.12 - diff -Nru openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch --- openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch 2017-11-18 10:52:00.000000000 +0000 
@@ -0,0 +1,63 @@ +From 1ec1d66c12c333a99a10d399b5f47e5636d2bcff Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" <d...@openbsd.org> +Date: Sat, 12 Aug 2017 06:46:01 +0000 +Subject: Make "--" before hostname end option processing + +make "--" before the hostname terminate command-line +option processing completely; previous behaviour would not prevent further +options appearing after the hostname (ssh has a supported options after the +hostname for >20 years, so that's too late to change). + +ok deraadt@ + +Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89 + +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=643c2ad82910691b2240551ea8b14472f60b5078 +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2766 +Bug-Debian: https://bugs.debian.org/873201 +Last-Update: 2017-11-18 + +Patch-Name: dash-dash-before-hostname.patch +--- + ssh.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ssh.c b/ssh.c +index 5bce695..9d70230 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -414,13 +414,13 @@ process_config_files(struct passwd *pw) + int + main(int ac, char **av) + { +- int i, r, opt, exit_status, use_syslog; ++ int i, r, opt, exit_status, use_syslog, timeout_ms; ++ int opt_terminated = 0; + char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; + char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; + char cname[NI_MAXHOST]; + struct stat st; + struct passwd *pw; +- int timeout_ms; + extern int optind, optreset; + extern char *optarg; + struct Forward fwd; +@@ -813,6 +813,9 @@ main(int ac, char **av) + } + } + ++ if (optind > 1 && strcmp(av[optind - 1], "--") == 0) ++ opt_terminated = 1; ++ + ac -= optind; + av += optind; + +@@ -827,7 +830,7 @@ main(int ac, char **av) + host = xstrdup(++cp); + } else + host = xstrdup(*av); +- if (ac > 1) { ++ if (ac > 1 && !opt_terminated) { + optind = optreset = 1; + goto again; + } diff -Nru openssh-6.7p1/debian/patches/disable-roaming.patch 
openssh-6.7p1/debian/patches/disable-roaming.patch --- openssh-6.7p1/debian/patches/disable-roaming.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-6.7p1/debian/patches/disable-roaming.patch 2017-11-18 10:52:00.000000000 +0000 @@ -0,0 +1,38 @@ +From beb5d60922b914b095b75b1ce30196062e574d87 Mon Sep 17 00:00:00 2001 +From: Yves-Alexis Perez <cor...@debian.org> +Date: Tue, 12 Jan 2016 17:14:33 -0800 +Subject: disable roaming in ssh client + +SSH roaming implementation in openssh client is vulnerable to an +information leak (CVE-2016-0777) and heap-based buffer overflow +(CVE-2016-0778). The information leak is somehow attacker-controller, +and it is for example possible to extract the ssh client private keys. + +Patch-Name: disable-roaming.patch +--- + readconf.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 29338b6..337d914 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1640,7 +1640,7 @@ initialize_options(Options * options) + options->tun_remote = -1; + options->local_command = NULL; + options->permit_local_command = -1; +- options->use_roaming = -1; ++ options->use_roaming = 0; + options->visual_host_key = -1; + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; +@@ -1822,8 +1822,7 @@ fill_default_options(Options * options) + options->tun_remote = SSH_TUNID_ANY; + if (options->permit_local_command == -1) + options->permit_local_command = 0; +- if (options->use_roaming == -1) +- options->use_roaming = 1; ++ options->use_roaming = 0; + if (options->visual_host_key == -1) + options->visual_host_key = 0; + if (options->ip_qos_interactive == -1) diff -Nru openssh-6.7p1/debian/patches/series openssh-6.7p1/debian/patches/series --- openssh-6.7p1/debian/patches/series 2016-07-22 18:20:48.000000000 +0100 +++ openssh-6.7p1/debian/patches/series 2017-11-18 10:52:00.000000000 +0000 
@@ -27,8 +27,9 @@ gnome-ssh-askpass2-icon.patch sigstop.patch debian-config.patch -0030-disable-roaming-in-ssh-client.patch +disable-roaming.patch CVE-2015-8325.patch CVE-2016-6210-1.patch CVE-2016-6210-2.patch CVE-2016-6210-3.patch +dash-dash-before-hostname.patch diff -Nru openssh-6.7p1/debian/systemd/ssh.service openssh-6.7p1/debian/systemd/ssh.service --- openssh-6.7p1/debian/systemd/ssh.service 2016-04-14 18:53:01.000000000 +0100 +++ openssh-6.7p1/debian/systemd/ssh.service 2017-11-18 10:52:00.000000000 +0000 @@ -5,7 +5,9 @@ [Service] EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure Thanks, -- Colin Watson [cjwat...@debian.org]
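Review bot: in both service-file hunks (debian/openssh-server.ssh.service and debian/systemd/ssh.service) the new `ExecStartPre=/usr/sbin/sshd -t` and `ExecReload=/usr/sbin/sshd -t` lines test the default configuration, while `ExecStart` runs `sshd -D $SSHD_OPTS`; if an administrator has put something like `-f /etc/ssh/sshd_config.alt` or an `-o` override into `SSHD_OPTS` in /etc/default/ssh, the check validates a different configuration from the one the daemon actually loads. Consider `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` and the same for the reload test so both see the same options. The ordering is otherwise right: systemd runs multiple `ExecReload=` lines in sequence and stops at the first failure, so a broken sshd_config no longer gets HUPed into a running daemon, which is what the changelog entry for #865770 describes.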
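Review bot: in dash-dash-before-hostname.patch the `opt_terminated` test in the second ssh.c hunk sits after the option `while` loop but below the `again:` label, so it is re-evaluated on every pass, and the `optind > 1` guard keeps `av[optind - 1]` from ever pointing at `argv[0]`; together with the `!opt_terminated` condition on the `goto again` in the third hunk, anything after the hostname following `--` stays in `av` as the remote command instead of being re-parsed as options, which matches the commit message and #873201. The change to the first hunk (folding `timeout_ms` into the first `int` declaration and dropping the separate `int timeout_ms;`) changes no behaviour and appears to be there only to keep the backport textually aligned with upstream; a sentence saying so in the patch description would save the next reader from looking for a reason.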
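Review bot: the rename from 0030-disable-roaming-in-ssh-client.patch to disable-roaming.patch carries the readconf.c hunks over unchanged apart from the new `Patch-Name:` trailer, so there is no behavioural change and the series update is consistent. Since the header is being rewritten anyway, it would match dash-dash-before-hostname.patch to add the DEP-3 `Origin:` and `Bug:` fields pointing at the advisory this came from, and the typo "attacker-controller" (presumably "attacker-controlled") in the description could be fixed in the same pass.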