Hi, > openssh: CVE-2018-15473: delay bailout for invalid authenticating > user until after the packet
I've started on a patch for wheezy (WIP attached). Would the security team be interested in one for stretch? If so, I can return with a proposed debdiff. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
--- openssh-6.7p1.orig/auth2-gss.c +++ openssh-6.7p1/auth2-gss.c @@ -102,9 +102,6 @@ userauth_gssapi(Authctxt *authctxt) u_int len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) - return (0); - mechs = packet_get_int(); if (mechs == 0) { debug("Mechanism negotiation is not supported"); @@ -135,6 +132,12 @@ userauth_gssapi(Authctxt *authctxt) return (0); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + free(doid); + return (0); + } + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); --- openssh-6.7p1.orig/auth2-hostbased.c +++ openssh-6.7p1/auth2-hostbased.c @@ -65,10 +65,6 @@ userauth_hostbased(Authctxt *authctxt) int pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("userauth_hostbased: disabled because of invalid user"); - return 0; - } pkalg = packet_get_string(&alen); pkblob = packet_get_string(&blen); chost = packet_get_string(NULL); @@ -107,6 +103,11 @@ userauth_hostbased(Authctxt *authctxt) "signature format"); goto done; } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + goto done; + } + service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); --- openssh-6.7p1.orig/auth2-pubkey.c +++ openssh-6.7p1/auth2-pubkey.c @@ -76,15 +76,11 @@ userauth_pubkey(Authctxt *authctxt) Buffer b; Key *key = NULL; char *pkalg, *userstyle; - u_char *pkblob, *sig; + u_char *pkblob, *sig = NULL; u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("userauth_pubkey: disabled because of invalid user"); - return 0; - } have_sig = packet_get_char(); if (datafellows & SSH_BUG_PKAUTH) { debug2("userauth_pubkey: SSH_BUG_PKAUTH"); @@ -131,6 +127,11 @@ userauth_pubkey(Authctxt *authctxt) } else { buffer_put_string(&b, session_id2, session_id2_len); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); xasprintf(&userstyle, "%s%s%s", authctxt->user, @@ -162,11 +163,14 @@ userauth_pubkey(Authctxt *authctxt) buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); - free(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); - + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -192,6 +196,7 @@ done: key_free(key); free(pkalg); free(pkblob); + free(sig); return authenticated; }