rpms/openssh/devel openssh-4.3p2-cve-2006-5794.patch, NONE, 1.1 openssh.spec, 1.98, 1.99

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Nov 10 10:00:18 UTC 2006


Author: tmraz

Update of /cvs/dist/rpms/openssh/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv32226

Modified Files:
	openssh.spec 
Added Files:
	openssh-4.3p2-cve-2006-5794.patch 
Log Message:
* Fri Nov 10 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-12
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)


openssh-4.3p2-cve-2006-5794.patch:
 monitor.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE openssh-4.3p2-cve-2006-5794.patch ---
Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to be
exploitable in the absence of additional vulnerabilities.

--- openssh-4.3p2/monitor.c.verify	2006-11-10 10:40:37.000000000 +0100
+++ openssh-4.3p2/monitor.c	2006-11-10 10:42:32.000000000 +0100
@@ -330,7 +330,7 @@
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
 		auth_method = "unknown";
-		authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
+		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
 				fatal("%s: unexpected authentication from %d",
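Review bot: The `== 1` comparison on the `monitor_read()` line carries the whole fix, but nothing in the code says why, so a later cleanup could fold it back into a plain truth test. A short comment above the assignment would guard against that, for example `/* Only an exact 1 means success; any other non-zero result must not authenticate. */`. The key-verify hunks further down suggest that handlers can return values other than 0 and 1, presumably on error, which is what makes the truth test unsafe. The enclosing loop and function start and end outside this hunk.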
@@ -1214,7 +1214,7 @@
 
 	verified = key_verify(key, signature, signaturelen, data, datalen);
 	debug3("%s: key %p signature %s",
-	    __func__, key, verified ? "verified" : "unverified");
+	    __func__, key, (verified == 1) ? "verified" : "unverified");
 
 	key_free(key);
 	xfree(blob);
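Review bot: The debug3 line now prints "unverified" both for a signature that did not match and for any other `key_verify()` result, so the log no longer distinguishes a bad signature from an internal verification error. Including the raw value keeps that distinction available when investigating failed logins: `debug3("%s: key %p signature %s (rc %d)", __func__, key, (verified == 1) ? "verified" : "unverified", verified);`. This assumes `verified` is an int, which the later `buffer_put_int(m, verified)` call suggests but the hunk does not show. The function body starts outside the hunk.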
@@ -1229,7 +1229,7 @@
 	buffer_put_int(m, verified);
 	mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
 
-	return (verified);
+	return (verified == 1);
 }
 
 static void
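Review bot: The reply built by `buffer_put_int(m, verified)` still carries the raw `verified` value, while the function itself now returns `verified == 1`, so a `key_verify()` result other than 0 or 1 reaches the other side of the monitor socket unnormalized. The code that reads MONITOR_ANS_KEYVERIFY is not part of this patch; if it tests the integer for truth, the unprivileged process and the monitor would disagree about the outcome. Sending the normalized value, `buffer_put_int(m, verified == 1);`, keeps the wire answer consistent with the monitor's own decision. The function body starts outside the hunk.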


Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- openssh.spec	2 Nov 2006 13:33:37 -0000	1.98
+++ openssh.spec	10 Nov 2006 10:00:04 -0000	1.99
@@ -61,7 +61,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-Release: 11%{?dist}%{?rescue_rel}
+Release: 12%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -96,6 +96,7 @@
 Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch45: openssh-4.3p2-cve-2006-4924.patch
 Patch46: openssh-3.9p1-cve-2006-5051.patch
+Patch47: openssh-4.3p2-cve-2006-5794.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -229,6 +230,7 @@
 %patch44 -p1 -b .ip-opts
 %patch45 -p1 -b .deattack-dos
 %patch46 -p1 -b .sig-no-cleanup
+%patch47 -p1 -b .verify
 
 autoreconf
 
@@ -473,6 +475,9 @@
 %endif
 
 %changelog
+* Fri Nov 10 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-12
+- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
+
 * Thu Nov  2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-11
 - merge sshd initscript patches
 - kill all ssh sessions when stop is called in halt or reboot runlevel



