rpms/openssh/devel openssh-3.9p1-cve-2006-5051.patch, NONE, 1.1 openssh-4.3p2-cve-2006-4924.patch, NONE, 1.1 openssh-4.3p2-gssapi-no-spnego.patch, 1.1, 1.2 openssh.spec, 1.96, 1.97
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Oct 2 17:35:52 UTC 2006
Author: tmraz
Update of /cvs/dist/rpms/openssh/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31801
Modified Files:
openssh-4.3p2-gssapi-no-spnego.patch openssh.spec
Added Files:
openssh-3.9p1-cve-2006-5051.patch
openssh-4.3p2-cve-2006-4924.patch
Log Message:
* Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-10
- improve gssapi-no-spnego patch (#208102)
- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
openssh-3.9p1-cve-2006-5051.patch:
sshd.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE openssh-3.9p1-cve-2006-5051.patch ---
--- openssh-3.9p1/sshd.c.sig-no-cleanup 2006-09-27 13:33:35.000000000 +0200
+++ openssh-3.9p1/sshd.c 2006-09-28 09:58:35.000000000 +0200
@@ -317,7 +317,7 @@
if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
kill(pmonitor->m_pid, SIGALRM);
- cleanup_exit(SIGALRM);
+ _exit(SIGALRM);
}
/*
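Review bot: `_exit(SIGALRM)` uses a signal number as the process exit status with no comment, so the reason for bypassing `cleanup_exit()` — its cleanup hooks are not async-signal-safe, which is the CVE-2006-5051 issue the changelog names — is invisible at the site; suggest `/* _exit(): cleanup_exit() is not async-signal-safe, must not run from a handler (CVE-2006-5051) */` above it. Skipping the cleanups also means whatever they did on grace timeout (presumably logging and temporary-file removal — not visible here) no longer happens, and that trade-off deserves a line as well. The `kill(pmonitor->m_pid, SIGALRM)` the hunk keeps is fine as it stands. The enclosing handler starts before the hunk.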
openssh-4.3p2-cve-2006-4924.patch:
deattack.c | 24 ++++++++++++++++++++++--
deattack.h | 1 +
packet.c | 16 +++++++++++++---
3 files changed, 36 insertions(+), 5 deletions(-)
--- NEW FILE openssh-4.3p2-cve-2006-4924.patch ---
--- openssh-4.3p2/deattack.c.deattack-dos 2003-09-22 13:04:23.000000000 +0200
+++ openssh-4.3p2/deattack.c 2006-09-27 13:31:08.000000000 +0200
@@ -27,6 +27,24 @@
#include "xmalloc.h"
#include "deattack.h"
+/*
+ * CRC attack detection has a worst-case behaviour that is O(N^3) over
+ * the number of identical blocks in a packet. This behaviour can be
+ * exploited to create a limited denial of service attack.
+ *
+ * However, because we are dealing with encrypted data, identical
+ * blocks should only occur every 2^35 maximally-sized packets or so.
+ * Consequently, we can detect this DoS by looking for identical blocks
+ * in a packet.
+ *
+ * The parameter below determines how many identical blocks we will
+ * accept in a single packet, trading off between attack detection and
+ * likelihood of terminating a legitimate connection. A value of 32
+ * corresponds to an average of 2^40 messages before an attack is
+ * misdetected
+ */
+#define MAX_IDENTICAL 32
+
/* SSH Constants */
#define SSH_MAXBLOCKS (32 * 1024)
#define SSH_BLOCKSIZE (8)
@@ -87,7 +105,7 @@
static u_int16_t *h = (u_int16_t *) NULL;
static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
u_int32_t i, j;
- u_int32_t l;
+ u_int32_t l, same;
u_char *c;
u_char *d;
@@ -133,7 +151,7 @@
if (IV)
h[HASH(IV) & (n - 1)] = HASH_IV;
- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
i = (i + 1) & (n - 1)) {
if (h[i] == HASH_IV) {
@@ -144,6 +162,8 @@
break;
}
} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+ if (++same > MAX_IDENTICAL)
+ return (DEATTACK_DOS_DETECTED);
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
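Review bot: The `++same > MAX_IDENTICAL` test carries no comment tying it to the MAX_IDENTICAL rationale given at the top of the file, so a reader of `detect_attack` cannot tell that this branch is the DoS guard rather than part of the CRC-compensation detection; suggest `/* too many identical ciphertext blocks: treat as DoS, not as legitimate traffic (see MAX_IDENTICAL) */` above the `if`. The check is correctly placed before `check_crc()`, so the expensive scan stops once the threshold is exceeded. `detect_attack` begins and ends outside this hunk.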
--- openssh-4.3p2/deattack.h.deattack-dos 2001-07-04 06:46:57.000000000 +0200
+++ openssh-4.3p2/deattack.h 2006-09-27 13:31:08.000000000 +0200
@@ -25,6 +25,7 @@
/* Return codes */
#define DEATTACK_OK 0
#define DEATTACK_DETECTED 1
+#define DEATTACK_DOS_DETECTED 2
int detect_attack(u_char *, u_int32_t, u_char[8]);
#endif
--- openssh-4.3p2/packet.c.deattack-dos 2005-11-05 05:15:00.000000000 +0100
+++ openssh-4.3p2/packet.c 2006-09-27 13:32:48.000000000 +0200
@@ -669,6 +669,9 @@
*/
after_authentication = 1;
for (mode = 0; mode < MODE_MAX; mode++) {
+ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
+ if (newkeys[mode] == NULL)
+ continue;
comp = &newkeys[mode]->comp;
if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
packet_init_compression();
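Review bot: The comment on the new guard calls a NULL `newkeys[mode]` a protocol error, yet the code silently `continue`s with no log or disconnect, so a peer that sends USERAUTH_SUCCESS before NEWKEYS is tolerated invisibly; at minimum a `logit("USERAUTH_SUCCESS received before NEWKEYS")` (or `debug()`) before the `continue` would make the condition observable, and a `packet_disconnect()` is worth considering if the caller is the server. This guard prevents a NULL dereference on `newkeys[mode]->comp` and appears unrelated to the deattack counter the rest of the patch adds, but the changelog entry only mentions the deattack DoS; the spec changelog should name it too. The enclosing function starts before the hunk.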
@@ -978,9 +981,16 @@
* (C)1998 CORE-SDI, Buenos Aires Argentina
* Ariel Futoransky(futo at core-sdi.com)
*/
- if (!receive_context.plaintext &&
- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
- packet_disconnect("crc32 compensation attack: network attack detected");
+ if (!receive_context.plaintext) {
+ switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
+ case DEATTACK_DETECTED:
+ packet_disconnect("crc32 compensation attack: "
+ "network attack detected");
+ case DEATTACK_DOS_DETECTED:
+ packet_disconnect("deattack denial of "
+ "service detected");
+ }
+ }
/* Decrypt data to incoming_packet. */
buffer_clear(&incoming_packet);
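Review bot: The `switch` on `detect_attack()` has no `break` after either `packet_disconnect()` call and no `default:`, so it only behaves because `packet_disconnect` never returns — nothing at the site says so, and a compiler with fallthrough warnings will flag it. Add `/* NOTREACHED */` followed by `break;` after each `packet_disconnect()` and a `default: break;` arm for `DEATTACK_OK`. The enclosing function continues past the hunk.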
openssh-4.3p2-gssapi-no-spnego.patch:
gss-genr.c | 30 ++++++++++++++++++++++++++++++
ssh-gss.h | 1 +
sshconnect2.c | 9 ++-------
3 files changed, 33 insertions(+), 7 deletions(-)
Index: openssh-4.3p2-gssapi-no-spnego.patch
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/openssh-4.3p2-gssapi-no-spnego.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssh-4.3p2-gssapi-no-spnego.patch 23 Aug 2006 21:06:38 -0000 1.1
+++ openssh-4.3p2-gssapi-no-spnego.patch 2 Oct 2006 17:35:50 -0000 1.2
@@ -1,11 +1,9 @@
---- openssh/gss-genr.c 2006/08/05 02:39:40 1.15
-+++ openssh/gss-genr.c 2006/08/18 14:33:34 1.16
-@@ -289,6 +289,35 @@
- ssh_gssapi_build_ctx(ctx);
- ssh_gssapi_set_oid(*ctx, oid);
+--- openssh-4.3p2/gss-genr.c.no-spnego 2006-09-27 11:40:35.000000000 +0200
++++ openssh-4.3p2/gss-genr.c 2006-09-27 11:47:28.000000000 +0200
+@@ -285,4 +285,34 @@
return (ssh_gssapi_acquire_cred(*ctx));
-+}
-+
+ }
+
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+{
@@ -25,30 +23,21 @@
+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
+ NULL);
+ gss_release_buffer(&minor, &token);
-+ gss_delete_sec_context(&minor, &(*ctx)->context,
-+ GSS_C_NO_BUFFER);
++ if ((*ctx)->context != GSS_C_NO_CONTEXT)
++ gss_delete_sec_context(&minor, &(*ctx)->context,
++ GSS_C_NO_BUFFER);
+ }
+
+ if (GSS_ERROR(major))
+ ssh_gssapi_delete_ctx(ctx);
+
+ return (!GSS_ERROR(major));
- }
-
++}
++
#endif /* GSSAPI */
---- openssh/ssh-gss.h 2006/08/05 02:39:40 1.9
-+++ openssh/ssh-gss.h 2006/08/18 14:33:34 1.10
-@@ -118,6 +118,7 @@
- OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
- OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
- void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
-+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
-
- /* In the server */
- int ssh_gssapi_userok(char *name);
---- openssh/sshconnect2.c 2006/08/05 02:39:41 1.150
-+++ openssh/sshconnect2.c 2006/08/18 14:33:34 1.151
-@@ -508,15 +508,10 @@
+--- openssh-4.3p2/sshconnect2.c.no-spnego 2005-11-05 05:07:33.000000000 +0100
++++ openssh-4.3p2/sshconnect2.c 2006-09-27 11:40:35.000000000 +0200
+@@ -494,15 +494,10 @@
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
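Review bot: The new `(*ctx)->context != GSS_C_NO_CONTEXT` guard before `gss_delete_sec_context()` has no comment explaining why it is needed, and since this patch file is rebased on every upstream update the reason will be lost; suggest `/* init_ctx can fail before a context exists; do not hand GSS_C_NO_CONTEXT to gss_delete_sec_context() */`, with the failing GSSAPI library named if the bug report identifies one. `gss_release_buffer(&minor, &token)` runs even when `ssh_gssapi_init_ctx` failed, which is only safe if `token` was initialised to `GSS_C_EMPTY_BUFFER` earlier in `ssh_gssapi_check_mechanism` — that declaration is outside this hunk, so confirm it. This is a diff of a patch file, so the outer `+`/`-` column describes changes to the patch rather than to gss-genr.c directly, and the function itself begins before the hunk.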
@@ -66,3 +55,13 @@
ok = 1; /* Mechanism works */
} else {
mech++;
+--- openssh-4.3p2/ssh-gss.h.no-spnego 2004-06-22 04:56:02.000000000 +0200
++++ openssh-4.3p2/ssh-gss.h 2006-09-27 11:40:35.000000000 +0200
+@@ -120,6 +120,7 @@
+ OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+ void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
++int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+
+ /* In the server */
+ int ssh_gssapi_userok(char *name);
Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -r1.96 -r1.97
--- openssh.spec 23 Aug 2006 21:06:38 -0000 1.96
+++ openssh.spec 2 Oct 2006 17:35:50 -0000 1.97
@@ -61,7 +61,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 4.3p2
-Release: 9%{?rescue_rel}
+Release: 10%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -96,6 +96,8 @@
Patch42: openssh-4.3p2-no-dup-logs.patch
Patch43: openssh-4.3p2-localtime.patch
Patch44: openssh-4.3p2-allow-ip-opts.patch
+Patch45: openssh-4.3p2-cve-2006-4924.patch
+Patch46: openssh-3.9p1-cve-2006-5051.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -229,6 +231,8 @@
%patch42 -p1 -b .no-dups
%patch43 -p1 -b .localtime
%patch44 -p1 -b .ip-opts
+%patch45 -p1 -b .deattack-dos
+%patch46 -p1 -b .sig-no-cleanup
autoreconf
@@ -473,6 +477,11 @@
%endif
%changelog
+* Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-10
+- improve gssapi-no-spnego patch (#208102)
+- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
+- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
+
* Wed Aug 23 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-9
- don't report duplicate syslog messages, use correct local time (#189158)
- don't allow spnego as gssapi mechanism (from upstream)