rpms/openssh/FC-5 openssh-3.9p1-cve-2006-5051.patch, NONE, 1.1 openssh-4.3p2-cve-2006-4924.patch, NONE, 1.1 openssh-4.3p2-gssapi-no-spnego.patch, 1.1, 1.2 openssh.spec, 1.91, 1.92

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Oct 3 18:27:47 UTC 2006


Author: tmraz

Update of /cvs/dist/rpms/openssh/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv10665

Modified Files:
	openssh-4.3p2-gssapi-no-spnego.patch openssh.spec 
Added Files:
	openssh-3.9p1-cve-2006-5051.patch 
	openssh-4.3p2-cve-2006-4924.patch 
Log Message:
* Mon Oct  2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.10
- improve gssapi-no-spnego patch (#208102)
- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)


openssh-3.9p1-cve-2006-5051.patch:
 sshd.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openssh-3.9p1-cve-2006-5051.patch ---
--- openssh-3.9p1/sshd.c.sig-no-cleanup	2006-09-27 13:33:35.000000000 +0200
+++ openssh-3.9p1/sshd.c	2006-09-28 09:58:35.000000000 +0200
@@ -317,7 +317,7 @@
 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
 		kill(pmonitor->m_pid, SIGALRM);
 
-	cleanup_exit(SIGALRM);
+	_exit(SIGALRM);
 }
 
 /*
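Review bot: `_exit(SIGALRM)` is the right replacement here, but the hunk leaves no record of why `cleanup_exit` was dropped, and the obvious "fix" for a future reader is to put it back; suggest a comment above the call, `/* cleanup_exit() runs cleanup hooks that are not safe to call from a signal handler (CVE-2006-5051); leave without cleanup. */`. The exit status stays the signal number, as before. The enclosing handler begins outside the hunk, so whether anything else in it is unsafe in signal context cannot be judged from here.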

openssh-4.3p2-cve-2006-4924.patch:
 deattack.c |   24 ++++++++++++++++++++++--
 deattack.h |    1 +
 packet.c   |   16 +++++++++++++---
 3 files changed, 36 insertions(+), 5 deletions(-)

--- NEW FILE openssh-4.3p2-cve-2006-4924.patch ---
--- openssh-4.3p2/deattack.c.deattack-dos	2003-09-22 13:04:23.000000000 +0200
+++ openssh-4.3p2/deattack.c	2006-09-27 13:31:08.000000000 +0200
@@ -27,6 +27,24 @@
 #include "xmalloc.h"
 #include "deattack.h"
 
+/*
+ * CRC attack detection has a worst-case behaviour that is O(N^3) over
+ * the number of identical blocks in a packet. This behaviour can be 
+ * exploited to create a limited denial of service attack. 
+ * 
+ * However, because we are dealing with encrypted data, identical
+ * blocks should only occur every 2^35 maximally-sized packets or so. 
+ * Consequently, we can detect this DoS by looking for identical blocks
+ * in a packet.
+ *
+ * The parameter below determines how many identical blocks we will
+ * accept in a single packet, trading off between attack detection and
+ * likelihood of terminating a legitimate connection. A value of 32 
+ * corresponds to an average of 2^40 messages before an attack is
+ * misdetected
+ */
+#define MAX_IDENTICAL	32
+
 /* SSH Constants */
 #define SSH_MAXBLOCKS	(32 * 1024)
 #define SSH_BLOCKSIZE	(8)
@@ -87,7 +105,7 @@
 	static u_int16_t *h = (u_int16_t *) NULL;
 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
 	u_int32_t i, j;
-	u_int32_t l;
+	u_int32_t l, same;
 	u_char *c;
 	u_char *d;
 
@@ -133,7 +151,7 @@
 	if (IV)
 		h[HASH(IV) & (n - 1)] = HASH_IV;
 
-	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
 		    i = (i + 1) & (n - 1)) {
 			if (h[i] == HASH_IV) {
@@ -144,6 +162,8 @@
 						break;
 				}
 			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+				if (++same > MAX_IDENTICAL)
+					return (DEATTACK_DOS_DETECTED);
 				if (check_crc(c, buf, len, IV))
 					return (DEATTACK_DETECTED);
 				else
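Review bot: `same` is compared against MAX_IDENTICAL before `check_crc` runs, so the 33rd identical block in a packet ends the connection whether or not a CRC attack is present; that is the intent stated in the comment of the first hunk, but the declaration in the second hunk, `u_int32_t l, same;`, carries no hint of it. Suggest `u_int32_t l, same;	/* identical blocks seen in this packet; see MAX_IDENTICAL */`. The per-call reset in `same = j = 0` is correct, and the counter cannot overflow since the function returns at 33. detect_attack starts and ends outside these hunks.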
--- openssh-4.3p2/deattack.h.deattack-dos	2001-07-04 06:46:57.000000000 +0200
+++ openssh-4.3p2/deattack.h	2006-09-27 13:31:08.000000000 +0200
@@ -25,6 +25,7 @@
 /* Return codes */
 #define DEATTACK_OK		0
 #define DEATTACK_DETECTED	1
+#define DEATTACK_DOS_DETECTED	2
 
 int	 detect_attack(u_char *, u_int32_t, u_char[8]);
 #endif
--- openssh-4.3p2/packet.c.deattack-dos	2005-11-05 05:15:00.000000000 +0100
+++ openssh-4.3p2/packet.c	2006-09-27 13:32:48.000000000 +0200
@@ -669,6 +669,9 @@
 	 */
 	after_authentication = 1;
 	for (mode = 0; mode < MODE_MAX; mode++) {
+		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
+		if (newkeys[mode] == NULL)
+			continue;
 		comp = &newkeys[mode]->comp;
 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
 			packet_init_compression();
@@ -978,9 +981,16 @@
 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
 	 * Ariel Futoransky(futo at core-sdi.com)
 	 */
-	if (!receive_context.plaintext &&
-	    detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
-		packet_disconnect("crc32 compensation attack: network attack detected");
+	if (!receive_context.plaintext) {
+		switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
+		case DEATTACK_DETECTED:
+			packet_disconnect("crc32 compensation attack: "
+				"network attack detected");
+		case DEATTACK_DOS_DETECTED:
+			packet_disconnect("deattack denial of "
+				"service detected");
+		}
+	}
 
 	/* Decrypt data to incoming_packet. */
 	buffer_clear(&incoming_packet);
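Review bot: The new `switch` has no `break` after the DEATTACK_DETECTED case and no `default`, so its correctness rests on `packet_disconnect` never returning; that appears to be how it is used, but it should be stated rather than implied, e.g. add `/* NOTREACHED */` after each `packet_disconnect` call and a `default: break;` arm so the DEATTACK_OK path is explicit and -Wswitch stays quiet. In the earlier hunk of this file, the `newkeys[mode] == NULL` check is labelled a protocol error yet silently `continue`s; if skipping the mode rather than disconnecting is deliberate, the comment should say why.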

openssh-4.3p2-gssapi-no-spnego.patch:
 gss-genr.c    |   30 ++++++++++++++++++++++++++++++
 ssh-gss.h     |    1 +
 sshconnect2.c |    9 ++-------
 3 files changed, 33 insertions(+), 7 deletions(-)

Index: openssh-4.3p2-gssapi-no-spnego.patch
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-5/openssh-4.3p2-gssapi-no-spnego.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssh-4.3p2-gssapi-no-spnego.patch	13 Sep 2006 11:29:49 -0000	1.1
+++ openssh-4.3p2-gssapi-no-spnego.patch	3 Oct 2006 18:27:45 -0000	1.2
@@ -1,11 +1,9 @@
---- openssh/gss-genr.c	2006/08/05 02:39:40	1.15
-+++ openssh/gss-genr.c	2006/08/18 14:33:34	1.16
-@@ -289,6 +289,35 @@
- 	ssh_gssapi_build_ctx(ctx);
- 	ssh_gssapi_set_oid(*ctx, oid);
+--- openssh-4.3p2/gss-genr.c.no-spnego	2006-09-27 11:40:35.000000000 +0200
++++ openssh-4.3p2/gss-genr.c	2006-09-27 11:47:28.000000000 +0200
+@@ -285,4 +285,34 @@
  	return (ssh_gssapi_acquire_cred(*ctx));
-+}
-+
+ }
+ 
 +int
 +ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
 +{
@@ -25,30 +23,21 @@
 +		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
 +		    NULL);
 +		gss_release_buffer(&minor, &token);
-+		gss_delete_sec_context(&minor, &(*ctx)->context, 
-+		    GSS_C_NO_BUFFER);
++		if ((*ctx)->context != GSS_C_NO_CONTEXT)
++			gss_delete_sec_context(&minor, &(*ctx)->context,
++			    GSS_C_NO_BUFFER);
 +	}
 +
 +	if (GSS_ERROR(major)) 
 +		ssh_gssapi_delete_ctx(ctx);
 +
 +	return (!GSS_ERROR(major));
- }
- 
++}
++
  #endif /* GSSAPI */
---- openssh/ssh-gss.h	2006/08/05 02:39:40	1.9
-+++ openssh/ssh-gss.h	2006/08/18 14:33:34	1.10
-@@ -118,6 +118,7 @@
- OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
- OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
- void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
-+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
- 
- /* In the server */
- int ssh_gssapi_userok(char *name);
---- openssh/sshconnect2.c	2006/08/05 02:39:41	1.150
-+++ openssh/sshconnect2.c	2006/08/18 14:33:34	1.151
-@@ -508,15 +508,10 @@
+--- openssh-4.3p2/sshconnect2.c.no-spnego	2005-11-05 05:07:33.000000000 +0100
++++ openssh-4.3p2/sshconnect2.c	2006-09-27 11:40:35.000000000 +0200
+@@ -494,15 +494,10 @@
  
  	/* Check to see if the mechanism is usable before we offer it */
  	while (mech < gss_supported->count && !ok) {
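Review bot: The added guard `if ((*ctx)->context != GSS_C_NO_CONTEXT)` before `gss_delete_sec_context` is unexplained in the resulting patch; presumably `ssh_gssapi_init_ctx` can fail before a context handle exists, in which case a short comment such as `/* init_ctx may fail before a context is established; nothing to delete then */` would spare the next reader the same question. The status returned by `gss_delete_sec_context` is still discarded, so a failed release of the probe context goes unreported; whether that matters depends on the GSS implementation. ssh_gssapi_check_mechanism begins outside this hunk.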
@@ -66,3 +55,13 @@
  			ok = 1; /* Mechanism works */
  		} else {
  			mech++;
+--- openssh-4.3p2/ssh-gss.h.no-spnego	2004-06-22 04:56:02.000000000 +0200
++++ openssh-4.3p2/ssh-gss.h	2006-09-27 11:40:35.000000000 +0200
+@@ -120,6 +120,7 @@
+ OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+ void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
++int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+ 
+ /* In the server */
+ int ssh_gssapi_userok(char *name);


Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/FC-5/openssh.spec,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -r1.91 -r1.92
--- openssh.spec	13 Sep 2006 11:29:49 -0000	1.91
+++ openssh.spec	3 Oct 2006 18:27:45 -0000	1.92
@@ -61,7 +61,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-Release: 4.1%{?rescue_rel}
+Release: 4.10%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -96,6 +96,8 @@
 Patch42: openssh-4.3p2-no-dup-logs.patch
 Patch43: openssh-4.3p2-localtime.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
+Patch45: openssh-4.3p2-cve-2006-4924.patch
+Patch46: openssh-3.9p1-cve-2006-5051.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -229,6 +231,8 @@
 %patch42 -p1 -b .no-dups
 %patch43 -p1 -b .localtime
 %patch44 -p1 -b .ip-opts
+%patch45 -p1 -b .deattack-dos
+%patch46 -p1 -b .sig-no-cleanup
 
 autoreconf
 
@@ -473,6 +477,11 @@
 %endif
 
 %changelog
+* Mon Oct  2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.10
+- improve gssapi-no-spnego patch (#208102)
+- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
+- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
+
 * Wed Sep 13 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.1
 - sync with FC6 version
 - build for FC5



