____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 01-Oct-2006 10:24:21
Branch: OPENPKG_2_5_SOLID Handle: 2006100109242100
Modified files: (Branch: OPENPKG_2_5_SOLID)
openpkg-src/openssh openssh.patch openssh.spec
Log:
Security Fixes (CVE-2006-4924, CVE-2006-4925, CVE-2006-5051)
Summary:
Revision Changes Path
1.14.2.3 +206 -0 openpkg-src/openssh/openssh.patch
1.153.2.5 +1 -1 openpkg-src/openssh/openssh.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openssh/openssh.patch
============================================================================
$ cvs diff -u -r1.14.2.2 -r1.14.2.3 openssh.patch
--- openpkg-src/openssh/openssh.patch 20 Feb 2006 13:38:30 -0000 1.14.2.2
+++ openpkg-src/openssh/openssh.patch 1 Oct 2006 08:24:21 -0000 1.14.2.3
@@ -340,3 +340,209 @@
err = interactive_loop(in, out, file1, file2);
+-----------------------------------------------------------------------------
+
+Security Fixes (CVE-2006-4924)
+
+Index: deattack.c
+--- deattack.c.orig 2003-09-22 13:04:23 +0200
++++ deattack.c 2006-09-29 19:56:07 +0200
+@@ -27,6 +27,24 @@
+ #include "xmalloc.h"
+ #include "deattack.h"
+
++/*
++ * CRC attack detection has a worst-case behaviour that is O(N^3) over
++ * the number of identical blocks in a packet. This behaviour can be
++ * exploited to create a limited denial of service attack.
++ *
++ * However, because we are dealing with encrypted data, identical
++ * blocks should only occur every 2^35 maximally-sized packets or so.
++ * Consequently, we can detect this DoS by looking for identical blocks
++ * in a packet.
++ *
++ * The parameter below determines how many identical blocks we will
++ * accept in a single packet, trading off between attack detection and
++ * likelihood of terminating a legitimate connection. A value of 32
++ * corresponds to an average of 2^40 messages before an attack is
++ * misdetected
++ */
++#define MAX_IDENTICAL 32
++
+ /* SSH Constants */
+ #define SSH_MAXBLOCKS (32 * 1024)
+ #define SSH_BLOCKSIZE (8)
+@@ -87,7 +105,7 @@
+ static u_int16_t *h = (u_int16_t *) NULL;
+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ u_int32_t i, j;
+- u_int32_t l;
++ u_int32_t l, same;
+ u_char *c;
+ u_char *d;
+
+@@ -133,11 +151,13 @@
+ if (IV)
+ h[HASH(IV) & (n - 1)] = HASH_IV;
+
+- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
++ for (c = buf, same = j = -1; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+ i = (i + 1) & (n - 1)) {
+ if (h[i] == HASH_IV) {
+ if (!CMP(c, IV)) {
++ if (++same > MAX_IDENTICAL)
++ return (DEATTACK_DOS_DETECTED);
+ if (check_crc(c, buf, len, IV))
+ return (DEATTACK_DETECTED);
+ else
+Index: deattack.h
+--- deattack.h.orig 2001-07-04 06:46:57 +0200
++++ deattack.h 2006-09-29 19:54:32 +0200
+@@ -25,6 +25,7 @@
+ /* Return codes */
+ #define DEATTACK_OK 0
+ #define DEATTACK_DETECTED 1
++#define DEATTACK_DOS_DETECTED 2
+
+ int detect_attack(u_char *, u_int32_t, u_char[8]);
+ #endif
+Index: packet.c
+--- packet.c.orig 2005-08-12 14:10:29 +0200
++++ packet.c 2006-09-29 19:57:25 +0200
+@@ -978,9 +978,16 @@
+ * (C)1998 CORE-SDI, Buenos Aires Argentina
+ * Ariel Futoransky([EMAIL PROTECTED])
+ */
+- if (!receive_context.plaintext &&
+- detect_attack(buffer_ptr(&input), padded_len, NULL) ==
DEATTACK_DETECTED)
+- packet_disconnect("crc32 compensation attack: network attack
detected");
++ if (!receive_context.plaintext) {
++ switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
++ case DEATTACK_DETECTED:
++ packet_disconnect("crc32 compensation attack: "
++ "network attack detected");
++ case DEATTACK_DOS_DETECTED:
++ packet_disconnect("deattack denial of "
++ "service detected");
++ }
++ }
+
+ /* Decrypt data to incoming_packet. */
+ buffer_clear(&incoming_packet);
+
+-----------------------------------------------------------------------------
+
+Security Fixes (CVE-2006-4925)
+
+Index: packet.c
+--- packet.c.orig 2005-08-12 14:10:29 +0200
++++ packet.c 2006-09-29 19:58:02 +0200
+@@ -669,6 +669,9 @@
+ */
+ after_authentication = 1;
+ for (mode = 0; mode < MODE_MAX; mode++) {
++ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
++ if (newkeys[mode] == NULL)
++ continue;
+ comp = &newkeys[mode]->comp;
+ if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ packet_init_compression();
+
+-----------------------------------------------------------------------------
+
+Security Fixes (CVE-2006-5051)
+
+Index: auth.h
+--- auth.h.orig 2005-07-07 03:50:20 +0200
++++ auth.h 2006-10-01 10:05:56 +0200
+@@ -49,6 +49,7 @@
+
+ struct Authctxt {
+ int success;
++ int authenticated; /* authenticated and alarms cancelled */
+ int postponed; /* authentication needs another step */
+ int valid; /* user exists and is allowed to login
*/
+ int attempt;
+Index: defines.h
+--- defines.h.orig 2005-08-31 18:59:49 +0200
++++ defines.h 2006-10-01 10:05:56 +0200
+@@ -540,6 +540,11 @@
+ # undef HAVE_UPDWTMPX
+ #endif
+
++#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
++ defined(SYSLOG_R_SAFE_IN_SIGHAND)
++# define DO_LOG_SAFE_IN_SIGHAND
++#endif
++
+ #if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
+ # define memmove(s1, s2, n) bcopy((s2), (s1), (n))
+ #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
+Index: log.c
+--- log.c.orig 2005-03-09 10:12:48 +0100
++++ log.c 2006-10-01 10:05:56 +0200
+@@ -130,6 +130,20 @@
+ va_end(args);
+ }
+
++void
++sigdie(const char *fmt,...)
++{
++#ifdef DO_LOG_SAFE_IN_SIGHAND
++ va_list args;
++
++ va_start(args, fmt);
++ do_log(SYSLOG_LEVEL_FATAL, fmt, args);
++ va_end(args);
++#endif
++ _exit(1);
++}
++
++
+ /* Log this message (information that usually should go to the log). */
+
+ void
+Index: log.h
+--- log.h.orig 2004-06-22 04:57:44 +0200
++++ log.h 2006-10-01 10:05:56 +0200
+@@ -55,6 +55,7 @@
+
+ void fatal(const char *, ...) __dead __attribute__((format(printf, 1,
2)));
+ void error(const char *, ...) __attribute__((format(printf, 1, 2)));
++void sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void logit(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
+Index: session.c
+--- session.c.orig 2005-08-31 18:59:49 +0200
++++ session.c 2006-10-01 10:05:57 +0200
+@@ -2434,7 +2434,7 @@
+ return;
+ called = 1;
+
+- if (authctxt == NULL)
++ if (authctxt == NULL || !authctxt->authenticated)
+ return;
+ #ifdef KRB5
+ if (options.kerberos_ticket_cleanup &&
+Index: sshd.c
+--- sshd.c.orig 2005-07-26 13:54:56 +0200
++++ sshd.c 2006-10-01 10:05:57 +0200
+@@ -312,7 +312,7 @@
+ kill(pmonitor->m_pid, SIGALRM);
+
+ /* Log error and exit. */
+- fatal("Timeout before authentication for %s", get_remote_ipaddr());
++ sigdie("Timeout before authentication for %s", get_remote_ipaddr());
+ }
+
+ /*
+@@ -1714,6 +1714,7 @@
+ }
+
+ authenticated:
++ authctxt->authenticated = 1;
+ #ifdef SSH_AUDIT_EVENTS
+ audit_event(SSH_AUTH_SUCCESS);
+ #endif
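Review bot: In the deattack.c hunk the rewritten loop header `for (c = buf, same = j = -1; c < (buf + len); c += SSH_BLOCKSIZE, j++)` changes j's starting value from 0 to -1 (0xFFFFFFFF as u_int32_t) as a side effect of the chained assignment; j appears to be the block index that the rest of detect_attack() — outside this hunk — stores into the hash table, so this looks like a transcription slip for `for (c = buf, same = -1, j = 0; ...` and should be checked against the upstream fix before the package is built. Starting `same` at -1 is itself fine, since the unsigned wrap makes `++same` yield 0 on the first identical block. Separately, the packet.c switch on detect_attack() has no `break` after the DEATTACK_DETECTED case and no `default`; it relies on packet_disconnect() never returning, which is presumably true but should be marked with `/* NOTREACHED */` after each packet_disconnect() call so the fall-through is not mistaken for a bug. The enclosing functions of every nested hunk here start and end outside the hunk.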
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/openssh/openssh.spec
============================================================================
$ cvs diff -u -r1.153.2.4 -r1.153.2.5 openssh.spec
--- openpkg-src/openssh/openssh.spec 20 Feb 2006 13:38:30 -0000
1.153.2.4
+++ openpkg-src/openssh/openssh.spec 1 Oct 2006 08:24:21 -0000
1.153.2.5
@@ -41,7 +41,7 @@
Group: Security
License: BSD
Version: %{V_base}%{V_portable}
-Release: 2.5.3
+Release: 2.5.4
# package options
%option with_fsl yes
@@ .