Date: Tue, 25 Aug 2015 20:48:52 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r287145 - in releng/10.2: . crypto/openssh sys/conf usr.sbin/pkg Message-ID: <201508252048.t7PKmqVN051046@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Tue Aug 25 20:48:51 2015 New Revision: 287145 URL: https://svnweb.freebsd.org/changeset/base/287145 Log: Fix OpenSSH multiple vulnerabilities. [SA-15:22] Fix insufficient check of unsupported pkg(7) signature methods. [EN-15:15] Approved by: so Modified: releng/10.2/UPDATING releng/10.2/crypto/openssh/monitor.c releng/10.2/crypto/openssh/monitor_wrap.c releng/10.2/crypto/openssh/mux.c releng/10.2/sys/conf/newvers.sh releng/10.2/usr.sbin/pkg/pkg.c Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Tue Aug 25 20:48:44 2015 (r287144) +++ releng/10.2/UPDATING Tue Aug 25 20:48:51 2015 (r287145) @@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150825: p2 FreeBSD-SA-15:22.openssh + FreeBSD-EN-15:15.pkg + Fix OpenSSH multiple vulnerabilities. [SA-15:22] + + Fix insufficient check of unsupported pkg(7) signature methods. + [EN-15:15] + 20150818: p1 FreeBSD-SA-15:20.expat FreeBSD-EN-15:11.toolchain FreeBSD-EN-15:12.netstat Modified: releng/10.2/crypto/openssh/monitor.c ============================================================================== --- releng/10.2/crypto/openssh/monitor.c Tue Aug 25 20:48:44 2015 (r287144) +++ releng/10.2/crypto/openssh/monitor.c Tue Aug 25 20:48:51 2015 (r287145) @@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device; int mm_answer_pam_init_ctx(int sock, Buffer *m) { - debug3("%s", __func__); - authctxt->user = buffer_get_string(m, NULL); sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); sshpam_authok = NULL; buffer_clear(m); @@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer * int mm_answer_pam_free_ctx(int sock, Buffer *m) { + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; debug3("%s", __func__); (sshpam_device.free_ctx)(sshpam_ctxt); + sshpam_ctxt = sshpam_authok = NULL; buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); auth_method = "keyboard-interactive"; auth_submethod = "pam"; - return (sshpam_authok == sshpam_ctxt); + return r; } #endif Modified: releng/10.2/crypto/openssh/monitor_wrap.c ============================================================================== --- releng/10.2/crypto/openssh/monitor_wrap.c Tue Aug 25 20:48:44 2015 (r287144) +++ releng/10.2/crypto/openssh/monitor_wrap.c Tue Aug 25 20:48:51 2015 (r287145) @@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) debug3("%s", __func__); buffer_init(&m); - buffer_put_cstring(&m, authctxt->user); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); Modified: releng/10.2/crypto/openssh/mux.c ============================================================================== --- releng/10.2/crypto/openssh/mux.c Tue Aug 25 20:48:44 2015 (r287144) +++ releng/10.2/crypto/openssh/mux.c Tue Aug 25 20:48:51 2015 (r287145) @@ -633,7 +633,8 @@ process_mux_open_fwd(u_int rid, Channel u_int lport, cport; int i, ret = 0, freefwd = 1; - fwd.listen_host = fwd.connect_host = NULL; + memset(&fwd, 0, sizeof(fwd)); + if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&lport, m) != 0 || @@ -783,7 +784,8 @@ process_mux_close_fwd(u_int rid, Channel int i, listen_port, ret = 0; u_int lport, cport; - fwd.listen_host = fwd.connect_host = NULL; + memset(&fwd, 0, sizeof(fwd)); + if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&lport, m) != 0 || Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Tue Aug 25 20:48:44 2015 (r287144) +++ releng/10.2/sys/conf/newvers.sh Tue Aug 25 20:48:51 2015 (r287145) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/usr.sbin/pkg/pkg.c ============================================================================== --- releng/10.2/usr.sbin/pkg/pkg.c Tue Aug 25 20:48:44 2015 (r287144) +++ releng/10.2/usr.sbin/pkg/pkg.c Tue Aug 25 20:48:51 2015 (r287145) @@ -767,7 +767,13 @@ bootstrap_pkg(bool force) goto fetchfail; if (signature_type != NULL && - strcasecmp(signature_type, "FINGERPRINTS") == 0) { + strcasecmp(signature_type, "NONE") != 0) { + if (strcasecmp(signature_type, "FINGERPRINTS") != 0) { + warnx("Signature type %s is not supported for " + "bootstrapping.", signature_type); + goto cleanup; + } + snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX", getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP); snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig", @@ -855,7 +861,13 @@ bootstrap_pkg_local(const char *pkgpath, goto cleanup; } if (signature_type != NULL && - strcasecmp(signature_type, "FINGERPRINTS") == 0) { + strcasecmp(signature_type, "NONE") != 0) { + if (strcasecmp(signature_type, "FINGERPRINTS") != 0) { + warnx("Signature type %s is not supported for " + "bootstrapping.", signature_type); + goto cleanup; + } + snprintf(path, sizeof(path), "%s.sig", pkgpath); if ((fd_sig = open(path, O_RDONLY)) == -1) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508252048.t7PKmqVN051046>