From owner-svn-src-all@freebsd.org  Tue Aug 25 20:48:54 2015
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D1DE299A703;
 Tue, 25 Aug 2015 20:48:54 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 34802A83;
 Tue, 25 Aug 2015 20:48:54 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7PKmrAv051054;
 Tue, 25 Aug 2015 20:48:53 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7PKmqVN051046;
 Tue, 25 Aug 2015 20:48:52 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201508252048.t7PKmqVN051046@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Tue, 25 Aug 2015 20:48:52 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r287145 - in releng/10.2: . crypto/openssh sys/conf
 usr.sbin/pkg
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 20:48:55 -0000

Author: delphij
Date: Tue Aug 25 20:48:51 2015
New Revision: 287145
URL: https://svnweb.freebsd.org/changeset/base/287145

Log:
  Fix OpenSSH multiple vulnerabilities. [SA-15:22]
  
  Fix insufficient check of unsupported pkg(7) signature methods.
  [EN-15:15]
  
  Approved by:	so

Modified:
  releng/10.2/UPDATING
  releng/10.2/crypto/openssh/monitor.c
  releng/10.2/crypto/openssh/monitor_wrap.c
  releng/10.2/crypto/openssh/mux.c
  releng/10.2/sys/conf/newvers.sh
  releng/10.2/usr.sbin/pkg/pkg.c

Modified: releng/10.2/UPDATING
==============================================================================
--- releng/10.2/UPDATING	Tue Aug 25 20:48:44 2015	(r287144)
+++ releng/10.2/UPDATING	Tue Aug 25 20:48:51 2015	(r287145)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20150825:	p2	FreeBSD-SA-15:22.openssh
+			FreeBSD-EN-15:15.pkg
+	Fix OpenSSH multiple vulnerabilities. [SA-15:22]
+
+	Fix insufficient check of unsupported pkg(7) signature methods.
+	[EN-15:15]
+
 20150818:	p1	FreeBSD-SA-15:20.expat
 			FreeBSD-EN-15:11.toolchain
 			FreeBSD-EN-15:12.netstat

Modified: releng/10.2/crypto/openssh/monitor.c
==============================================================================
--- releng/10.2/crypto/openssh/monitor.c	Tue Aug 25 20:48:44 2015	(r287144)
+++ releng/10.2/crypto/openssh/monitor.c	Tue Aug 25 20:48:51 2015	(r287145)
@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
-
 	debug3("%s", __func__);
-	authctxt->user = buffer_get_string(m, NULL);
 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
 	sshpam_authok = NULL;
 	buffer_clear(m);
@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif
 

Modified: releng/10.2/crypto/openssh/monitor_wrap.c
==============================================================================
--- releng/10.2/crypto/openssh/monitor_wrap.c	Tue Aug 25 20:48:44 2015	(r287144)
+++ releng/10.2/crypto/openssh/monitor_wrap.c	Tue Aug 25 20:48:51 2015	(r287145)
@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
 
 	debug3("%s", __func__);
 	buffer_init(&m);
-	buffer_put_cstring(&m, authctxt->user);
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);

Modified: releng/10.2/crypto/openssh/mux.c
==============================================================================
--- releng/10.2/crypto/openssh/mux.c	Tue Aug 25 20:48:44 2015	(r287144)
+++ releng/10.2/crypto/openssh/mux.c	Tue Aug 25 20:48:51 2015	(r287145)
@@ -633,7 +633,8 @@ process_mux_open_fwd(u_int rid, Channel 
 	u_int lport, cport;
 	int i, ret = 0, freefwd = 1;
 
-	fwd.listen_host = fwd.connect_host = NULL;
+	memset(&fwd, 0, sizeof(fwd));
+
 	if (buffer_get_int_ret(&ftype, m) != 0 ||
 	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
 	    buffer_get_int_ret(&lport, m) != 0 ||
@@ -783,7 +784,8 @@ process_mux_close_fwd(u_int rid, Channel
 	int i, listen_port, ret = 0;
 	u_int lport, cport;
 
-	fwd.listen_host = fwd.connect_host = NULL;
+	memset(&fwd, 0, sizeof(fwd));
+
 	if (buffer_get_int_ret(&ftype, m) != 0 ||
 	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
 	    buffer_get_int_ret(&lport, m) != 0 ||

Modified: releng/10.2/sys/conf/newvers.sh
==============================================================================
--- releng/10.2/sys/conf/newvers.sh	Tue Aug 25 20:48:44 2015	(r287144)
+++ releng/10.2/sys/conf/newvers.sh	Tue Aug 25 20:48:51 2015	(r287145)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.2/usr.sbin/pkg/pkg.c
==============================================================================
--- releng/10.2/usr.sbin/pkg/pkg.c	Tue Aug 25 20:48:44 2015	(r287144)
+++ releng/10.2/usr.sbin/pkg/pkg.c	Tue Aug 25 20:48:51 2015	(r287145)
@@ -767,7 +767,13 @@ bootstrap_pkg(bool force)
 		goto fetchfail;
 
 	if (signature_type != NULL &&
-	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+	    strcasecmp(signature_type, "NONE") != 0) {
+		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
+			goto cleanup;
+		}
+
 		snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
 		    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
 		snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
@@ -855,7 +861,13 @@ bootstrap_pkg_local(const char *pkgpath,
 		goto cleanup;
 	}
 	if (signature_type != NULL &&
-	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+	    strcasecmp(signature_type, "NONE") != 0) {
+		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
+			goto cleanup;
+		}
+
 		snprintf(path, sizeof(path), "%s.sig", pkgpath);
 
 		if ((fd_sig = open(path, O_RDONLY)) == -1) {