[arch-commits] Commit in openssh/trunk (PKGBUILD keyboard-interactive.patch)
Gaetan Bisson
bisson at archlinux.org
Thu Jul 23 02:38:37 UTC 2015
Date: Thursday, July 23, 2015 @ 04:38:36
Author: bisson
Revision: 242452
fix https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
Added:
openssh/trunk/keyboard-interactive.patch
Modified:
openssh/trunk/PKGBUILD
----------------------------+
PKGBUILD | 9 ++++++-
keyboard-interactive.patch | 52 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2015-07-23 00:53:11 UTC (rev 242451)
+++ PKGBUILD 2015-07-23 02:38:36 UTC (rev 242452)
@@ -5,7 +5,7 @@
pkgname=openssh
pkgver=6.9p1
-pkgrel=1
+pkgrel=2
pkgdesc='Free version of the SSH connectivity tools'
url='http://www.openssh.org/portable.html'
license=('custom:BSD')
@@ -16,6 +16,7 @@
'x11-ssh-askpass: input passphrase in X')
validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+ 'keyboard-interactive.patch'
'sshdgenkeys.service'
'sshd at .service'
'sshd.service'
@@ -23,6 +24,7 @@
'sshd.conf'
'sshd.pam')
sha1sums=('86ab57f00d0fd9bf302760f2f6deac1b6e9df265' 'SKIP'
+ 'ef9e9327a943839abb3d202783b318e9cd2bdcd5'
'cc1ceec606c98c7407e7ac21ade23aed81e31405'
'6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
'ec49c6beba923e201505f5669cea48cad29014db'
@@ -34,6 +36,11 @@
install=install
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ../keyboard-interactive.patch
+}
+
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
Added: keyboard-interactive.patch
===================================================================
--- keyboard-interactive.patch (rev 0)
+++ keyboard-interactive.patch 2015-07-23 02:38:36 UTC (rev 242452)
@@ -0,0 +1,52 @@
+From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
+From: "djm at openbsd.org" <djm at openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: upstream commit
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+---
+ auth2-chall.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ddabe1a..4aff09d 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
++/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
+ /*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2001 Per Allansson. All rights reserved.
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+ if (len == 0)
+ break;
+ for (i = 0; devices[i]; i++) {
+- if (!auth2_method_allowed(authctxt,
++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++ !auth2_method_allowed(authctxt,
+ "keyboard-interactive", devices[i]->name))
+ continue;
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
+ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+--
+cgit v0.11.2
+
More information about the arch-commits
mailing list