pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/openssh Add patches to fix the problem report...
details: https://anonhg.NetBSD.org/pkgsrc/rev/a5c2899cea51
branches: trunk
changeset: 519041:a5c2899cea51
user: taca <taca%pkgsrc.org@localhost>
date: Wed Sep 27 16:10:59 2006 +0000
description:
Add patches to fix the problem reported by Secunia Advisory SA22091 (also
CVS-2006-4924); "OpenSSH Identical Blocks Denial of Service Vulnerability"
referring to OpenBSD's CVS repository.
Bump PKGREVISION.
diffstat:
security/openssh/Makefile | 3 +-
security/openssh/distinfo | 11 ++-
security/openssh/patches/patch-ax | 107 ++++++++++++++++++++++++++++++++++++++
security/openssh/patches/patch-ay | 15 +++++
security/openssh/patches/patch-az | 36 ++++++++++++
5 files changed, 167 insertions(+), 5 deletions(-)
diffs (209 lines):
diff -r 1698d98d71a8 -r a5c2899cea51 security/openssh/Makefile
--- a/security/openssh/Makefile Wed Sep 27 15:46:11 2006 +0000
+++ b/security/openssh/Makefile Wed Sep 27 16:10:59 2006 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.169 2006/06/04 14:56:37 joerg Exp $
+# $NetBSD: Makefile,v 1.170 2006/09/27 16:10:59 taca Exp $
DISTNAME= openssh-4.3p1
PKGNAME= openssh-4.3.1
+PKGREVISION= 1
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff -r 1698d98d71a8 -r a5c2899cea51 security/openssh/distinfo
--- a/security/openssh/distinfo Wed Sep 27 15:46:11 2006 +0000
+++ b/security/openssh/distinfo Wed Sep 27 16:10:59 2006 +0000
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.52 2006/02/23 19:02:50 joerg Exp $
+$NetBSD: distinfo,v 1.53 2006/09/27 16:10:59 taca Exp $
+SHA1 (openssh-4.3p1-hpn11.diff) = 22f2c99d314abc400bd1731d9c35b0540cbf2eae
+RMD160 (openssh-4.3p1-hpn11.diff) = c3b807437fd9f40f2ab73c52586de194b84cce6e
+Size (openssh-4.3p1-hpn11.diff) = 11024 bytes
SHA1 (openssh-4.3p1.tar.gz) = b1f379127829e7e820955b2825130edd1601ba59
RMD160 (openssh-4.3p1.tar.gz) = c1d69873ecc453b40d825a2f1b3a0909da815f5e
Size (openssh-4.3p1.tar.gz) = 940777 bytes
-SHA1 (openssh-4.3p1-hpn11.diff) = 22f2c99d314abc400bd1731d9c35b0540cbf2eae
-RMD160 (openssh-4.3p1-hpn11.diff) = c3b807437fd9f40f2ab73c52586de194b84cce6e
-Size (openssh-4.3p1-hpn11.diff) = 11024 bytes
SHA1 (patch-aa) = 213f5f5a3c7ae0bceafac1b169063fc71806dc7c
SHA1 (patch-ab) = 6c71ad1a39a1d6f7e48fc244993a4189c2cd9ef7
SHA1 (patch-ac) = 8c625fdaca4d73c27e4e68b5bb3aa54327eb61ff
@@ -29,3 +29,6 @@
SHA1 (patch-au) = 052b0b6d8869ad09144e4fc9e1b3c5e03c669c44
SHA1 (patch-av) = 5543fcf94eaad26e27043c1527921e23ecfefc77
SHA1 (patch-aw) = 95d49965b0f24bf117e790785d3a8ef553865bda
+SHA1 (patch-ax) = 2c6923c767e7549d746d35358ecef2156012b227
+SHA1 (patch-ay) = e64d4266556ce05a5fd5e14ee4e988e7bf075576
+SHA1 (patch-az) = 341c42c82ddb6177bd8ac41813d6ad1e4b6e3839
diff -r 1698d98d71a8 -r a5c2899cea51 security/openssh/patches/patch-ax
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/openssh/patches/patch-ax Wed Sep 27 16:10:59 2006 +0000
@@ -0,0 +1,107 @@
+$NetBSD: patch-ax,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091
+
+--- deattack.c.orig Mon Sep 22 20:04:23 2003
++++ deattack.c
+@@ -27,6 +27,24 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/
+ #include "xmalloc.h"
+ #include "deattack.h"
+
++/*
++ * CRC attack detection has a worst-case behaviour that is O(N^3) over
++ * the number of identical blocks in a packet. This behaviour can be
++ * exploited to create a limited denial of service attack.
++ *
++ * However, because we are dealing with encrypted data, identical
++ * blocks should only occur every 2^35 maximally-sized packets or so.
++ * Consequently, we can detect this DoS by looking for identical blocks
++ * in a packet.
++ *
++ * The parameter below determines how many identical blocks we will
++ * accept in a single packet, trading off between attack detection and
++ * likelihood of terminating a legitimate connection. A value of 32
++ * corresponds to an average of 2^40 messages before an attack is
++ * misdetected
++ */
++#define MAX_IDENTICAL 32
++
+ /* SSH Constants */
+ #define SSH_MAXBLOCKS (32 * 1024)
+ #define SSH_BLOCKSIZE (8)
+@@ -56,17 +74,12 @@ crc_update(u_int32_t *a, u_int32_t b)
+
+ /* detect if a block is used in a particular pattern */
+ static int
+-check_crc(u_char *S, u_char *buf, u_int32_t len,
+- u_char *IV)
++check_crc(u_char *S, u_char *buf, u_int32_t len)
+ {
+ u_int32_t crc;
+ u_char *c;
+
+ crc = 0;
+- if (IV && !CMP(S, IV)) {
+- crc_update(&crc, 1);
+- crc_update(&crc, 0);
+- }
+ for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+ if (!CMP(S, c)) {
+ crc_update(&crc, 1);
+@@ -82,12 +95,12 @@ check_crc(u_char *S, u_char *buf, u_int3
+
+ /* Detect a crc32 compensation attack on a packet */
+ int
+-detect_attack(u_char *buf, u_int32_t len, u_char *IV)
++detect_attack(u_char *buf, u_int32_t len)
+ {
+ static u_int16_t *h = (u_int16_t *) NULL;
+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ u_int32_t i, j;
+- u_int32_t l;
++ u_int32_t l, same;
+ u_char *c;
+ u_char *d;
+
+@@ -111,15 +124,9 @@ detect_attack(u_char *buf, u_int32_t len
+
+ if (len <= HASH_MINBLOCKS) {
+ for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+- if (IV && (!CMP(c, IV))) {
+- if ((check_crc(c, buf, len, IV)))
+- return (DEATTACK_DETECTED);
+- else
+- break;
+- }
+ for (d = buf; d < c; d += SSH_BLOCKSIZE) {
+ if (!CMP(c, d)) {
+- if ((check_crc(c, buf, len, IV)))
++ if ((check_crc(c, buf, len)))
+ return (DEATTACK_DETECTED);
+ else
+ break;
+@@ -130,21 +137,11 @@ detect_attack(u_char *buf, u_int32_t len
+ }
+ memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
+
+- if (IV)
+- h[HASH(IV) & (n - 1)] = HASH_IV;
+-
+- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
++ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+ i = (i + 1) & (n - 1)) {
+- if (h[i] == HASH_IV) {
+- if (!CMP(c, IV)) {
+- if (check_crc(c, buf, len, IV))
+- return (DEATTACK_DETECTED);
+- else
+- break;
+- }
+- } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+- if (check_crc(c, buf, len, IV))
++ if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
++ if (check_crc(c, buf, len))
+ return (DEATTACK_DETECTED);
+ else
+ break;
diff -r 1698d98d71a8 -r a5c2899cea51 security/openssh/patches/patch-ay
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/openssh/patches/patch-ay Wed Sep 27 16:10:59 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ay,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091
+
+--- deattack.h.orig Wed Jul 4 13:46:57 2001
++++ deattack.h
+@@ -25,6 +25,7 @@
+ /* Return codes */
+ #define DEATTACK_OK 0
+ #define DEATTACK_DETECTED 1
++#define DEATTACK_DOS_DETECTED 2
+
+-int detect_attack(u_char *, u_int32_t, u_char[8]);
++int detect_attack(u_char *, u_int32_t);
+ #endif
diff -r 1698d98d71a8 -r a5c2899cea51 security/openssh/patches/patch-az
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/openssh/patches/patch-az Wed Sep 27 16:10:59 2006 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-az,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091 + one more OpenBSD's CVS update 1.144-1.145
+
+--- packet.c.orig Sat Nov 5 13:15:00 2005
++++ packet.c
+@@ -669,6 +669,9 @@ packet_enable_delayed_compress(void)
+ */
+ after_authentication = 1;
+ for (mode = 0; mode < MODE_MAX; mode++) {
++ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
++ if (newkeys[mode] == NULL)
++ continue;
+ comp = &newkeys[mode]->comp;
+ if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ packet_init_compression();
+@@ -978,9 +981,16 @@ packet_read_poll1(void)
+ * (C)1998 CORE-SDI, Buenos Aires Argentina
+ * Ariel Futoransky(futo%core-sdi.com@localhost)
+ */
+- if (!receive_context.plaintext &&
+- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
+- packet_disconnect("crc32 compensation attack: network attack detected");
++ if (!receive_context.plaintext) {
++ switch (detect_attack(buffer_ptr(&input), padded_len)) {
++ case DEATTACK_DETECTED:
++ packet_disconnect("crc32 compensation attack: "
++ "network attack detected");
++ case DEATTACK_DOS_DETECTED:
++ packet_disconnect("deattack denial of "
++ "service detected");
++ }
++ }
+
+ /* Decrypt data to incoming_packet. */
+ buffer_clear(&incoming_packet);
Home |
Main Index |
Thread Index |
Old Index