components/openssh/patches/030-auth_limits_bypass_fix.patch
branchs11-update
changeset 4752 3409fc90e641
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/030-auth_limits_bypass_fix.patch	Mon Aug 03 15:31:47 2015 -0700
@@ -0,0 +1,35 @@
+#
+# This is to fix a keyboard-interactive authentication brute force
+# vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been
+# reserved for this problem, but not officially issued yet. This fix came from
+# OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release.
+# When we upgrade OpenSSH to 7.0 in the future, we will remove this patch.
+#
+--- a/auth2-chall.c	Mon Aug  3 15:25:43 2015
++++ b/auth2-chall.c	Mon Aug  3 15:28:17 2015
[email protected]@ -82,6 +82,7 @@
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
[email protected]@ -168,11 +169,15 @@
+ 		if (len == 0)
+ 			break;
+ 		for (i = 0; devices[i]; i++) {
+-			if (!auth2_method_allowed(authctxt,
++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++			    !auth2_method_allowed(authctxt,
+ 			    "keyboard-interactive", devices[i]->name))
+ 				continue;
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++			if (strncmp(kbdintctxt->devices, devices[i]->name,
++			    len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
+ 		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;