
Contents of /updates/3/openssh/current/SOURCES/openssh-6.2p2-CVE-2014-2653.patch



Revision 612792 - (show annotations) (download)
Mon Apr 7 21:23:07 2014 UTC (6 years, 4 months ago) by luigiwalser
File size: 2344 byte(s)
add patch from debian to fix CVE-2014-2653
1 Description: Attempt SSHFP lookup even if server presents a certificate
2 If an ssh server presents a certificate to the client, then the client does
3 not check the DNS for SSHFP records. This means that a malicious server can
4 essentially disable DNS-host-key-checking, which means the client will fall
5 back to asking the user (who will just say "yes" to the fingerprint,
6 sadly).
7 .
8 This is CVE-2014-2653.
9 Author: Damien Miller <djm@mindrot.org>
10 Reviewed-by: Matthew Vernon <matthew@debian.org>
11 Bug-Debian: http://bugs.debian.org/742513
12 Forwarded: not-needed
13 Last-Update: 2014-04-03
14
15 Index: b/sshconnect.c
16 ===================================================================
17 --- a/sshconnect.c
18 +++ b/sshconnect.c
19 @@ -1110,29 +1110,39 @@
20 {
21 int flags = 0;
22 char *fp;
23 + Key *plain = NULL;
24
25 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
26 debug("Server host key: %s %s", key_type(host_key), fp);
27 xfree(fp);
28
29 - /* XXX certs are not yet supported for DNS */
30 - if (!key_is_cert(host_key) && options.verify_host_key_dns &&
31 - verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
32 - if (flags & DNS_VERIFY_FOUND) {
33 -
34 - if (options.verify_host_key_dns == 1 &&
35 - flags & DNS_VERIFY_MATCH &&
36 - flags & DNS_VERIFY_SECURE)
37 - return 0;
38 -
39 - if (flags & DNS_VERIFY_MATCH) {
40 - matching_host_key_dns = 1;
41 - } else {
42 - warn_changed_key(host_key);
43 - error("Update the SSHFP RR in DNS with the new "
44 - "host key to get rid of this message.");
45 + if (options.verify_host_key_dns) {
46 + /*
47 + * XXX certs are not yet supported for DNS, so downgrade
48 + * them and try the plain key.
49 + */
50 + plain = key_from_private(host_key);
51 + if (key_is_cert(plain))
52 + key_drop_cert(plain);
53 + if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
54 + if (flags & DNS_VERIFY_FOUND) {
55 + if (options.verify_host_key_dns == 1 &&
56 + flags & DNS_VERIFY_MATCH &&
57 + flags & DNS_VERIFY_SECURE) {
58 + key_free(plain);
59 + return 0;
60 + }
61 + if (flags & DNS_VERIFY_MATCH) {
62 + matching_host_key_dns = 1;
63 + } else {
64 + warn_changed_key(plain);
65 + error("Update the SSHFP RR in DNS "
66 + "with the new host key to get rid "
67 + "of this message.");
68 + }
69 }
70 }
71 + key_free(plain);
72 }
73
74 return check_host_key(host, hostaddr, options.port, host_key, RDRW,
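Review bot: On the DNSSEC-secured match path (`key_free(plain); return 0;`) the function returns before `check_host_key` ever sees the original `host_key`, so when the server presented a certificate its CA signature, principals and validity window are never examined on that path, and the comment at the top of the new block only says the cert is downgraded to try the plain key. If that is intended — the server still has to prove possession of the embedded key, which is what the SSHFP record covers — the comment should state it, e.g. `/* A DNSSEC-secured SSHFP match on the embedded key counts as full host authentication; the certificate wrapper is not validated in that case. */`. The result of `key_from_private` is passed to `key_is_cert` and `verify_host_key_dns` without a NULL check; in this codebase it appears to fatal() on unsupported key types rather than return NULL, but that is inferred rather than visible in the hunk. The enclosing function starts before the hunk (its signature is not shown) and its body continues past the `return check_host_key(...)` line.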
