touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #97065
[Bug 1485719] [NEW] Uninitialized struct field in the fix for CVE-2015-5600 causes random auth failures
Public bug reported:
In Ubuntu 12.04, the fix for CVE-2015-5600[1] just hit upstream in
package openssh-server_5.9p1-5ubuntu1.6, breaking authentication
mechanisms that rely on the keyboard-interactive method. This patch
introduces the field 'devices_done' to the KbdintAuthctxt struct, but
does not initialize the field in the kbdint_alloc() function. On Linux,
this ends up filling that field with junk data. The attached patch
against adds the initialization of the `devices_done` field alongside
the existing initialization code. This has also been reported upstream.
Reproducing:
Install openssh-server_5.9p1-5ubuntu1.6
Add an authentication mechanism that uses the keyboard-interactive method (like libpam-google-authenticator)
Attempt to log in via the above mechanism. Instead of consistently prompting the user for input, it will sometimes fall straight through to password auth because the devices_done bit field is initialized with garbage data.
Downgrading to openssh-server_5.9p1-5ubuntu1.4 solves the issue.
[1]: http://cvsweb.openbsd.org/cgi-
bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Patch added: "CVE-2015-5600_initialize_struct.patch"
https://bugs.launchpad.net/bugs/1485719/+attachment/4446088/+files/CVE-2015-5600_initialize_struct.patch
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1485719
Title:
Uninitialized struct field in the fix for CVE-2015-5600 causes random
auth failures
Status in openssh package in Ubuntu:
New
Bug description:
In Ubuntu 12.04, the fix for CVE-2015-5600[1] just hit upstream in
package openssh-server_5.9p1-5ubuntu1.6, breaking authentication
mechanisms that rely on the keyboard-interactive method. This patch
introduces the field 'devices_done' to the KbdintAuthctxt struct, but
does not initialize the field in the kbdint_alloc() function. On
Linux, this ends up filling that field with junk data. The attached
patch against adds the initialization of the `devices_done` field
alongside the existing initialization code. This has also been
reported upstream.
Reproducing:
Install openssh-server_5.9p1-5ubuntu1.6
Add an authentication mechanism that uses the keyboard-interactive method (like libpam-google-authenticator)
Attempt to log in via the above mechanism. Instead of consistently prompting the user for input, it will sometimes fall straight through to password auth because the devices_done bit field is initialized with garbage data.
Downgrading to openssh-server_5.9p1-5ubuntu1.4 solves the issue.
[1]: http://cvsweb.openbsd.org/cgi-
bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719/+subscriptions
Follow ups