
touch-packages team mailing list archive

[Bug 1485719] Re: Uninitialized struct field in the fix for CVE-2015-5600 causes random auth failures

** Also affects: openssh (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Wily)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Changed in: openssh (Ubuntu Precise)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssh (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssh (Ubuntu Vivid)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssh (Ubuntu Wily)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssh (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: openssh (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: openssh (Ubuntu Vivid)
       Status: New => Confirmed

** Changed in: openssh (Ubuntu Wily)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1485719

Title:
  Uninitialized struct field in the fix for CVE-2015-5600 causes random
  auth failures

Status in openssh package in Ubuntu:
  Confirmed
Status in openssh source package in Precise:
  Confirmed
Status in openssh source package in Trusty:
  Confirmed
Status in openssh source package in Vivid:
  Confirmed
Status in openssh source package in Wily:
  Confirmed

Bug description:
  In Ubuntu 12.04, the fix for CVE-2015-5600[1] just hit upstream in
  package openssh-server_5.9p1-5ubuntu1.6, breaking authentication
  mechanisms that rely on the keyboard-interactive method.  This patch
  introduces the field 'devices_done' to the KbdintAuthctxt struct, but
  does not initialize the field in the kbdint_alloc() function.  On
  Linux, this ends up filling that field with junk data.  The attached
  patch adds the initialization of the `devices_done` field
  alongside the existing initialization code.  This has also been
  reported upstream.

  Reproducing:

  Install openssh-server_5.9p1-5ubuntu1.6
  Add an authentication mechanism that uses the keyboard-interactive method (like libpam-google-authenticator)
  Attempt to log in via the above mechanism.  Instead of consistently prompting the user for input, it will sometimes fall straight through to password auth because the devices_done bit field is initialized with garbage data.

  Downgrading to openssh-server_5.9p1-5ubuntu1.4 solves the issue.

  [1]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719/+subscriptions
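The failure mode the report describes, modelled as an added C example (this is illustrative code written for this page, not the attached patch and not OpenSSH's auth2-chall.c). The struct, the two-entry device table, the helper names and the 0xA5 fill standing in for whatever a recycled heap chunk happens to contain are all assumptions. It keeps the fields the report names and compares an allocator that leaves `devices_done` unwritten against one that clears it alongside the existing initializations, then runs the per-device "already done" check that the CVE-2015-5600 fix relies on:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the context the report describes. Field names follow the report;
 * the layout, device table and helpers are assumptions, not OpenSSH's code. */
typedef struct {
    char        *devices;       /* device list requested by the client */
    int          device;        /* index of the device in use, -1 if none */
    unsigned int nreq;          /* prompts outstanding (unused here) */
    unsigned int devices_done;  /* bitmask: device i already used this auth */
} KbdintAuthctxt;

#define NDEVICES 2
static const char *device_names[NDEVICES] = { "pam", "skey" };

/* Stand-in for xmalloc() handing back a recycled heap chunk: the bytes still
 * hold the previous owner's data. The constructed 0xA5 fill makes the junk
 * deterministic; a real allocator makes it vary, hence "sometimes". */
static void *recycled_alloc(size_t n)
{
    unsigned char *p = malloc(n);
    if (p == NULL)
        abort();
    memset(p, 0xA5, n);
    return p;
}

/* Fields that existed before the CVE fix are initialized in both versions. */
static KbdintAuthctxt *alloc_common(const char *devs)
{
    KbdintAuthctxt *k = recycled_alloc(sizeof *k);
    k->devices = strdup(devs);
    k->device = -1;
    k->nreq = 0;
    return k;
}

/* Regressed version: the new devices_done field is never written. */
static KbdintAuthctxt *kbdint_alloc_buggy(const char *devs)
{
    return alloc_common(devs);
}

/* Patched version: devices_done cleared next to the other initializations
 * (allocating with calloc would achieve the same). */
static KbdintAuthctxt *kbdint_alloc_fixed(const char *devs)
{
    KbdintAuthctxt *k = alloc_common(devs);
    k->devices_done = 0;
    return k;
}

static void kbdint_free(KbdintAuthctxt *k)
{
    free(k->devices);
    free(k);
}

/* Select the requested device unless its devices_done bit is already set,
 * the check that stops a client re-running one device past MaxAuthTries.
 * Returns the device index, or -1 when nothing is usable, which in sshd makes
 * keyboard-interactive fail and the client fall through to the next method. */
static int kbdint_next_device(KbdintAuthctxt *k)
{
    for (int i = 0; i < NDEVICES; i++) {
        if (k->devices_done & (1u << i))
            continue;                       /* a junk bit here skips the device */
        if (strcmp(k->devices, device_names[i]) == 0) {
            k->device = i;
            k->devices_done |= 1u << i;
            return i;
        }
    }
    k->device = -1;
    return -1;
}

/* devices_done as seen by the first login attempt on a fresh context. */
unsigned int initial_flags(int use_fix)
{
    KbdintAuthctxt *k = use_fix ? kbdint_alloc_fixed("pam") : kbdint_alloc_buggy("pam");
    unsigned int flags = k->devices_done;
    kbdint_free(k);
    return flags;
}

/* Device chosen on the n-th request for `requested` within one authentication;
 * -1 means the request was refused. */
int nth_pick(int use_fix, const char *requested, int n)
{
    KbdintAuthctxt *k = use_fix ? kbdint_alloc_fixed(requested) : kbdint_alloc_buggy(requested);
    int r = -1;
    for (int i = 0; i < n; i++)
        r = kbdint_next_device(k);
    kbdint_free(k);
    return r;
}

int main(void)
{
    printf("buggy: flags=0x%08x pam->%d skey->%d\n",
           initial_flags(0), nth_pick(0, "pam", 1), nth_pick(0, "skey", 1));
    printf("fixed: flags=0x%08x pam->%d, pam again->%d\n",
           initial_flags(1), nth_pick(1, "pam", 1), nth_pick(1, "pam", 2));
    return 0;
}
```

With the junk fill, the buggy allocator refuses "pam" (bit 0 happens to be set) yet accepts "skey" (bit 1 clear), which is exactly the "sometimes falls straight through to password auth" symptom: which device breaks depends on the stale heap contents, not on configuration. The fixed allocator accepts the first request and correctly refuses a second use of the same device, the behaviour the CVE fix is meant to add. Note that `-Wall` does not flag a struct member left unwritten through a pointer; Valgrind or MemorySanitizer on the real sshd would, which is the check to run when a patch adds a field to a heap-allocated struct.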
