From djm at cvs.openbsd.org  Tue May  3 10:48:57 2011
From: djm at cvs.openbsd.org (Damien Miller)
Date: Mon, 2 May 2011 18:48:57 -0600 (MDT)
Subject: [openssh-unix-announce] Revised: Portable OpenSSH security
	advisory: portable-keysign-rand-helper.adv
Message-ID: <201105030048.p430mv7q011791@cvs.openbsd.org>

OpenSSH Security Advisory: portable-keysign-rand-helper.adv

This document may be found at:
http://www.openssh.com/txt/portable-keysign-rand-helper.adv

1. Vulnerability

        Portable OpenSSH's ssh-keysign utility may allow unauthorised
        local access to host keys on platforms if ssh-rand-helper is
        used.

2. Affected configurations

        Portable OpenSSH prior to version 5.8p2 only on platforms
        that are configured to use ssh-rand-helper for entropy
        collection.

        ssh-rand-helper is enabled at configure time when it is
        detected that OpenSSL does not have a built-in source of
        randomness, and only used at runtime if this condition
        remains. Platforms that support /dev/random or otherwise
        configure OpenSSL with a random number provider are not
        vulnerable.

        In particular, *BSD, OS X, Cygwin and Linux are not
        affected.

3. Mitigation

        If host-based authentication is not in use (enabled using
        HostBasedAuthentication or RhostsRSAAuthentication in
        sshd_config), then remove the setuid bit from ssh-keysign.

4. Details

        ssh-keysign is a setuid helper program that is used to mediate
        access to the host's private host keys during host-based
        authentication. It would use its elevated privilege to open
        the keys and then immediately drop privileges to complete its
        cryptographic signing operations.

        After privilege was dropped, ssh-keysign would ensure that
        the OpenSSL random number generator that it depends upon was
        adequately prepared. On configurations that lacked a built-in
        source of entropy in OpenSSL, ssh-keysign would execute the
        ssh-rand-helper program to attempt to retrieve some from the
        system environment.

        However, the file descriptors to the host private key files
        were not closed prior to executing ssh-rand-helper. Since this
        process was "born unprivileged" and inherited the sensitive
        file descriptors, there was no protection against an attacker
        using ptrace(2) to attach to it and instructing it to read out
        the private keys.

5. Credit

        This issue was privately reported by Tomas Mraz on April 26,
        2011.

6. Fix

        OpenSSH 5.8p2 contains a fix for this vulnerability.

        Future releases of portable OpenSSH will remove support for
        ssh-rand-helper - in 2011, there is no excuse for not
        providing a /dev/random-like interface as part of the OS.
        Users stuck on one of these platforms may use PRNGd
        (http://prngd.sf.net) to provide a host-wide random pool.

        Users of older versions that do not wish to upgrade
        immediately may apply this patch:

Index: ssh-keysign.c
===================================================================
RCS file: /var/cvs/openssh/ssh-keysign.c,v
retrieving revision 1.43
diff -u -p -r1.43 ssh-keysign.c
--- ssh-keysign.c	10 Sep 2010 01:12:09 -0000	1.43
+++ ssh-keysign.c	29 Apr 2011 01:25:55 -0000
@@ -167,6 +167,9 @@ main(int argc, char **argv)
 
 	key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 	key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+	if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
+	    fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0)
+		fatal("fcntl failed");
 
 	original_real_uid = getuid();	/* XXX readconf.c needs this */
 	if ((pw = getpwuid(original_real_uid)) == NULL)

From djm at cvs.openbsd.org  Tue May  3 10:50:41 2011
From: djm at cvs.openbsd.org (Damien Miller)
Date: Mon, 2 May 2011 18:50:41 -0600 (MDT)
Subject: [openssh-unix-announce] Announce: Portable OpenSSH 5.8p2 released
Message-ID: <201105030050.p430ofGT001241@cvs.openbsd.org>

Portable OpenSSH 5.8p2 has just been released. It will be available
from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Changes since OpenSSH 5.8p1
===========================

Security:

 * Fix local private host key compromise on platforms without host-
   level randomness support (e.g. /dev/random) reported by Tomas Mraz

   On hosts that did not have a randomness source configured in
   OpenSSL and were not configured to use EGD/PRNGd (using the
   --with-prngd-socket configure option), the ssh-rand-helper command
   was being implicitly executed by ssh-keysign with open file
   descriptors to the host private keys. An attacker could use
   ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys.

   Most modern operating systems are not vulnerable. In particular,
   *BSD, Linux, OS X and Cygwin do not use ssh-rand-helper.

   A full advisory for this issue is available at:
   http://www.openssh.com/txt/portable-keysign-rand-helper.adv

Portable OpenSSH Bugfixes:

 * Fix compilation failure when enabling SELinux support.

 * Revised Cygwin ssh-{host,user}-config that include ECDSA key
   support.

 * Revised Cygwin ssh-host-config to be more thorough in error checking
   and reporting.

Checksums:
==========

 - SHA1 (openssh-5.8p2.tar.gz) = e610270e0c5484fb291cd81bbcbefbeb5e391a62

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.


From djm at mindrot.org  Thu May  5 12:03:11 2011
From: djm at mindrot.org (Damien Miller)
Date: Thu, 5 May 2011 12:03:11 +1000 (EST)
Subject: [openssh-unix-announce] Incorrect version identifier in 5.8p2
	release
Message-ID: <alpine.BSO.2.00.1105051159540.3317@natsu.mindrot.org>

Hi,

The OpenSSH 5.8p2 release shipped with the wrong version identified
embedded in version.h (it still identified itself as "5.8p1").
I have cut and uploaded a new release with this mistake corrected.

The checksum for the revised tarball is:

SHA1 (openssh-5.8p2.tar.gz) = 64798328d310e4f06c9f01228107520adbc8b3e5

As usual, this file is signed with gzsig and PGP.

Apologies for any inconvenience and thanks to Charles Johnston for
bringing the problem to my attention.

-d