Fix for CVE-2015-5600 can erroneously prevent logging in sometimes

Damien Miller djm at mindrot.org
Tue Aug 18 10:48:36 AEST 2015


On Mon, 17 Aug 2015, Ethan Rahn wrote:

> Hello,
> 
> When testing a fix for CVE-2015-5600 based on the Ubuntu patch in
> openssh-5.9 (
> https://launchpadlibrarian.net/214490716/openssh_1%3A5.9p1-5ubuntu1.4_1%3A5.9p1-5ubuntu1.6.diff.gz
> ), I noticed that there was an issue with getting permission denied when
> trying to log in lots of times with what should be valid credentials.
> 
> The symptom was when logging in with the command and sshd_config below I
> would get permission denied sometimes and permission granted other times.
> Upon investigating, the reason for permission being denied was sshd
> erroneously thinking "pam" had already been used as a login method on the
> first attempt to use it. This appeared to be related to the kbdint_alloc
> function in auth2_chall.c not initializing devices_done. Once I made the
> following patch the issue went away:
> 
> @@ -130,6 +131,7 @@ kbdint_alloc(const char *devs)
>         kbdintctxt->ctxt = NULL;
>         kbdintctxt->device = NULL;
>         kbdintctxt->nreq = 0;
> +       kbdintctxt->devices_done = 0;
> 
>         return kbdintctxt;
>  }
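Review bot: the added `kbdintctxt->devices_done = 0;` is correct for a malloc-allocated context, but it leaves the backport depending on every new field being remembered individually; since kbdintctxt is already being zero-filled field by field here (ctxt, device, nreq), consider switching the allocation in kbdint_alloc to calloc, which is what newer OpenSSH does, so that devices_done and any future field start at zero without an explicit assignment.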

Your patch is needed for openssh <= 6.3. Newer versions have used calloc
to allocate kbdintctxt. Whoever backported the patch for 7.0 should have
checked to begin with.

-d
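As an added illustration (constructed here, not OpenSSH's own code), the two allocation styles the thread contrasts, together with a minimal model of the devices_done bookkeeping that the CVE-2015-5600 fix relies on; the struct layout, the `kbdint_alloc_malloc`/`kbdint_alloc_calloc` names and `kbdint_select_device` are assumptions made for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of sshd's kbdint context: the real struct has more
 * fields; only those relevant to the devices_done bookkeeping are kept. */
struct kbdint_ctx {
    const char *devices;   /* comma-separated list, e.g. "pam" or "bsdauth,pam" */
    int nreq;
    unsigned devices_done; /* bit i is set once device i has been tried */
};

/* Pre-6.3 style: malloc plus explicit per-field init (what the hunk patches). */
struct kbdint_ctx *kbdint_alloc_malloc(const char *devs) {
    struct kbdint_ctx *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->devices = devs;
    c->nreq = 0;
    c->devices_done = 0; /* the assignment the backport had lost */
    return c;
}

/* Newer style: calloc zeroes every field, so no field can be forgotten. */
struct kbdint_ctx *kbdint_alloc_calloc(const char *devs) {
    struct kbdint_ctx *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->devices = devs;
    return c;
}

/* Returns the index of the named device if it has not been used yet in this
 * context and marks it used; returns -1 if it is unknown or already done.
 * With stale (non-zero) devices_done the first "pam" attempt fails here,
 * which is the intermittent permission-denied symptom from the report. */
int kbdint_select_device(struct kbdint_ctx *c, const char *name) {
    const char *p = c->devices;
    for (int i = 0; p != NULL && *p != '\0'; i++) {
        size_t len = strcspn(p, ",");
        if (len == strlen(name) && strncmp(p, name, len) == 0) {
            if (c->devices_done & (1u << i)) return -1;
            c->devices_done |= (1u << i);
            return i;
        }
        p += len;
        if (*p == ',') p++;
    }
    return -1;
}
```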


