Fix for CVE-2015-5600 can erroneously prevent logging in sometimes
Damien Miller
djm at mindrot.org
Tue Aug 18 10:48:36 AEST 2015
On Mon, 17 Aug 2015, Ethan Rahn wrote:
> Hello,
>
> When testing a fix for CVE-2015-5600 based on the Ubuntu patch in
> openssh-5.9 (
> https://launchpadlibrarian.net/214490716/openssh_1%3A5.9p1-5ubuntu1.4_1%3A5.9p1-5ubuntu1.6.diff.gz
> ), I noticed that there was an issue with getting permission denied when
> trying to log in lots of times with what should be valid credentials.
>
> The symptom was when logging in with the command and sshd_config below I
> would get permission denied sometimes and permission granted other times.
> Upon investigating the reason for permission being denied was sshd
> erroneously thinking "pam" had already been used as a login method on the
> first attempt to use it. This appeared to be related to the kbdinit_alloc
> function in auth2_chall.c not initializing devices_done. Once I made the
> following patch the issue went away:
>
> @@ -130,6 +131,7 @@ kbdint_alloc(const char *devs)
> kbdintctxt->ctxt = NULL;
> kbdintctxt->device = NULL;
> kbdintctxt->nreq = 0;
> + kbdintctxt->devices_done = 0;
>
> return kbdintctxt;
> }
Your patch is needed for openssh <= 6.3. Newer versions have used calloc
to allocate kbdintctxt. Whoever backported the patch for 7.0 should have
checked to begin with.
-d
More information about the openssh-unix-dev
mailing list