tags 327233 patch
thanks

On Thu, Sep 08, 2005 at 10:11:53AM -0500, Micah Anderson wrote:
> Package: openssh-krb5
> Severity: important
> Tags: security
>
> CAN-2005-2798[1] reads:
>
> sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled,
> allows GSSAPI credentials to be delegated to clients who log in using
> non-GSSAPI methods, which could cause those credentials to be exposed to
> untrusted users or hosts.
>
> Since GSSAPI features are enabled in openssh-krb5/ssh-krb5 and the source
> package tends to use older GSSAPI source, it is likely these binaries
> are vulnerable.
This appears to be the case. The patch from upstream CVS, attached to this
mail, applies cleanly to openssh-krb5 with only harmless offset differences.
Please test the resulting binaries (I don't have a Kerberos setup myself)
and apply.

> GSSAPI is disabled in the main openssh binary packages, but the bug is still
> present in the source (see #326065), so this separate bug is filed against
> this package.

Kerberos/GSSAPI support is enabled in openssh proper as of today's 1:4.2p1-2
upload (after applying the GSSAPI key exchange patch), so I think openssh-krb5
is now a redundant package, but fixing it for those people who will take a
little while to switch over to openssh would still be nice.

Cheers,

-- 
Colin Watson                                       [EMAIL PROTECTED]
Index: gss-serv.c =================================================================== RCS file: /cvs/openssh/gss-serv.c,v retrieving revision 1.7 retrieving revision 1.8 diff -p -u -r1.7 -r1.8 --- gss-serv.c 17 Jul 2005 07:22:45 -0000 1.7 +++ gss-serv.c 31 Aug 2005 09:46:27 -0000 1.8 @@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int int ssh_gssapi_userok(char *user) { + OM_uint32 lmin; + if (gssapi_client.exportedname.length == 0 || gssapi_client.exportedname.value == NULL) { debug("No suitable client data"); return 0; } if (gssapi_client.mech && gssapi_client.mech->userok) - return ((*gssapi_client.mech->userok)(&gssapi_client, user)); + if ((*gssapi_client.mech->userok)(&gssapi_client, user)) + return 1; + else { + /* Destroy delegated credentials if userok fails */ + gss_release_buffer(&lmin, &gssapi_client.displayname); + gss_release_buffer(&lmin, &gssapi_client.exportedname); + gss_release_cred(&lmin, &gssapi_client.creds); + memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); + return 0; + } else debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); return (0); Index: sshconnect2.c =================================================================== RCS file: /cvs/openssh/sshconnect2.c,v retrieving revision 1.130 retrieving revision 1.131 diff -p -u -r1.130 -r1.131 --- sshconnect2.c 26 Jul 2005 11:54:56 -0000 1.130 +++ sshconnect2.c 31 Aug 2005 09:46:27 -0000 1.131 @@ -545,7 +545,8 @@ process_gssapi_token(void *ctxt, gss_buf Authctxt *authctxt = ctxt; Gssctxt *gssctxt = authctxt->methoddata; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; - gss_buffer_desc gssbuf, mic; + gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; + gss_buffer_desc gssbuf; OM_uint32 status, ms, flags; Buffer b;
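Review bot: in the gss-serv.c hunk the credential teardown in ssh_gssapi_userok runs only when mech->userok rejects the user; the other failure path in the same function, the `else debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");` branch that falls through to `return (0);`, leaves gssapi_client, including creds, populated. If the intent is that any 0 return must not leave delegated credentials behind, hoist the three gss_release_* calls and the memset into one block executed on every failure, e.g. compute `ok = (*gssapi_client.mech->userok)(&gssapi_client, user);` (or ok = 0 for an unknown mechanism) and do the cleanup when `!ok`, instead of only in the inner else. The brace-less nesting `if (...) if (...) return 1; else { ... } else debug(...);` is valid C but reads like a dangling-else bug at first glance; braces around the outer body would make the pairing explicit. Minor: the OM_uint32 status from gss_release_cred and gss_release_buffer is discarded, which is acceptable on a teardown path but deserves a one-line comment so it is clearly deliberate.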
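Review bot: in the sshconnect2.c hunk the only change to process_gssapi_token is that `mic` now starts as GSS_C_EMPTY_BUFFER while `gssbuf` is moved to its own declaration and left uninitialized, and the hunk does not say why. The likely reason, that a later cleanup path releases `mic` whether or not it was ever populated, should be stated at the declaration (`/* initialized so the error path can release it unconditionally */`), and if `gssbuf` is released on that same path it needs the same initializer; if it is not, a word about the asymmetry will stop someone from "fixing" it later. Nothing shown in the hunk is incorrect as written.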