ssh - Remove undocumented roaming support CVE-2016-0777 CVE-2016-0778
authorMatthew Dillon <dillon@apollo.backplane.com>
Thu, 14 Jan 2016 17:06:23 +0000 (09:06 -0800)
committerMatthew Dillon <dillon@apollo.backplane.com>
Thu, 14 Jan 2016 17:06:23 +0000 (09:06 -0800)
* Remove client-side 'roaming' feature as per openbsd patch.

* CVE-2016-0777 CVE-2016-0778.  A malicious server can trick the client
  into potentially leaking key material.

crypto/openssh/readconf.c
crypto/openssh/ssh.c

index 9c24952..c339873 100644 (file)
@@ -1658,7 +1658,7 @@ initialize_options(Options * options)
        options->tun_remote = -1;
        options->local_command = NULL;
        options->permit_local_command = -1;
-       options->use_roaming = -1;
+       options->use_roaming = 0;       /* default off CVE-2016-0777,0778 */
        options->visual_host_key = -1;
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
@@ -1864,8 +1864,7 @@ fill_default_options(Options * options)
                options->tun_remote = SSH_TUNID_ANY;
        if (options->permit_local_command == -1)
                options->permit_local_command = 0;
-       if (options->use_roaming == -1)
-               options->use_roaming = 1;
+       options->use_roaming = 0;       /* force off CVE-2016-0777,0778 */
        if (options->visual_host_key == -1)
                options->visual_host_key = 0;
        if (options->ip_qos_interactive == -1)
index 9aeaf49..6973b23 100644 (file)
@@ -1878,9 +1878,6 @@ ssh_session2(void)
                        fork_postauth();
        }
 
-       if (options.use_roaming)
-               request_roaming();
-
        return client_loop(tty_flag, tty_flag ?
            options.escape_char : SSH_ESCAPECHAR_NONE, id);
 }