ssh - Fix an openssh vulnerability
authorMatthew Dillon <dillon@apollo.backplane.com>
Mon, 3 Aug 2015 01:08:56 +0000 (18:08 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Mon, 3 Aug 2015 01:08:56 +0000 (18:08 -0700)
* Note that this vulnerability cannot occur with
  DragonFly's defaults.

Security:   CVE-2015-5600
Security:   FreeBSD-SA-15:16.openssh

crypto/openssh/auth2-chall.c

index ea4eb69..c400f72 100644 (file)
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
        void *ctxt;
        KbdintDevice *device;
        u_int nreq;
+       u_int devices_done;
 };
 
 #ifdef USE_PAM
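Review bot: The new `devices_done` field has no comment, and nothing in this diff sets its initial value. The second hunk uses it as a bitmask keyed by index into `devices[]`, so the fix only holds if it starts at zero for every new keyboard-interactive context. The allocator for `KbdintAuthctxt` is outside the shown hunks; confirm it zero-fills the struct or assigns `devices_done = 0` explicitly. I would also document the field in place, e.g. `u_int devices_done; /* bitmask of devices[] indices already attempted */`.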
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
                if (len == 0)
                        break;
                for (i = 0; devices[i]; i++) {
-                       if (!auth2_method_allowed(authctxt,
+                       if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+                           !auth2_method_allowed(authctxt,
                            "keyboard-interactive", devices[i]->name))
                                continue;
-                       if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+                       if (strncmp(kbdintctxt->devices, devices[i]->name,
+                                   len) == 0) {
                                kbdintctxt->device = devices[i];
+                               kbdintctxt->devices_done |= 1 << i;
+                       }
                }
                t = kbdintctxt->devices;
                kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
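Review bot: `1 << i` in both the new test and the `|=` shifts a signed `int` literal into a `u_int` mask, so the per-device tracking is only well defined while `devices[]` has fewer than 32 entries. The table is presumably small in practice, but nothing visible here states or enforces that; I would write `1U << i` in both places and note the width limit beside the field or the loop. Separately, the loop does not stop at the first match and `strncmp` compares only `len` bytes, so a requested name that is a prefix of several device names would mark all of them done while only the last is selected. That errs on the restrictive side, but it deserves a one-line comment. The body of `kbdint_next_device` starts and ends outside this hunk.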