From: Matthew Dillon <dillon@apollo.backplane.com>
Date: Mon, 3 Aug 2015 01:08:56 +0000 (-0700)
Subject: ssh - Fix an openssh vulnerability
X-Git-Tag: v4.5.0~990
X-Git-Url: https://gitweb.dragonflybsd.org/~tuxillo/dragonfly.git/commitdiff_plain/c75851831d63007c4b11c7a9015a72417efd7d40

ssh - Fix an openssh vulnerability

* Note that this vulnerability cannot occur with
  DragonFly's defaults.

Security:   CVE-2015-5600
Security:   FreeBSD-SA-15:16.openssh
---

diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
index ea4eb6952f..c400f723b1 100644
--- a/crypto/openssh/auth2-chall.c
+++ b/crypto/openssh/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
 	void *ctxt;
 	KbdintDevice *device;
 	u_int nreq;
+	u_int devices_done;
 };
 
 #ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
-			if (!auth2_method_allowed(authctxt,
+			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+			if (strncmp(kbdintctxt->devices, devices[i]->name,
+				    len) == 0) {
 				kbdintctxt->device = devices[i];
+				kbdintctxt->devices_done |= 1 << i;
+			}
 		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;