Ubuntu
openssh package

Uninitialized struct field in the fix for CVE-2015-5600 causes random auth failures

Bug #1485719 reported by Benn Sundsrud
30
This bug affects 4 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Fix Released
Undecided
Marc Deslauriers
Precise
Fix Released
Undecided
Marc Deslauriers
Trusty
Fix Released
Undecided
Marc Deslauriers
Vivid
Fix Released
Undecided
Marc Deslauriers
Wily
Fix Released
Undecided
Marc Deslauriers

Bug Description

In Ubuntu 12.04, the fix for CVE-2015-5600[1] just hit upstream in package openssh-server_5.9p1-5ubuntu1.6, breaking authentication mechanisms that rely on the keyboard-interactive method. This patch introduces the field 'devices_done' to the KbdintAuthctxt struct, but does not initialize the field in the kbdint_alloc() function. On Linux, this ends up filling that field with junk data. The attached patch against adds the initialization of the `devices_done` field alongside the existing initialization code. This has also been reported upstream.

Reproducing:

Install openssh-server_5.9p1-5ubuntu1.6
Add an authentication mechanism that uses the keyboard-interactive method (like libpam-google-authenticator)
Attempt to log in via the above mechanism. Instead of consistently prompting the user for input, it will sometimes fall straight through to password auth because the devices_done bit field is initialized with garbage data.

Downgrading to openssh-server_5.9p1-5ubuntu1.4 solves the issue.

[1]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42&r2=1.43&f=h

Tags: patch

CVE References

Revision history for this message
Benn Sundsrud (benn-sundsrud) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2015-5600_initialize_struct.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Marc Deslauriers (mdeslaur)
Changed in openssh (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssh (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssh (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssh (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssh (Ubuntu Precise):
status: New → Confirmed
Changed in openssh (Ubuntu Trusty):
status: New → Confirmed
Changed in openssh (Ubuntu Vivid):
status: New → Confirmed
Changed in openssh (Ubuntu Wily):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have uploaded updated packages to fix this issue to the following PPA:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please test and see if they fix the issue in your environment. If they do, and they pass QA, I will publish them as security updates tomorrow.

Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.7p1-6ubuntu2

---------------
openssh (1:6.7p1-6ubuntu2) wily; urgency=medium

  * SECURITY REGRESSION: random auth failures because of uninitialized
    struct field (LP: #1485719)
    - debian/patches/CVE-2015-5600-2.patch: properly initialize field in
      auth2-chall.c.

 -- Marc Deslauriers <email address hidden> Mon, 17 Aug 2015 22:13:25 -0400

Changed in openssh (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Benn Sundsrud (benn-sundsrud) wrote :

That package works on my test box. Thanks Marc!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:5.9p1-5ubuntu1.7

---------------
openssh (1:5.9p1-5ubuntu1.7) precise-security; urgency=medium

  * SECURITY REGRESSION: random auth failures because of uninitialized
    struct field (LP: #1485719)
    - debian/patches/CVE-2015-5600-2.patch:

 -- Marc Deslauriers <email address hidden> Mon, 17 Aug 2015 21:53:19 -0400

Changed in openssh (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.3

---------------
openssh (1:6.6p1-2ubuntu2.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: random auth failures because of uninitialized
    struct field (LP: #1485719)
    - debian/patches/CVE-2015-5600-2.patch:

 -- Marc Deslauriers <email address hidden> Mon, 17 Aug 2015 21:52:52 -0400

Changed in openssh (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.7p1-5ubuntu1.3

---------------
openssh (1:6.7p1-5ubuntu1.3) vivid-security; urgency=medium

  * SECURITY REGRESSION: random auth failures because of uninitialized
    struct field (LP: #1485719)
    - debian/patches/CVE-2015-5600-2.patch:

 -- Marc Deslauriers <email address hidden> Mon, 17 Aug 2015 21:49:49 -0400

Changed in openssh (Ubuntu Vivid):
status: Confirmed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote :

This patch is unnecessary with OpenSSH 6.5p1 and newer, because kbdint_alloc now uses xcalloc rather than xmalloc and thus zeroes the entire structure. The regression fix was thus only needed for precise and not for later releases; I'll drop it from wily shortly when resyncing with unstable, in the cause of keeping a smaller delta against upstream.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.