[openssh/f20: 10/12] prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
plautrba
plautrba at fedoraproject.org
Thu May 15 08:38:37 UTC 2014
commit d271e022960c924903f1b81fa684da3055152d88
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Wed May 14 18:04:10 2014 +0200
prevent a server from skipping SSHFP lookup (#1081338)
CVE-2014-2653
openssh-6.4p1-CVE-2014-2653.patch | 80 +++++++++++++++++++++++++++++++++++++
openssh.spec | 4 ++
2 files changed, 84 insertions(+), 0 deletions(-)
---
diff --git a/openssh-6.4p1-CVE-2014-2653.patch b/openssh-6.4p1-CVE-2014-2653.patch
new file mode 100644
index 0000000..27f3fa3
--- /dev/null
+++ b/openssh-6.4p1-CVE-2014-2653.patch
@@ -0,0 +1,80 @@
+diff --git a/ChangeLog b/ChangeLog
+index 29d70ec..a0fb67e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++20140420
++ - djm at cvs.openbsd.org 2014/04/01 03:34:10
++ [sshconnect.c]
++ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
++ certificate keys to plain keys and attempt SSHFP resolution.
++
++ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
++ dialog by offering only certificate keys.
++
++ Reported by mcv21 AT cam.ac.uk
++
+ 20131010
+ - dtucker at cvs.openbsd.org 2013/10/08 11:42:13
+ [dh.c dh.h]
+diff --git a/sshconnect.c b/sshconnect.c
+index ddc167e..4d8c718 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1136,30 +1136,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ debug("Server host key: %s %s%s", key_type(host_key),
+ key_fingerprint_prefix(), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
++ }
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff --git a/openssh.spec b/openssh.spec
index 3e75f2c..5b78b54 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -190,6 +190,9 @@ Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
Patch906: openssh-6.4p1-fromto-remote.patch
# Try CLOCK_BOOTTIME with fallback (#1091992)
Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
+# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+# dialog by offering only certificate keys. (#1081338)
+Patch908: openssh-6.4p1-CVE-2014-2653.patch
License: BSD
@@ -416,6 +419,7 @@ popd
%patch905 -p1 -b .legacy-ssh-copy-id
%patch906 -p1 -b .fromto-remote
%patch907 -p1 -b .CLOCK_BOOTTIME
+%patch908 -p1 -b .CVE-2014-2653
%if 0
# Nothing here yet
More information about the scm-commits
mailing list