Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 29 Oct 2016 15:14:10 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r424915 - in branches/2016Q4/security/openssh-portable: . files
Message-ID:  <201610291514.u9TFEANu047547@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: feld
Date: Sat Oct 29 15:14:10 2016
New Revision: 424915
URL: https://svnweb.freebsd.org/changeset/ports/424915

Log:
  MFH: r424592
  
  Bring in upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad:
    Unregister the KEXINIT handler after message has been
    received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
    allocation of up to 128MB -- until the connection is closed. Reported by
    shilei-c at 360.cn
  
  Security:	CVE-2016-8858
  
  Approved by:	ports-secteam (with hat)

Added:
  branches/2016Q4/security/openssh-portable/files/patch-kex.c
     - copied unchanged from r424592, head/security/openssh-portable/files/patch-kex.c
Modified:
  branches/2016Q4/security/openssh-portable/Makefile
Directory Properties:
  branches/2016Q4/   (props changed)

Modified: branches/2016Q4/security/openssh-portable/Makefile
==============================================================================
--- branches/2016Q4/security/openssh-portable/Makefile	Sat Oct 29 15:01:59 2016	(r424914)
+++ branches/2016Q4/security/openssh-portable/Makefile	Sat Oct 29 15:14:10 2016	(r424915)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	7.3p1
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable

Copied: branches/2016Q4/security/openssh-portable/files/patch-kex.c (from r424592, head/security/openssh-portable/files/patch-kex.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q4/security/openssh-portable/files/patch-kex.c	Sat Oct 29 15:14:10 2016	(r424915, copy of r424592, head/security/openssh-portable/files/patch-kex.c)
@@ -0,0 +1,33 @@
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus@openbsd.org" <markus@openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git kex.c kex.c
+index 3f97f8c..6a94bc5 100644
+--- kex.c
++++ kex.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+ /*
+  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+  *
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610291514.u9TFEANu047547>