~ubuntu-branches/debian/stretch/dropbear/stretch

Viewing changes to debian/diff/0005-user-disclosure.diff

Committer: Package Import Robot
Author(s): Gerrit Pape, Matt Johnston, Gerrit Pape
Date: 2013-10-25 15:00:48 UTC
mfrom: (1.4.6)
Revision ID: package-import@ubuntu.com-20131025150048-3jq765x96xayk392

Tags: 2013.60-1

http://bugs.debian.org/692653

[ Matt Johnston ]
* New upstream release.

[ Gerrit Pape ]
* debian/diff/0004-cve-2013-4421.diff, 0005-user-disclosure.diff:
remove; fixed upstream.
* debian/dropbear.postinst: don't fail if initramfs-tools it not
installed (closes: #692653).

files added:
configure.ac

dropbearconvert.1

dropbearkey.1

files removed:
cli-algo.c

cli-service.c

configure.in

debian/diff/0004-cve-2013-4421.diff

debian/diff/0005-user-disclosure.diff

dropbearkey.8

svr-algo.c

files modified:
.hg_archival.txt

.hgsigs

.hgtags

CHANGES

LICENSE

MULTI

Makefile.in

README

agentfwd.h

algo.h

auth.h

bignum.h

buffer.c

channel.h

circbuffer.c

cli-agentfwd.c

cli-auth.c

cli-authpubkey.c

cli-chansession.c

cli-kex.c

cli-main.c

cli-runopts.c

cli-session.c

common-algo.c

common-channel.c

common-kex.c

common-runopts.c

common-session.c

compat.c

config.guess

config.h.in

config.sub

configure

dbclient.1

dbmulti.c

dbutil.c

dbutil.h

debian/changelog

debian/diff/0001-dbclient.1-dbclient-uses-compression-if-compiled-with.diff

debian/diff/0002-dropbearkey.8-mention-y-option-add-example.diff

debian/diff/0003-options.h-use-usr-bin-xauth-instead-of-usr-bin-X11-xa.diff

debian/dropbear.postinst

debian/rules

debug.h

dropbear.8

dropbearkey.c

dss.c

includes.h

kex.h

libtomcrypt/src/headers/tomcrypt_custom.h

libtommath/Makefile.in

loginrec.c

options.h

packet.c

process-packet.c

queue.c

queue.h

random.c

random.h

rsa.c

runopts.h

scp.c

scpmisc.c

service.h

session.h

signkey.c

sshpty.c

svr-auth.c

svr-authpam.c

svr-authpasswd.c

svr-authpubkeyoptions.c

svr-chansession.c

svr-kex.c

svr-main.c

svr-runopts.c

svr-session.c

svr-tcpfwd.c

svr-x11fwd.c

sysoptions.h

tcp-accept.c

tcpfwd.h

termcodes.c

Show diffs side-by-side

added added

removed removed

debian/diff/0005-user-disclosure.diff

# HG changeset patch

# User Matt Johnston <matt@ucc.asn.au>

# Date 1369564764 -28800

# Node ID d7784616409a427f3bc6eb9e0d3f8b942404fe5b

# Parent e0084f136cb88f8530928d85378b1d344d41f789

improve auth failure delays to avoid indicating which users exist

--- a/svr-auth.c 2013-10-15 23:57:41.935735500 -0400

+++ b/svr-auth.c 2013-10-16 00:05:10.343719116 -0400

@@ -110,6 +110,7 @@

unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;

unsigned int userlen, servicelen, methodlen;

+ int valid_user = 0;

TRACE(("enter recv_msg_userauth_request"))

@@ -141,6 +142,14 @@

dropbear_exit("unknown service in auth");

}

+ /* check username is good before continuing.

+ * the 'incrfail' varies depending on the auth method to

+ * avoid giving away which users exist on the system through

+ * the time delay. */

+ if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {

+ valid_user = 1;

+ }

/* user wants to know what methods are supported */

if (methodlen == AUTH_METHOD_NONE_LEN &&

strncmp(methodname, AUTH_METHOD_NONE,

@@ -149,14 +158,6 @@

send_msg_userauth_failure(0, 0);

goto out;

}

- /* check username is good before continuing */

- if (checkusername(username, userlen) == DROPBEAR_FAILURE) {

- /* username is invalid/no shell/etc - send failure */

- TRACE(("sending checkusername failure"))

- send_msg_userauth_failure(0, 1);

- goto out;

- }

#ifdef ENABLE_SVR_PASSWORD_AUTH

if (!svr_opts.noauthpass &&

@@ -165,8 +166,10 @@

if (methodlen == AUTH_METHOD_PASSWORD_LEN &&

strncmp(methodname, AUTH_METHOD_PASSWORD,

AUTH_METHOD_PASSWORD_LEN) == 0) {

- svr_auth_password();

- goto out;

+ if (valid_user) {

+ svr_auth_password();

+ goto out;

+ }

}

#endif

@@ -178,8 +181,10 @@

if (methodlen == AUTH_METHOD_PASSWORD_LEN &&

strncmp(methodname, AUTH_METHOD_PASSWORD,

AUTH_METHOD_PASSWORD_LEN) == 0) {

- svr_auth_pam();

- goto out;

+ if (valid_user) {

+ svr_auth_pam();

+ goto out;

+ }

}

#endif

@@ -189,12 +194,17 @@

if (methodlen == AUTH_METHOD_PUBKEY_LEN &&

strncmp(methodname, AUTH_METHOD_PUBKEY,

AUTH_METHOD_PUBKEY_LEN) == 0) {

- svr_auth_pubkey();

+ if (valid_user) {

+ svr_auth_pubkey();

+ } else {

+ /* pubkey has no failure delay */

+ send_msg_userauth_failure(0, 0);

+ }

goto out;

}

#endif

- /* nothing matched, we just fail */

+ /* nothing matched, we just fail with a delay */

send_msg_userauth_failure(0, 1);

out:

@@ -237,7 +247,6 @@

dropbear_log(LOG_WARNING,

"Login attempt for nonexistent user from %s",

svr_ses.addrstring);

- send_msg_userauth_failure(0, 1);

return DROPBEAR_FAILURE;

100

}

101

102

@@ -245,7 +254,6 @@

103

if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {

104

TRACE(("leave checkusername: root login disabled"))

105

dropbear_log(LOG_WARNING, "root login rejected");

106

- send_msg_userauth_failure(0, 1);

107

return DROPBEAR_FAILURE;

108

}

109

110

@@ -274,7 +282,6 @@

111

TRACE(("no matching shell"))

112

dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",

113

ses.authstate.pw_name);

114

- send_msg_userauth_failure(0, 1);

115

return DROPBEAR_FAILURE;

116

117

goodshell:

118

@@ -284,7 +291,6 @@

119

TRACE(("uid = %d", ses.authstate.pw_uid))

120

TRACE(("leave checkusername"))

121

return DROPBEAR_SUCCESS;

122

123

}

124

125

/* Send a failure message to the client, in responds to a userauth_request.

126

@@ -331,8 +337,8 @@

127

if (incrfail) {

128

unsigned int delay;

129

genrandom((unsigned char*)&delay, sizeof(delay));

130

- /* We delay for 300ms +- 50ms, 0.1ms granularity */

131

- delay = 250000 + (delay % 1000)*100;

132

+ /* We delay for 300ms +- 50ms */

133

+ delay = 250000 + (delay % 100000);

134

usleep(delay);

135

ses.authstate.failcount++;

136

}

Older »