svn commit: r43207 - in head/share: security/advisories security/patches/SA-13:14 xml
Dag-Erling Smørgrav
des at FreeBSD.org
Tue Nov 19 10:20:36 UTC 2013
Author: des
Date: Tue Nov 19 10:20:35 2013
New Revision: 43207
URL: http://svnweb.freebsd.org/changeset/doc/43207
Log:
Pre-zero the MAC context.
Security: CVE-2013-4548
Security: FreeBSD-SA-13:14.openssh
Approved by: so
Added:
head/share/security/advisories/FreeBSD-SA-13:14.openssh.asc (contents, props changed)
head/share/security/patches/SA-13:14/
head/share/security/patches/SA-13:14/openssh.patch (contents, props changed)
head/share/security/patches/SA-13:14/openssh.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-13:14.openssh.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:14.openssh.asc Tue Nov 19 10:20:35 2013 (r43207)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:14.openssh Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSH AES-GCM memory corruption vulnerability
+
+Category: contrib
+Module: openssh
+Announced: 2013-11-19
+Affects: FreeBSD 10.0-BETA
+Corrected: 2013-11-19 09:35:20 UTC (stable/10, 10.0-STABLE)
+ 2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA3-p1)
+ 2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA2-p1)
+ 2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA1-p2)
+CVE Name: CVE-2013-4548
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+AES-GCM (Galois/Counter Mode) is a mode of operation for AES block
+cipher that combines the counter mode of encryption with the Galois
+mode of authentication which can offer throughput rates for state of
+the art, high speed communication channels.
+
+OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
+
+II. Problem Description
+
+A memory corruption vulnerability exists in the post-authentication sshd
+process when an AES-GCM cipher (aes128-gcm at openssh.com or
+aes256-gcm at openssh.com) is selected during key exchange.
+
+III. Impact
+
+If exploited, this vulnerability might permit code execution with the
+privileges of the authenticated user, thereby allowing a malicious
+user with valid credentials to bypass shell or command restrictions
+placed on their account.
+
+IV. Workaround
+
+Disable AES-GCM in the server configuration. This can be accomplished by
+adding the following /etc/sshd_config option, which will disable AES-GCM
+while leaving other ciphers active:
+
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
+
+Systems not running the OpenSSH server daemon (sshd) are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the sshd daemon, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r258335
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4548>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:14.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.15 (FreeBSD)
+
+iQIcBAEBAgAGBQJSizUhAAoJEO1n7NZdz2rn6VcQALriII/5f2ipZQeOt41p5oBi
+r3qQ3uoZc705MGhld/Zz/RjmB8N+NSZUCZQP0sjaEUkksykZNQhmlbvJXB0ywDHP
+ggIpq++7r2igXMwqqj+7SEtOkQc/rP8/pDjAn0CJKDGIItgpYuqB34sEJNNuYjiM
+f/bdfXN3zU4VOiIjCjfGuOamGPXCyRdEAm9HKMVWuDqXIjBHdOxhkw2TnyrC77Vd
+IxOEYsD97XYuJF++55uHBMv+jynrlQfJF9s3+rQVGOqs14KXYJ+HeqFwxJkhIzyg
+BrxotPNcO6i5lFOiZrCcmEkf3SRh3Ok3CFFFdn9EhOTxrfGKRm/7R+WB0NKT4+ll
+sAWfhCCMHkhE/j/0L/DCGL8wD6zH1bzpFWn6efAlih4N5YXSJfGlZdkPw0zl/ZgD
+umYiwpr9PMnPtocfpV51HITNf0T+CUUHJ5bI3Do9cKZyr3yt869r2MNH6PLT0Lyl
+4YTcN6IC1K+2JXxvjry7wuJWaPUDS/Hl7Rb3vivdyFJsOF6cddCq1uoU/COXjEE7
+KF2+KXNKyCZvfPYxzaljvQjEEGZFswN21YrG4dk3JbaOEo0/+s06DJe/YDhagRgQ
+h1DtzesRuV8Mlxf0kCX5dmMEjIYX0ZtsZT7aueoSD0zGDFpiOjMQ2DQ3O9S3UhFz
+ScAFXjtFwMqy8RkwNzIp
+=Nkc2
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-13:14/openssh.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:14/openssh.patch Tue Nov 19 10:20:35 2013 (r43207)
@@ -0,0 +1,13 @@
+Index: crypto/openssh/monitor_wrap.c
+===================================================================
+--- crypto/openssh/monitor_wrap.c (revision 257864)
++++ crypto/openssh/monitor_wrap.c (working copy)
+@@ -480,7 +480,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
+ buffer_init(&b);
+ buffer_append(&b, blob, blen);
+
+- newkey = xmalloc(sizeof(*newkey));
++ newkey = xcalloc(1, sizeof(*newkey));
+ enc = &newkey->enc;
+ mac = &newkey->mac;
+ comp = &newkey->comp;
Added: head/share/security/patches/SA-13:14/openssh.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:14/openssh.patch.asc Tue Nov 19 10:20:35 2013 (r43207)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.15 (FreeBSD)
+
+iQIcBAABAgAGBQJSiy7MAAoJEO1n7NZdz2rnCrcP/2oBQZKd1oe+eyS5AG4u+kAx
+tyCBm6QDBHobyg5KoqwbfFanTQxBIFpKUN6FdIIQbmprSOHZuxeqfWT2iI7eUhym
+HOTjzCeY11jvq4VUcWK+gTz2MSZ334ZLzJDAMBLtCVpfk9a6hFYbxDippn5h2lnV
+Fe3qsr9nZBkYC9p7IoVLXS41G60SV1VgSu3WyrX0+dAPWSMgvBdZ21opwjBXm39z
+JpjXdTfCMjq+FjXugiLo7yndXiErn8MetFie5xUgLxCX5f/3dwWrM9UBDtP+KKoU
+aTSx4dCRYeB92bwgIwTWTNL4Bi/fgN1M/dNOsL4/x1qjH7juZCqikPGNwfYd8eUJ
+lonHJxoYE3CSYrXJrX5X6h3lchUi3HUv30wgalxlHzNH2Z1k/fu1Ji3M5WaUeSZO
+SwWvJONKymzrPnXJYI39t3YutblA061p6Du8xhXk94AqefYnSOYyoeQkjuIRrRVR
+JlG9WR9S1LxUvQUvhdAxY5X1spvjJCH6HthYaRndlwcMPmV2VT00sIPvtHdjVTVr
+noJrULAj5T7b8esJTxgr+nt8uhfSUYTsSHhbkiJVJjb09BdkKu2+nVFH9LiFRflZ
+YVBszcu9QvkNglVVwdfSblFWBTc9bq6fOkfURlgl63WXKwfM5a8hLDKYy/TtuXwx
+PEqlGw0i5Lp/B9hpkbW9
+=imhD
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Tue Nov 19 10:17:10 2013 (r43206)
+++ head/share/xml/advisories.xml Tue Nov 19 10:20:35 2013 (r43207)
@@ -8,6 +8,18 @@
<name>2013</name>
<month>
+ <name>11</name>
+
+ <day>
+ <name>19</name>
+
+ <advisory>
+ <name>FreeBSD-SA-13:14.openssh</name>
+ </advisory>
+ </day>
+ </month>
+
+ <month>
<name>9</name>
<day>
More information about the svn-doc-all
mailing list