From 871da95292ad21660fc01589c8ea49035638b21e Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Tue, 25 Aug 2015 20:48:51 +0000
Subject: [PATCH] Fix OpenSSH multiple vulnerabilities. [SA-15:22]

Fix insufficient check of unsupported pkg(7) signature methods.
[EN-15:15]

Approved by:	so


git-svn-id: https://svn.freebsd.org/base/releng/10.2@287145 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING                      |  7 +++++++
 crypto/openssh/monitor.c      |  6 +++---
 crypto/openssh/monitor_wrap.c |  1 -
 crypto/openssh/mux.c          |  6 ++++--
 sys/conf/newvers.sh           |  2 +-
 usr.sbin/pkg/pkg.c            | 16 ++++++++++++++--
 6 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/UPDATING b/UPDATING
index 45f4d9775..3ce3a1156 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20150825:	p2	FreeBSD-SA-15:22.openssh
+			FreeBSD-EN-15:15.pkg
+	Fix OpenSSH multiple vulnerabilities. [SA-15:22]
+
+	Fix insufficient check of unsupported pkg(7) signature methods.
+	[EN-15:15]
+
 20150818:	p1	FreeBSD-SA-15:20.expat
 			FreeBSD-EN-15:11.toolchain
 			FreeBSD-EN-15:12.netstat
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 531c4f9a8..af63490cf 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
-
 	debug3("%s", __func__);
-	authctxt->user = buffer_get_string(m, NULL);
 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
 	sshpam_authok = NULL;
 	buffer_clear(m);
@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif
 
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index 1a47e4174..b2bc8dd64 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
 
 	debug3("%s", __func__);
 	buffer_init(&m);
-	buffer_put_cstring(&m, authctxt->user);
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/crypto/openssh/mux.c b/crypto/openssh/mux.c
index f4edf5552..e8700e1f4 100644
--- a/crypto/openssh/mux.c
+++ b/crypto/openssh/mux.c
@@ -633,7 +633,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
 	u_int lport, cport;
 	int i, ret = 0, freefwd = 1;
 
-	fwd.listen_host = fwd.connect_host = NULL;
+	memset(&fwd, 0, sizeof(fwd));
+
 	if (buffer_get_int_ret(&ftype, m) != 0 ||
 	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
 	    buffer_get_int_ret(&lport, m) != 0 ||
@@ -783,7 +784,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
 	int i, listen_port, ret = 0;
 	u_int lport, cport;
 
-	fwd.listen_host = fwd.connect_host = NULL;
+	memset(&fwd, 0, sizeof(fwd));
+
 	if (buffer_get_int_ret(&ftype, m) != 0 ||
 	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
 	    buffer_get_int_ret(&lport, m) != 0 ||
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 6feea13e7..45ca709b2 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/usr.sbin/pkg/pkg.c b/usr.sbin/pkg/pkg.c
index 5ae6c19b9..e242638e0 100644
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@@ -767,7 +767,13 @@ bootstrap_pkg(bool force)
 		goto fetchfail;
 
 	if (signature_type != NULL &&
-	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+	    strcasecmp(signature_type, "NONE") != 0) {
+		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
+			goto cleanup;
+		}
+
 		snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
 		    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
 		snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
@@ -855,7 +861,13 @@ bootstrap_pkg_local(const char *pkgpath, bool force)
 		goto cleanup;
 	}
 	if (signature_type != NULL &&
-	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+	    strcasecmp(signature_type, "NONE") != 0) {
+		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
+			goto cleanup;
+		}
+
 		snprintf(path, sizeof(path), "%s.sig", pkgpath);
 
 		if ((fd_sig = open(path, O_RDONLY)) == -1) {
-- 
2.42.0