Bug 1673802
Summary: | CVE-2019-7639 gsi-openssh: enabling PermitPAMUserChange allows to login with the correct username and wrong password [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | viraniac |
Component: | gsi-openssh | Assignee: | Mattias Ellert <mattias.ellert> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 29 | CC: | agk, mattias.ellert, msiddiqu, omarandemad |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | gsi-openssh-7.9p1-5.fc30 gsi-openssh-7.8p1-3.fc28 gsi-openssh-7.9p1-5.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-02-18 01:26:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1674453 |
Description
viraniac
2019-02-08 07:52:43 UTC
I have posted a request for CVE and have got the following id for the same. CVE-2019-7639 I went through the code of openssh-7.9p1-gsissh.patch I found the following code at line 511 sshpam_err = pam_authenticate(sshpam_handle, flags); + if (options.permit_pam_user_change) { + sshpam_check_userchanged(); + } and then I saw the definition of sshpam_check_userchanged() function and I noticed that its also using the same variable "sshpam_err" to check if the user that we want to map to exists. But because of that, it changes sshpam_err to say that the operation was a success. The code present on line 515 onward interpret it as authentication was successful and user ends up logging into the system with incorrect password. gsi-openssh-7.9p1-5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-af3d726d38 gsi-openssh-7.8p1-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-710afd062a + not affected - affected + gsi-openssh-7.7p1-5.fc28 - gsi-openssh-7.8p1-1.fc28 - gsi-openssh-7.8p1-2.fc28 + gsi-openssh-7.8p1-3.fc28 + gsi-openssh-7.7p1-5.fc29 - gsi-openssh-7.9p1-1.fc29 - gsi-openssh-7.9p1-2.fc29 - gsi-openssh-7.9p1-3.fc29 - gsi-openssh-7.9p1-4.fc29 + gsi-openssh-7.9p1-5.fc29 + gsi-openssh-7.7p1-5.fc30 - gsi-openssh-7.9p1-1.fc30 - gsi-openssh-7.9p1-2.fc30 - gsi-openssh-7.9p1-2.fc30.1 - gsi-openssh-7.9p1-3.fc30- - gsi-openssh-7.9p1-3.fc30.1 - gsi-openssh-7.9p1-4.fc30 + gsi-openssh-7.9p1-5.fc30 gsi-openssh-7.8p1-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-710afd062a gsi-openssh-7.9p1-5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-af3d726d38 gsi-openssh-7.8p1-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. gsi-openssh-7.9p1-5.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |