diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2019-04-29 14:26:36 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-04-30 12:05:23 +0100 |
commit | e0a6bdaa64ab8c8dd7ba583d1f9c7f73396f2331 (patch) | |
tree | e7242cc889c8a6e29fd701ff4eafff31c0d712c9 | |
parent | 71a546aaf3a7da8487a90f20ac211dd31d852d85 (diff) | |
download | poky-e0a6bdaa64ab8c8dd7ba583d1f9c7f73396f2331.tar.gz |
openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Also backport a patch to fix issues introduced by fix for CVE-2019-6109.
(From OE-Core rev: 31b7485d8377c1c535d1878220bbc1d49dc5f13e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
5 files changed, 627 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch new file mode 100644 index 0000000000..2fb57da635 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 5df934e2279e8ed1f07b990f4b2b3baf6470f7e5 Mon Sep 17 00:00:00 2001 | ||
2 | From: "dtucker@openbsd.org" <dtucker@openbsd.org> | ||
3 | Date: Thu, 24 Jan 2019 16:52:17 +0000 | ||
4 | Subject: [PATCH] upstream: Have progressmeter force an update at the beginning | ||
5 | and | ||
6 | |||
7 | end of each transfer. Fixes the problem recently introduces where very quick | ||
8 | transfers do not display the progressmeter at all. Spotted by naddy@ | ||
9 | |||
10 | OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a | ||
11 | Ustream-Status: Backport | ||
12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
13 | --- | ||
14 | progressmeter.c | 13 +++++-------- | ||
15 | progressmeter.h | 4 ++-- | ||
16 | scp.c | 2 +- | ||
17 | sftp-client.c | 2 +- | ||
18 | 4 files changed, 9 insertions(+), 12 deletions(-) | ||
19 | |||
20 | diff --git a/progressmeter.c b/progressmeter.c | ||
21 | index add462d..e385c12 100644 | ||
22 | --- a/progressmeter.c | ||
23 | +++ b/progressmeter.c | ||
24 | @@ -1,4 +1,4 @@ | ||
25 | -/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */ | ||
26 | +/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */ | ||
27 | /* | ||
28 | * Copyright (c) 2003 Nils Nordman. All rights reserved. | ||
29 | * | ||
30 | @@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t); | ||
31 | static void sig_winch(int); | ||
32 | static void setscreensize(void); | ||
33 | |||
34 | -/* updates the progressmeter to reflect the current state of the transfer */ | ||
35 | -void refresh_progress_meter(void); | ||
36 | - | ||
37 | /* signal handler for updating the progress meter */ | ||
38 | static void sig_alarm(int); | ||
39 | |||
40 | @@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes) | ||
41 | } | ||
42 | |||
43 | void | ||
44 | -refresh_progress_meter(void) | ||
45 | +refresh_progress_meter(int force_update) | ||
46 | { | ||
47 | char buf[MAX_WINSIZE + 1]; | ||
48 | off_t transferred; | ||
49 | @@ -131,7 +128,7 @@ refresh_progress_meter(void) | ||
50 | int hours, minutes, seconds; | ||
51 | int file_len; | ||
52 | |||
53 | - if ((!alarm_fired && !win_resized) || !can_output()) | ||
54 | + if ((!force_update && !alarm_fired && !win_resized) || !can_output()) | ||
55 | return; | ||
56 | alarm_fired = 0; | ||
57 | |||
58 | @@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr) | ||
59 | bytes_per_second = 0; | ||
60 | |||
61 | setscreensize(); | ||
62 | - refresh_progress_meter(); | ||
63 | + refresh_progress_meter(1); | ||
64 | |||
65 | signal(SIGALRM, sig_alarm); | ||
66 | signal(SIGWINCH, sig_winch); | ||
67 | @@ -271,7 +268,7 @@ stop_progress_meter(void) | ||
68 | |||
69 | /* Ensure we complete the progress */ | ||
70 | if (cur_pos != end_pos) | ||
71 | - refresh_progress_meter(); | ||
72 | + refresh_progress_meter(1); | ||
73 | |||
74 | atomicio(vwrite, STDOUT_FILENO, "\n", 1); | ||
75 | } | ||
76 | diff --git a/progressmeter.h b/progressmeter.h | ||
77 | index 8f66780..1703ea7 100644 | ||
78 | --- a/progressmeter.h | ||
79 | +++ b/progressmeter.h | ||
80 | @@ -1,4 +1,4 @@ | ||
81 | -/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */ | ||
82 | +/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */ | ||
83 | /* | ||
84 | * Copyright (c) 2002 Nils Nordman. All rights reserved. | ||
85 | * | ||
86 | @@ -24,5 +24,5 @@ | ||
87 | */ | ||
88 | |||
89 | void start_progress_meter(const char *, off_t, off_t *); | ||
90 | -void refresh_progress_meter(void); | ||
91 | +void refresh_progress_meter(int); | ||
92 | void stop_progress_meter(void); | ||
93 | diff --git a/scp.c b/scp.c | ||
94 | index 4a342a6..0587cec 100644 | ||
95 | --- a/scp.c | ||
96 | +++ b/scp.c | ||
97 | @@ -585,7 +585,7 @@ scpio(void *_cnt, size_t s) | ||
98 | off_t *cnt = (off_t *)_cnt; | ||
99 | |||
100 | *cnt += s; | ||
101 | - refresh_progress_meter(); | ||
102 | + refresh_progress_meter(0); | ||
103 | if (limit_kbps > 0) | ||
104 | bandwidth_limit(&bwlimit, s); | ||
105 | return 0; | ||
106 | diff --git a/sftp-client.c b/sftp-client.c | ||
107 | index 2bc698f..cf2887a 100644 | ||
108 | --- a/sftp-client.c | ||
109 | +++ b/sftp-client.c | ||
110 | @@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount) | ||
111 | { | ||
112 | struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; | ||
113 | |||
114 | - refresh_progress_meter(); | ||
115 | + refresh_progress_meter(0); | ||
116 | if (bwlimit != NULL) | ||
117 | bandwidth_limit(bwlimit, amount); | ||
118 | return 0; | ||
119 | -- | ||
120 | 2.7.4 | ||
121 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch new file mode 100644 index 0000000000..e2fc607ff8 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Fri, 16 Nov 2018 03:03:10 +0000 | ||
4 | Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer | ||
5 | to the | ||
6 | |||
7 | current directory; based on report/patch from Harry Sintonen | ||
8 | |||
9 | OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 | ||
10 | |||
11 | CVE: CVE-2018-20685 | ||
12 | Ustream-Status: Backport | ||
13 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
14 | --- | ||
15 | scp.c | 5 +++-- | ||
16 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/scp.c b/scp.c | ||
19 | index 60682c6..4f3fdcd 100644 | ||
20 | --- a/scp.c | ||
21 | +++ b/scp.c | ||
22 | @@ -1,4 +1,4 @@ | ||
23 | -/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */ | ||
24 | +/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */ | ||
25 | /* | ||
26 | * scp - secure remote copy. This is basically patched BSD rcp which | ||
27 | * uses ssh to do the data transfer (instead of using rcmd). | ||
28 | @@ -1106,7 +1106,8 @@ sink(int argc, char **argv) | ||
29 | SCREWUP("size out of range"); | ||
30 | size = (off_t)ull; | ||
31 | |||
32 | - if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { | ||
33 | + if (*cp == '\0' || strchr(cp, '/') != NULL || | ||
34 | + strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { | ||
35 | run_err("error: unexpected filename: %s", cp); | ||
36 | exit(1); | ||
37 | } | ||
38 | -- | ||
39 | 2.7.4 | ||
40 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch new file mode 100644 index 0000000000..dabe4a6c97 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch | |||
@@ -0,0 +1,275 @@ | |||
1 | From 15d47c3bd8551521240bc459fc004c280daef817 Mon Sep 17 00:00:00 2001 | ||
2 | From: "dtucker@openbsd.org" <dtucker@openbsd.org> | ||
3 | Date: Wed, 23 Jan 2019 08:01:46 +0000 | ||
4 | Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we | ||
5 | move | ||
6 | |||
7 | the progressmeter formatting outside of signal handler context and have the | ||
8 | atomicio callback called for EINTR too. bz#2434 with contributions from djm | ||
9 | and jjelen at redhat.com, ok djm@ | ||
10 | |||
11 | OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8 | ||
12 | CVE: CVE-2019-6109 | ||
13 | Upstream-Status: Backport | ||
14 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
15 | --- | ||
16 | atomicio.c | 20 +++++++++++++++----- | ||
17 | progressmeter.c | 53 ++++++++++++++++++++++++----------------------------- | ||
18 | progressmeter.h | 3 ++- | ||
19 | scp.c | 1 + | ||
20 | sftp-client.c | 16 +++++++++------- | ||
21 | 5 files changed, 51 insertions(+), 42 deletions(-) | ||
22 | |||
23 | diff --git a/atomicio.c b/atomicio.c | ||
24 | index f854a06..d91bd76 100644 | ||
25 | --- a/atomicio.c | ||
26 | +++ b/atomicio.c | ||
27 | @@ -1,4 +1,4 @@ | ||
28 | -/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */ | ||
29 | +/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */ | ||
30 | /* | ||
31 | * Copyright (c) 2006 Damien Miller. All rights reserved. | ||
32 | * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. | ||
33 | @@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, | ||
34 | res = (f) (fd, s + pos, n - pos); | ||
35 | switch (res) { | ||
36 | case -1: | ||
37 | - if (errno == EINTR) | ||
38 | + if (errno == EINTR) { | ||
39 | + /* possible SIGALARM, update callback */ | ||
40 | + if (cb != NULL && cb(cb_arg, 0) == -1) { | ||
41 | + errno = EINTR; | ||
42 | + return pos; | ||
43 | + } | ||
44 | continue; | ||
45 | - if (errno == EAGAIN || errno == EWOULDBLOCK) { | ||
46 | + } else if (errno == EAGAIN || errno == EWOULDBLOCK) { | ||
47 | #ifndef BROKEN_READ_COMPARISON | ||
48 | (void)poll(&pfd, 1, -1); | ||
49 | #endif | ||
50 | @@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd, | ||
51 | res = (f) (fd, iov, iovcnt); | ||
52 | switch (res) { | ||
53 | case -1: | ||
54 | - if (errno == EINTR) | ||
55 | + if (errno == EINTR) { | ||
56 | + /* possible SIGALARM, update callback */ | ||
57 | + if (cb != NULL && cb(cb_arg, 0) == -1) { | ||
58 | + errno = EINTR; | ||
59 | + return pos; | ||
60 | + } | ||
61 | continue; | ||
62 | - if (errno == EAGAIN || errno == EWOULDBLOCK) { | ||
63 | + } else if (errno == EAGAIN || errno == EWOULDBLOCK) { | ||
64 | #ifndef BROKEN_READV_COMPARISON | ||
65 | (void)poll(&pfd, 1, -1); | ||
66 | #endif | ||
67 | diff --git a/progressmeter.c b/progressmeter.c | ||
68 | index fe9bf52..add462d 100644 | ||
69 | --- a/progressmeter.c | ||
70 | +++ b/progressmeter.c | ||
71 | @@ -1,4 +1,4 @@ | ||
72 | -/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */ | ||
73 | +/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */ | ||
74 | /* | ||
75 | * Copyright (c) 2003 Nils Nordman. All rights reserved. | ||
76 | * | ||
77 | @@ -31,6 +31,7 @@ | ||
78 | |||
79 | #include <errno.h> | ||
80 | #include <signal.h> | ||
81 | +#include <stdarg.h> | ||
82 | #include <stdio.h> | ||
83 | #include <string.h> | ||
84 | #include <time.h> | ||
85 | @@ -39,6 +40,7 @@ | ||
86 | #include "progressmeter.h" | ||
87 | #include "atomicio.h" | ||
88 | #include "misc.h" | ||
89 | +#include "utf8.h" | ||
90 | |||
91 | #define DEFAULT_WINSIZE 80 | ||
92 | #define MAX_WINSIZE 512 | ||
93 | @@ -61,7 +63,7 @@ static void setscreensize(void); | ||
94 | void refresh_progress_meter(void); | ||
95 | |||
96 | /* signal handler for updating the progress meter */ | ||
97 | -static void update_progress_meter(int); | ||
98 | +static void sig_alarm(int); | ||
99 | |||
100 | static double start; /* start progress */ | ||
101 | static double last_update; /* last progress update */ | ||
102 | @@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */ | ||
103 | static int bytes_per_second; /* current speed in bytes per second */ | ||
104 | static int win_size; /* terminal window size */ | ||
105 | static volatile sig_atomic_t win_resized; /* for window resizing */ | ||
106 | +static volatile sig_atomic_t alarm_fired; | ||
107 | |||
108 | /* units for format_size */ | ||
109 | static const char unit[] = " KMGT"; | ||
110 | @@ -126,9 +129,17 @@ refresh_progress_meter(void) | ||
111 | off_t bytes_left; | ||
112 | int cur_speed; | ||
113 | int hours, minutes, seconds; | ||
114 | - int i, len; | ||
115 | int file_len; | ||
116 | |||
117 | + if ((!alarm_fired && !win_resized) || !can_output()) | ||
118 | + return; | ||
119 | + alarm_fired = 0; | ||
120 | + | ||
121 | + if (win_resized) { | ||
122 | + setscreensize(); | ||
123 | + win_resized = 0; | ||
124 | + } | ||
125 | + | ||
126 | transferred = *counter - (cur_pos ? cur_pos : start_pos); | ||
127 | cur_pos = *counter; | ||
128 | now = monotime_double(); | ||
129 | @@ -158,16 +169,11 @@ refresh_progress_meter(void) | ||
130 | |||
131 | /* filename */ | ||
132 | buf[0] = '\0'; | ||
133 | - file_len = win_size - 35; | ||
134 | + file_len = win_size - 36; | ||
135 | if (file_len > 0) { | ||
136 | - len = snprintf(buf, file_len + 1, "\r%s", file); | ||
137 | - if (len < 0) | ||
138 | - len = 0; | ||
139 | - if (len >= file_len + 1) | ||
140 | - len = file_len; | ||
141 | - for (i = len; i < file_len; i++) | ||
142 | - buf[i] = ' '; | ||
143 | - buf[file_len] = '\0'; | ||
144 | + buf[0] = '\r'; | ||
145 | + snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s", | ||
146 | + file_len * -1, file); | ||
147 | } | ||
148 | |||
149 | /* percent of transfer done */ | ||
150 | @@ -228,22 +234,11 @@ refresh_progress_meter(void) | ||
151 | |||
152 | /*ARGSUSED*/ | ||
153 | static void | ||
154 | -update_progress_meter(int ignore) | ||
155 | +sig_alarm(int ignore) | ||
156 | { | ||
157 | - int save_errno; | ||
158 | - | ||
159 | - save_errno = errno; | ||
160 | - | ||
161 | - if (win_resized) { | ||
162 | - setscreensize(); | ||
163 | - win_resized = 0; | ||
164 | - } | ||
165 | - if (can_output()) | ||
166 | - refresh_progress_meter(); | ||
167 | - | ||
168 | - signal(SIGALRM, update_progress_meter); | ||
169 | + signal(SIGALRM, sig_alarm); | ||
170 | + alarm_fired = 1; | ||
171 | alarm(UPDATE_INTERVAL); | ||
172 | - errno = save_errno; | ||
173 | } | ||
174 | |||
175 | void | ||
176 | @@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr) | ||
177 | bytes_per_second = 0; | ||
178 | |||
179 | setscreensize(); | ||
180 | - if (can_output()) | ||
181 | - refresh_progress_meter(); | ||
182 | + refresh_progress_meter(); | ||
183 | |||
184 | - signal(SIGALRM, update_progress_meter); | ||
185 | + signal(SIGALRM, sig_alarm); | ||
186 | signal(SIGWINCH, sig_winch); | ||
187 | alarm(UPDATE_INTERVAL); | ||
188 | } | ||
189 | @@ -286,6 +280,7 @@ stop_progress_meter(void) | ||
190 | static void | ||
191 | sig_winch(int sig) | ||
192 | { | ||
193 | + signal(SIGWINCH, sig_winch); | ||
194 | win_resized = 1; | ||
195 | } | ||
196 | |||
197 | diff --git a/progressmeter.h b/progressmeter.h | ||
198 | index bf179dc..8f66780 100644 | ||
199 | --- a/progressmeter.h | ||
200 | +++ b/progressmeter.h | ||
201 | @@ -1,4 +1,4 @@ | ||
202 | -/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */ | ||
203 | +/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */ | ||
204 | /* | ||
205 | * Copyright (c) 2002 Nils Nordman. All rights reserved. | ||
206 | * | ||
207 | @@ -24,4 +24,5 @@ | ||
208 | */ | ||
209 | |||
210 | void start_progress_meter(const char *, off_t, off_t *); | ||
211 | +void refresh_progress_meter(void); | ||
212 | void stop_progress_meter(void); | ||
213 | diff --git a/scp.c b/scp.c | ||
214 | index 4f3fdcd..4a342a6 100644 | ||
215 | --- a/scp.c | ||
216 | +++ b/scp.c | ||
217 | @@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s) | ||
218 | off_t *cnt = (off_t *)_cnt; | ||
219 | |||
220 | *cnt += s; | ||
221 | + refresh_progress_meter(); | ||
222 | if (limit_kbps > 0) | ||
223 | bandwidth_limit(&bwlimit, s); | ||
224 | return 0; | ||
225 | diff --git a/sftp-client.c b/sftp-client.c | ||
226 | index 4986d6d..2bc698f 100644 | ||
227 | --- a/sftp-client.c | ||
228 | +++ b/sftp-client.c | ||
229 | @@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount) | ||
230 | { | ||
231 | struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; | ||
232 | |||
233 | - bandwidth_limit(bwlimit, amount); | ||
234 | + refresh_progress_meter(); | ||
235 | + if (bwlimit != NULL) | ||
236 | + bandwidth_limit(bwlimit, amount); | ||
237 | return 0; | ||
238 | } | ||
239 | |||
240 | @@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m) | ||
241 | iov[1].iov_base = (u_char *)sshbuf_ptr(m); | ||
242 | iov[1].iov_len = sshbuf_len(m); | ||
243 | |||
244 | - if (atomiciov6(writev, conn->fd_out, iov, 2, | ||
245 | - conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != | ||
246 | + if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio, | ||
247 | + conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) != | ||
248 | sshbuf_len(m) + sizeof(mlen)) | ||
249 | fatal("Couldn't send packet: %s", strerror(errno)); | ||
250 | |||
251 | @@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial) | ||
252 | |||
253 | if ((r = sshbuf_reserve(m, 4, &p)) != 0) | ||
254 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
255 | - if (atomicio6(read, conn->fd_in, p, 4, | ||
256 | - conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) { | ||
257 | + if (atomicio6(read, conn->fd_in, p, 4, sftpio, | ||
258 | + conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) { | ||
259 | if (errno == EPIPE || errno == ECONNRESET) | ||
260 | fatal("Connection closed"); | ||
261 | else | ||
262 | @@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial) | ||
263 | |||
264 | if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) | ||
265 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
266 | - if (atomicio6(read, conn->fd_in, p, msg_len, | ||
267 | - conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) | ||
268 | + if (atomicio6(read, conn->fd_in, p, msg_len, sftpio, | ||
269 | + conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) | ||
270 | != msg_len) { | ||
271 | if (errno == EPIPE) | ||
272 | fatal("Connection closed"); | ||
273 | -- | ||
274 | 2.7.4 | ||
275 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch new file mode 100644 index 0000000000..80cf39b923 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch | |||
@@ -0,0 +1,187 @@ | |||
1 | From 15cc3497367d2e9729353b3df75518548e845c82 Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Sat, 26 Jan 2019 22:41:28 +0000 | ||
4 | Subject: [PATCH] upstream: check in scp client that filenames sent during | ||
5 | |||
6 | remote->local directory copies satisfy the wildcard specified by the user. | ||
7 | |||
8 | This checking provides some protection against a malicious server | ||
9 | sending unexpected filenames, but it comes at a risk of rejecting wanted | ||
10 | files due to differences between client and server wildcard expansion rules. | ||
11 | |||
12 | For this reason, this also adds a new -T flag to disable the check. | ||
13 | |||
14 | reported by Harry Sintonen | ||
15 | fix approach suggested by markus@; | ||
16 | has been in snaps for ~1wk courtesy deraadt@ | ||
17 | |||
18 | OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda | ||
19 | |||
20 | CVE: CVE-2019-6111 | ||
21 | Ustream-Status: Backport | ||
22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
23 | --- | ||
24 | scp.1 | 12 +++++++++++- | ||
25 | scp.c | 37 +++++++++++++++++++++++++++++-------- | ||
26 | 2 files changed, 40 insertions(+), 9 deletions(-) | ||
27 | |||
28 | diff --git a/scp.1 b/scp.1 | ||
29 | index 0e5cc1b..397e770 100644 | ||
30 | --- a/scp.1 | ||
31 | +++ b/scp.1 | ||
32 | @@ -18,7 +18,7 @@ | ||
33 | .Nd secure copy (remote file copy program) | ||
34 | .Sh SYNOPSIS | ||
35 | .Nm scp | ||
36 | -.Op Fl 346BCpqrv | ||
37 | +.Op Fl 346BCpqrTv | ||
38 | .Op Fl c Ar cipher | ||
39 | .Op Fl F Ar ssh_config | ||
40 | .Op Fl i Ar identity_file | ||
41 | @@ -208,6 +208,16 @@ to use for the encrypted connection. | ||
42 | The program must understand | ||
43 | .Xr ssh 1 | ||
44 | options. | ||
45 | +.It Fl T | ||
46 | +Disable strict filename checking. | ||
47 | +By default when copying files from a remote host to a local directory | ||
48 | +.Nm | ||
49 | +checks that the received filenames match those requested on the command-line | ||
50 | +to prevent the remote end from sending unexpected or unwanted files. | ||
51 | +Because of differences in how various operating systems and shells interpret | ||
52 | +filename wildcards, these checks may cause wanted files to be rejected. | ||
53 | +This option disables these checks at the expense of fully trusting that | ||
54 | +the server will not send unexpected filenames. | ||
55 | .It Fl v | ||
56 | Verbose mode. | ||
57 | Causes | ||
58 | diff --git a/scp.c b/scp.c | ||
59 | index 0587cec..b2d331e 100644 | ||
60 | --- a/scp.c | ||
61 | +++ b/scp.c | ||
62 | @@ -94,6 +94,7 @@ | ||
63 | #include <dirent.h> | ||
64 | #include <errno.h> | ||
65 | #include <fcntl.h> | ||
66 | +#include <fnmatch.h> | ||
67 | #include <limits.h> | ||
68 | #include <locale.h> | ||
69 | #include <pwd.h> | ||
70 | @@ -375,14 +376,14 @@ void verifydir(char *); | ||
71 | struct passwd *pwd; | ||
72 | uid_t userid; | ||
73 | int errs, remin, remout; | ||
74 | -int pflag, iamremote, iamrecursive, targetshouldbedirectory; | ||
75 | +int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory; | ||
76 | |||
77 | #define CMDNEEDS 64 | ||
78 | char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ | ||
79 | |||
80 | int response(void); | ||
81 | void rsource(char *, struct stat *); | ||
82 | -void sink(int, char *[]); | ||
83 | +void sink(int, char *[], const char *); | ||
84 | void source(int, char *[]); | ||
85 | void tolocal(int, char *[]); | ||
86 | void toremote(int, char *[]); | ||
87 | @@ -421,8 +422,9 @@ main(int argc, char **argv) | ||
88 | addargs(&args, "-oRemoteCommand=none"); | ||
89 | addargs(&args, "-oRequestTTY=no"); | ||
90 | |||
91 | - fflag = tflag = 0; | ||
92 | - while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1) | ||
93 | + fflag = Tflag = tflag = 0; | ||
94 | + while ((ch = getopt(argc, argv, | ||
95 | + "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) { | ||
96 | switch (ch) { | ||
97 | /* User-visible flags. */ | ||
98 | case '1': | ||
99 | @@ -501,9 +503,13 @@ main(int argc, char **argv) | ||
100 | setmode(0, O_BINARY); | ||
101 | #endif | ||
102 | break; | ||
103 | + case 'T': | ||
104 | + Tflag = 1; | ||
105 | + break; | ||
106 | default: | ||
107 | usage(); | ||
108 | } | ||
109 | + } | ||
110 | argc -= optind; | ||
111 | argv += optind; | ||
112 | |||
113 | @@ -534,7 +540,7 @@ main(int argc, char **argv) | ||
114 | } | ||
115 | if (tflag) { | ||
116 | /* Receive data. */ | ||
117 | - sink(argc, argv); | ||
118 | + sink(argc, argv, NULL); | ||
119 | exit(errs != 0); | ||
120 | } | ||
121 | if (argc < 2) | ||
122 | @@ -792,7 +798,7 @@ tolocal(int argc, char **argv) | ||
123 | continue; | ||
124 | } | ||
125 | free(bp); | ||
126 | - sink(1, argv + argc - 1); | ||
127 | + sink(1, argv + argc - 1, src); | ||
128 | (void) close(remin); | ||
129 | remin = remout = -1; | ||
130 | } | ||
131 | @@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp) | ||
132 | (sizeof(type) != 4 && sizeof(type) != 8)) | ||
133 | |||
134 | void | ||
135 | -sink(int argc, char **argv) | ||
136 | +sink(int argc, char **argv, const char *src) | ||
137 | { | ||
138 | static BUF buffer; | ||
139 | struct stat stb; | ||
140 | @@ -984,6 +990,7 @@ sink(int argc, char **argv) | ||
141 | unsigned long long ull; | ||
142 | int setimes, targisdir, wrerrno = 0; | ||
143 | char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; | ||
144 | + char *src_copy = NULL, *restrict_pattern = NULL; | ||
145 | struct timeval tv[2]; | ||
146 | |||
147 | #define atime tv[0] | ||
148 | @@ -1008,6 +1015,17 @@ sink(int argc, char **argv) | ||
149 | (void) atomicio(vwrite, remout, "", 1); | ||
150 | if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode)) | ||
151 | targisdir = 1; | ||
152 | + if (src != NULL && !iamrecursive && !Tflag) { | ||
153 | + /* | ||
154 | + * Prepare to try to restrict incoming filenames to match | ||
155 | + * the requested destination file glob. | ||
156 | + */ | ||
157 | + if ((src_copy = strdup(src)) == NULL) | ||
158 | + fatal("strdup failed"); | ||
159 | + if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) { | ||
160 | + *restrict_pattern++ = '\0'; | ||
161 | + } | ||
162 | + } | ||
163 | for (first = 1;; first = 0) { | ||
164 | cp = buf; | ||
165 | if (atomicio(read, remin, cp, 1) != 1) | ||
166 | @@ -1112,6 +1130,9 @@ sink(int argc, char **argv) | ||
167 | run_err("error: unexpected filename: %s", cp); | ||
168 | exit(1); | ||
169 | } | ||
170 | + if (restrict_pattern != NULL && | ||
171 | + fnmatch(restrict_pattern, cp, 0) != 0) | ||
172 | + SCREWUP("filename does not match request"); | ||
173 | if (targisdir) { | ||
174 | static char *namebuf; | ||
175 | static size_t cursize; | ||
176 | @@ -1149,7 +1170,7 @@ sink(int argc, char **argv) | ||
177 | goto bad; | ||
178 | } | ||
179 | vect[0] = xstrdup(np); | ||
180 | - sink(1, vect); | ||
181 | + sink(1, vect, src); | ||
182 | if (setimes) { | ||
183 | setimes = 0; | ||
184 | if (utimes(vect[0], tv) < 0) | ||
185 | -- | ||
186 | 2.7.4 | ||
187 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_7.9p1.bb b/meta/recipes-connectivity/openssh/openssh_7.9p1.bb index 6260135d5b..b971b2b1e8 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.9p1.bb | |||
@@ -24,6 +24,10 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ | 24 | file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ |
25 | file://sshd_check_keys \ | 25 | file://sshd_check_keys \ |
26 | file://add-test-support-for-busybox.patch \ | 26 | file://add-test-support-for-busybox.patch \ |
27 | file://CVE-2018-20685.patch \ | ||
28 | file://CVE-2019-6109.patch \ | ||
29 | file://0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch \ | ||
30 | file://CVE-2019-6111.patch \ | ||
27 | " | 31 | " |
28 | SRC_URI[md5sum] = "c6af50b7a474d04726a5aa747a5dce8f" | 32 | SRC_URI[md5sum] = "c6af50b7a474d04726a5aa747a5dce8f" |
29 | SRC_URI[sha256sum] = "6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad" | 33 | SRC_URI[sha256sum] = "6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad" |