openssh: CVE-2011-4327

A security flaw was found in the way ssh-keysign, a ssh helper program for host based authentication, attempted to retrieve enough entropy information on configurations that lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would be executed to retrieve the entropy from the system environment). A local attacker could use this flaw to obtain unauthorized access to host keys via ptrace(2) process trace attached to the 'ssh-rand-helper' program. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 http://www.openssh.com/txt/portable-keysign-rand-helper.adv [YOCTO #3493] (From OE-Core rev: bdce08215396e5ab99ada5fa0f62c3b002a44582) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Wang <li.wang@windriver.com> 2012-11-27 14:13:21 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2012-11-28 07:41:26 +0000
commit: b629d940304ec65c2d799e0aa44d03562a784bd6 (patch)
tree: 2832168b5944ceb31705266a585841283ff6e57f /meta/recipes-connectivity/openssh/openssh-6.0p1
parent: 8d1aed5dd236a82da9caae6c486c5165cd877d85 (diff)
download: poky-b629d940304ec65c2d799e0aa44d03562a784bd6.tar.gz
1 files changed, 27 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
new file mode 100644
index 0000000000..8489edcc82
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
@@ -0,0 +1,27 @@
+openssh-CVE-2011-4327
+A security flaw was found in the way ssh-keysign,
+a ssh helper program for host based authentication,
+attempted to retrieve enough entropy information on configurations that
+lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
+be executed to retrieve the entropy from the system environment).
+A local attacker could use this flaw to obtain unauthorized access to host keys
+via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
+http://www.openssh.com/txt/portable-keysign-rand-helper.adv
+Signed-off-by: Li Wang <li.wang@windriver.com>
+--- a/ssh-keysign.c
+++ b/ssh-keysign.c
+@@ -170,6 +170,10 @@
+        key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+        key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+        key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+       if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
+           fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
+           fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
+               fatal("fcntl failed");
+ 
+        original_real_uid = getuid();   /* XXX readconf.c needs this */
+        if ((pw = getpwuid(original_real_uid)) == NULL)
author	Li Wang <li.wang@windriver.com>	2012-11-27 14:13:21 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2012-11-28 07:41:26 +0000
commit	b629d940304ec65c2d799e0aa44d03562a784bd6 (patch)
tree	2832168b5944ceb31705266a585841283ff6e57f /meta/recipes-connectivity/openssh/openssh-6.0p1
parent	8d1aed5dd236a82da9caae6c486c5165cd877d85 (diff)
download	poky-b629d940304ec65c2d799e0aa44d03562a784bd6.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch new file mode 100644 index 0000000000..8489edcc82 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
@@ -0,0 +1,27 @@
	1	openssh-CVE-2011-4327
	2
	3	A security flaw was found in the way ssh-keysign,
	4	a ssh helper program for host based authentication,
	5	attempted to retrieve enough entropy information on configurations that
	6	lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
	7	be executed to retrieve the entropy from the system environment).
	8	A local attacker could use this flaw to obtain unauthorized access to host keys
	9	via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
	10
	11	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
	12	http://www.openssh.com/txt/portable-keysign-rand-helper.adv
	13
	14	Signed-off-by: Li Wang <li.wang@windriver.com>
	15	--- a/ssh-keysign.c
	16	+++ b/ssh-keysign.c
	17	@@ -170,6 +170,10 @@
	18	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
	19	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
	20	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
	21	+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 \|\|
	22	+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 \|\|
	23	+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
	24	+ fatal("fcntl failed");
	25
	26	original_real_uid = getuid(); /* XXX readconf.c needs this */
	27	if ((pw = getpwuid(original_real_uid)) == NULL)