initial commit for Enea Linux 5.0 arm

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-10-09 22:59:03 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-10-09 22:59:03 +0200
commit: 972dcfcdbfe75dcfeb777150c136576cf1a71e99 (patch)
tree: 97a61cd7e293d7ae9d56ef7ed0f81253365bb026 /meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
download: poky-972dcfcdbfe75dcfeb777150c136576cf1a71e99.tar.gz
1 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
new file mode 100644
index 0000000000..674d186044
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
@@ -0,0 +1,114 @@
+Upstream-Status: Backport
+This CVE could be removed if openssh is upgrade to 6.6 or higher.
+Below are some details.
+Attempt SSHFP lookup even if server presents a certificate
+Reference:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+This patch means that the ssh client will, if necessary, extract the
+server key from the proffered certificate, and attempt to verify it
+against the DNS. The patch was written by Mark Wooding
+<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
+it, and tested it.
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+--- a/sshconnect.c
+++ b/sshconnect.c
+@@ -1210,36 +1210,63 @@ fail:
+        return -1;
+ }
+ 
+static int
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
+{
+       int rc = -1;
+       int flags = 0;
+       Key *raw_key = NULL;
+
+       if (!options.verify_host_key_dns)
+               goto done;
+
+       /* XXX certs are not yet supported for DNS; try looking the raw key
+        * up in the DNS anyway.
+        */
+       if (key_is_cert(host_key)) {
+               debug2("Extracting key from cert for SSHFP lookup");
+               raw_key = key_from_private(host_key);
+               if (key_drop_cert(raw_key))
+                       fatal("Couldn't drop certificate");
+               host_key = raw_key;
+       }
+
+       if (verify_host_key_dns(host, hostaddr, host_key, &flags))
+               goto done;
+
+       if (flags & DNS_VERIFY_FOUND) {
+
+               if (options.verify_host_key_dns == 1 &&
+                               flags & DNS_VERIFY_MATCH &&
+                               flags & DNS_VERIFY_SECURE) {
+                       rc = 0;
+               } else if (flags & DNS_VERIFY_MATCH) {
+                       matching_host_key_dns = 1;
+               } else {
+                       warn_changed_key(host_key);
+                       error("Update the SSHFP RR in DNS with the new "
+                                       "host key to get rid of this message.");
+               }
+       }
+
+done:
+       if (raw_key)
+               key_free(raw_key);
+       return rc;
+}
+
+ /* returns 0 if key verifies or -1 if key does NOT verify */
+ int
+ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+-       int flags = 0;
+        char *fp;
+ 
+        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+        debug("Server host key: %s %s", key_type(host_key), fp);
+        free(fp);
+ 
+-       /* XXX certs are not yet supported for DNS */
+-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-               if (flags & DNS_VERIFY_FOUND) {
+-
+-                       if (options.verify_host_key_dns == 1 &&
+-                           flags & DNS_VERIFY_MATCH &&
+-                           flags & DNS_VERIFY_SECURE)
+-                               return 0;
+-
+-                       if (flags & DNS_VERIFY_MATCH) {
+-                               matching_host_key_dns = 1;
+-                       } else {
+-                               warn_changed_key(host_key);
+-                               error("Update the SSHFP RR in DNS with the new "
+-                                   "host key to get rid of this message.");
+-                       }
+-               }
+-       }
+       if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
+               return 0;
+ 
+        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+            options.user_hostfiles, options.num_user_hostfiles,
+-- 
+1.7.9.5
author	Tudor Florea <tudor.florea@enea.com>	2015-10-09 22:59:03 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-10-09 22:59:03 +0200
commit	972dcfcdbfe75dcfeb777150c136576cf1a71e99 (patch)
tree	97a61cd7e293d7ae9d56ef7ed0f81253365bb026 /meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
download	poky-972dcfcdbfe75dcfeb777150c136576cf1a71e99.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch new file mode 100644 index 0000000000..674d186044 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
@@ -0,0 +1,114 @@
	1	Upstream-Status: Backport
	2
	3	This CVE could be removed if openssh is upgrade to 6.6 or higher.
	4	Below are some details.
	5
	6	Attempt SSHFP lookup even if server presents a certificate
	7
	8	Reference:
	9	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
	10
	11	If an ssh server presents a certificate to the client, then the client
	12	does not check the DNS for SSHFP records. This means that a malicious
	13	server can essentially disable DNS-host-key-checking, which means the
	14	client will fall back to asking the user (who will just say "yes" to
	15	the fingerprint, sadly).
	16
	17	This patch means that the ssh client will, if necessary, extract the
	18	server key from the proffered certificate, and attempt to verify it
	19	against the DNS. The patch was written by Mark Wooding
	20	<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
	21	it, and tested it.
	22
	23	Signed-off-by: Matthew Vernon <matthew@debian.org>
	24	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
	25	---
	26	--- a/sshconnect.c
	27	+++ b/sshconnect.c
	28	@@ -1210,36 +1210,63 @@ fail:
	29	return -1;
	30	}
	31
	32	+static int
	33	+check_host_key_sshfp(char host, struct sockaddr hostaddr, Key *host_key)
	34	+{
	35	+ int rc = -1;
	36	+ int flags = 0;
	37	+ Key *raw_key = NULL;
	38	+
	39	+ if (!options.verify_host_key_dns)
	40	+ goto done;
	41	+
	42	+ /* XXX certs are not yet supported for DNS; try looking the raw key
	43	+ * up in the DNS anyway.
	44	+ */
	45	+ if (key_is_cert(host_key)) {
	46	+ debug2("Extracting key from cert for SSHFP lookup");
	47	+ raw_key = key_from_private(host_key);
	48	+ if (key_drop_cert(raw_key))
	49	+ fatal("Couldn't drop certificate");
	50	+ host_key = raw_key;
	51	+ }
	52	+
	53	+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
	54	+ goto done;
	55	+
	56	+ if (flags & DNS_VERIFY_FOUND) {
	57	+
	58	+ if (options.verify_host_key_dns == 1 &&
	59	+ flags & DNS_VERIFY_MATCH &&
	60	+ flags & DNS_VERIFY_SECURE) {
	61	+ rc = 0;
	62	+ } else if (flags & DNS_VERIFY_MATCH) {
	63	+ matching_host_key_dns = 1;
	64	+ } else {
	65	+ warn_changed_key(host_key);
	66	+ error("Update the SSHFP RR in DNS with the new "
	67	+ "host key to get rid of this message.");
	68	+ }
	69	+ }
	70	+
	71	+done:
	72	+ if (raw_key)
	73	+ key_free(raw_key);
	74	+ return rc;
	75	+}
	76	+
	77	/* returns 0 if key verifies or -1 if key does NOT verify */
	78	int
	79	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
	80	{
	81	- int flags = 0;
	82	char *fp;
	83
	84	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
	85	debug("Server host key: %s %s", key_type(host_key), fp);
	86	free(fp);
	87
	88	- /* XXX certs are not yet supported for DNS */
	89	- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
	90	- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
	91	- if (flags & DNS_VERIFY_FOUND) {
	92	-
	93	- if (options.verify_host_key_dns == 1 &&
	94	- flags & DNS_VERIFY_MATCH &&
	95	- flags & DNS_VERIFY_SECURE)
	96	- return 0;
	97	-
	98	- if (flags & DNS_VERIFY_MATCH) {
	99	- matching_host_key_dns = 1;
	100	- } else {
	101	- warn_changed_key(host_key);
	102	- error("Update the SSHFP RR in DNS with the new "
	103	- "host key to get rid of this message.");
	104	- }
	105	- }
	106	- }
	107	+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
	108	+ return 0;
	109
	110	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
	111	options.user_hostfiles, options.num_user_hostfiles,
	112	--
	113	1.7.9.5
	114