diff options
author | Paul Eggleton <paul.eggleton@linux.intel.com> | 2014-12-26 15:05:36 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-01-07 23:35:06 +0000 |
commit | 3fb5191d4da52c6b352a23881c0ea63c2e348619 (patch) | |
tree | d64060e9d298fc5cf45e4650f11c615144bbfcc1 /meta/recipes-connectivity/openssh | |
parent | 060e35492d5b4d416ede1fd18db3647796271aa6 (diff) | |
download | poky-3fb5191d4da52c6b352a23881c0ea63c2e348619.tar.gz |
openssh: upgrade to 6.7p1
* Drop two CVE patches already handled upstream.
* Drop nostrip.patch which no longer applies and use the existing
--disable-strip configure option instead.
* OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the
Debian patch to add support back in, but it seems best to follow
upstream here unless we have a good reason to do otherwise.
(From OE-Core rev: 59e0833e24e4945569d36928dc0f231e822670ba)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/nostrip.patch | 20 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch | 29 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch | 114 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_6.7p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_6.6p1.bb) | 14 |
4 files changed, 5 insertions, 172 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch deleted file mode 100644 index 33111f5494..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/nostrip.patch +++ /dev/null | |||
@@ -1,20 +0,0 @@ | |||
1 | Disable stripping binaries during make install. | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Build system specific. | ||
6 | |||
7 | Signed-off-by: Scott Garman <scott.a.garman@intel.com> | ||
8 | |||
9 | diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in | ||
10 | --- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700 | ||
11 | +++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700 | ||
12 | @@ -29,7 +29,7 @@ | ||
13 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
14 | PRIVSEP_PATH=@PRIVSEP_PATH@ | ||
15 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | ||
16 | -STRIP_OPT=@STRIP_OPT@ | ||
17 | +STRIP_OPT= | ||
18 | |||
19 | PATHS= -DSSHDIR=\"$(sysconfdir)\" \ | ||
20 | -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch deleted file mode 100644 index 30c11cf432..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | openssh-CVE-2011-4327 | ||
2 | |||
3 | A security flaw was found in the way ssh-keysign, | ||
4 | a ssh helper program for host based authentication, | ||
5 | attempted to retrieve enough entropy information on configurations that | ||
6 | lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would | ||
7 | be executed to retrieve the entropy from the system environment). | ||
8 | A local attacker could use this flaw to obtain unauthorized access to host keys | ||
9 | via ptrace(2) process trace attached to the 'ssh-rand-helper' program. | ||
10 | |||
11 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 | ||
12 | http://www.openssh.com/txt/portable-keysign-rand-helper.adv | ||
13 | |||
14 | Upstream-Status: Pending | ||
15 | |||
16 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
17 | --- a/ssh-keysign.c | ||
18 | +++ b/ssh-keysign.c | ||
19 | @@ -170,6 +170,10 @@ | ||
20 | key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); | ||
21 | key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); | ||
22 | key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); | ||
23 | + if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || | ||
24 | + fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || | ||
25 | + fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) | ||
26 | + fatal("fcntl failed"); | ||
27 | |||
28 | original_real_uid = getuid(); /* XXX readconf.c needs this */ | ||
29 | if ((pw = getpwuid(original_real_uid)) == NULL) | ||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch deleted file mode 100644 index 674d186044..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch +++ /dev/null | |||
@@ -1,114 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | This CVE could be removed if openssh is upgrade to 6.6 or higher. | ||
4 | Below are some details. | ||
5 | |||
6 | Attempt SSHFP lookup even if server presents a certificate | ||
7 | |||
8 | Reference: | ||
9 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 | ||
10 | |||
11 | If an ssh server presents a certificate to the client, then the client | ||
12 | does not check the DNS for SSHFP records. This means that a malicious | ||
13 | server can essentially disable DNS-host-key-checking, which means the | ||
14 | client will fall back to asking the user (who will just say "yes" to | ||
15 | the fingerprint, sadly). | ||
16 | |||
17 | This patch means that the ssh client will, if necessary, extract the | ||
18 | server key from the proffered certificate, and attempt to verify it | ||
19 | against the DNS. The patch was written by Mark Wooding | ||
20 | <mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed | ||
21 | it, and tested it. | ||
22 | |||
23 | Signed-off-by: Matthew Vernon <matthew@debian.org> | ||
24 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
25 | --- | ||
26 | --- a/sshconnect.c | ||
27 | +++ b/sshconnect.c | ||
28 | @@ -1210,36 +1210,63 @@ fail: | ||
29 | return -1; | ||
30 | } | ||
31 | |||
32 | +static int | ||
33 | +check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key) | ||
34 | +{ | ||
35 | + int rc = -1; | ||
36 | + int flags = 0; | ||
37 | + Key *raw_key = NULL; | ||
38 | + | ||
39 | + if (!options.verify_host_key_dns) | ||
40 | + goto done; | ||
41 | + | ||
42 | + /* XXX certs are not yet supported for DNS; try looking the raw key | ||
43 | + * up in the DNS anyway. | ||
44 | + */ | ||
45 | + if (key_is_cert(host_key)) { | ||
46 | + debug2("Extracting key from cert for SSHFP lookup"); | ||
47 | + raw_key = key_from_private(host_key); | ||
48 | + if (key_drop_cert(raw_key)) | ||
49 | + fatal("Couldn't drop certificate"); | ||
50 | + host_key = raw_key; | ||
51 | + } | ||
52 | + | ||
53 | + if (verify_host_key_dns(host, hostaddr, host_key, &flags)) | ||
54 | + goto done; | ||
55 | + | ||
56 | + if (flags & DNS_VERIFY_FOUND) { | ||
57 | + | ||
58 | + if (options.verify_host_key_dns == 1 && | ||
59 | + flags & DNS_VERIFY_MATCH && | ||
60 | + flags & DNS_VERIFY_SECURE) { | ||
61 | + rc = 0; | ||
62 | + } else if (flags & DNS_VERIFY_MATCH) { | ||
63 | + matching_host_key_dns = 1; | ||
64 | + } else { | ||
65 | + warn_changed_key(host_key); | ||
66 | + error("Update the SSHFP RR in DNS with the new " | ||
67 | + "host key to get rid of this message."); | ||
68 | + } | ||
69 | + } | ||
70 | + | ||
71 | +done: | ||
72 | + if (raw_key) | ||
73 | + key_free(raw_key); | ||
74 | + return rc; | ||
75 | +} | ||
76 | + | ||
77 | /* returns 0 if key verifies or -1 if key does NOT verify */ | ||
78 | int | ||
79 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | ||
80 | { | ||
81 | - int flags = 0; | ||
82 | char *fp; | ||
83 | |||
84 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | ||
85 | debug("Server host key: %s %s", key_type(host_key), fp); | ||
86 | free(fp); | ||
87 | |||
88 | - /* XXX certs are not yet supported for DNS */ | ||
89 | - if (!key_is_cert(host_key) && options.verify_host_key_dns && | ||
90 | - verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { | ||
91 | - if (flags & DNS_VERIFY_FOUND) { | ||
92 | - | ||
93 | - if (options.verify_host_key_dns == 1 && | ||
94 | - flags & DNS_VERIFY_MATCH && | ||
95 | - flags & DNS_VERIFY_SECURE) | ||
96 | - return 0; | ||
97 | - | ||
98 | - if (flags & DNS_VERIFY_MATCH) { | ||
99 | - matching_host_key_dns = 1; | ||
100 | - } else { | ||
101 | - warn_changed_key(host_key); | ||
102 | - error("Update the SSHFP RR in DNS with the new " | ||
103 | - "host key to get rid of this message."); | ||
104 | - } | ||
105 | - } | ||
106 | - } | ||
107 | + if (check_host_key_sshfp(host, hostaddr, host_key) == 0) | ||
108 | + return 0; | ||
109 | |||
110 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, | ||
111 | options.user_hostfiles, options.num_user_hostfiles, | ||
112 | -- | ||
113 | 1.7.9.5 | ||
114 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb index abc302b90f..19093fc992 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb | |||
@@ -11,11 +11,9 @@ DEPENDS = "zlib openssl" | |||
11 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | 11 | DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" |
12 | 12 | ||
13 | SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ | 13 | SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ |
14 | file://nostrip.patch \ | ||
15 | file://sshd_config \ | 14 | file://sshd_config \ |
16 | file://ssh_config \ | 15 | file://ssh_config \ |
17 | file://init \ | 16 | file://init \ |
18 | file://openssh-CVE-2011-4327.patch \ | ||
19 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | 17 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
20 | file://sshd.socket \ | 18 | file://sshd.socket \ |
21 | file://sshd@.service \ | 19 | file://sshd@.service \ |
@@ -23,13 +21,12 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. | |||
23 | file://volatiles.99_sshd \ | 21 | file://volatiles.99_sshd \ |
24 | file://add-test-support-for-busybox.patch \ | 22 | file://add-test-support-for-busybox.patch \ |
25 | file://run-ptest \ | 23 | file://run-ptest \ |
26 | file://openssh-CVE-2014-2653.patch \ | ||
27 | file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" | 24 | file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" |
28 | 25 | ||
29 | PAM_SRC_URI = "file://sshd" | 26 | PAM_SRC_URI = "file://sshd" |
30 | 27 | ||
31 | SRC_URI[md5sum] = "3e9800e6bca1fbac0eea4d41baa7f239" | 28 | SRC_URI[md5sum] = "3246aa79317b1d23cae783a3bf8275d6" |
32 | SRC_URI[sha256sum] = "48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb" | 29 | SRC_URI[sha256sum] = "b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507" |
33 | 30 | ||
34 | inherit useradd update-rc.d update-alternatives systemd | 31 | inherit useradd update-rc.d update-alternatives systemd |
35 | 32 | ||
@@ -42,9 +39,6 @@ INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9" | |||
42 | SYSTEMD_PACKAGES = "${PN}-sshd" | 39 | SYSTEMD_PACKAGES = "${PN}-sshd" |
43 | SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" | 40 | SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" |
44 | 41 | ||
45 | PACKAGECONFIG ??= "tcp-wrappers" | ||
46 | PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" | ||
47 | |||
48 | inherit autotools-brokensep ptest | 42 | inherit autotools-brokensep ptest |
49 | 43 | ||
50 | # LFS support: | 44 | # LFS support: |
@@ -56,7 +50,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ | |||
56 | --without-zlib-version-check \ | 50 | --without-zlib-version-check \ |
57 | --with-privsep-path=/var/run/sshd \ | 51 | --with-privsep-path=/var/run/sshd \ |
58 | --sysconfdir=${sysconfdir}/ssh \ | 52 | --sysconfdir=${sysconfdir}/ssh \ |
59 | --with-xauth=/usr/bin/xauth" | 53 | --with-xauth=/usr/bin/xauth \ |
54 | --disable-strip \ | ||
55 | " | ||
60 | 56 | ||
61 | # Since we do not depend on libbsd, we do not want configure to use it | 57 | # Since we do not depend on libbsd, we do not want configure to use it |
62 | # just because it finds libutil.h. But, specifying --disable-libutil | 58 | # just because it finds libutil.h. But, specifying --disable-libutil |