summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssh
diff options
context:
space:
mode:
authorPaul Eggleton <paul.eggleton@linux.intel.com>2014-12-26 15:05:36 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-01-07 23:35:06 +0000
commit3fb5191d4da52c6b352a23881c0ea63c2e348619 (patch)
treed64060e9d298fc5cf45e4650f11c615144bbfcc1 /meta/recipes-connectivity/openssh
parent060e35492d5b4d416ede1fd18db3647796271aa6 (diff)
downloadpoky-3fb5191d4da52c6b352a23881c0ea63c2e348619.tar.gz
openssh: upgrade to 6.7p1
* Drop two CVE patches already handled upstream. * Drop nostrip.patch which no longer applies and use the existing --disable-strip configure option instead. * OpenSSH 6.7+ no longer supports tcp wrappers. We could apply the Debian patch to add support back in, but it seems best to follow upstream here unless we have a good reason to do otherwise. (From OE-Core rev: 59e0833e24e4945569d36928dc0f231e822670ba) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/nostrip.patch20
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch29
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch114
-rw-r--r--meta/recipes-connectivity/openssh/openssh_6.7p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_6.6p1.bb)14
4 files changed, 5 insertions, 172 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/nostrip.patch b/meta/recipes-connectivity/openssh/openssh/nostrip.patch
deleted file mode 100644
index 33111f5494..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/nostrip.patch
+++ /dev/null
@@ -1,20 +0,0 @@
1Disable stripping binaries during make install.
2
3Upstream-Status: Inappropriate [configuration]
4
5Build system specific.
6
7Signed-off-by: Scott Garman <scott.a.garman@intel.com>
8
9diff -ur openssh-5.6p1.orig/Makefile.in openssh-5.6p1/Makefile.in
10--- openssh-5.6p1.orig/Makefile.in 2010-05-11 23:51:39.000000000 -0700
11+++ openssh-5.6p1/Makefile.in 2010-08-30 16:49:54.000000000 -0700
12@@ -29,7 +29,7 @@
13 RAND_HELPER=$(libexecdir)/ssh-rand-helper
14 PRIVSEP_PATH=@PRIVSEP_PATH@
15 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
16-STRIP_OPT=@STRIP_OPT@
17+STRIP_OPT=
18
19 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
20 -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
deleted file mode 100644
index 30c11cf432..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2011-4327.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1openssh-CVE-2011-4327
2
3A security flaw was found in the way ssh-keysign,
4a ssh helper program for host based authentication,
5attempted to retrieve enough entropy information on configurations that
6lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
7be executed to retrieve the entropy from the system environment).
8A local attacker could use this flaw to obtain unauthorized access to host keys
9via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
10
11https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
12http://www.openssh.com/txt/portable-keysign-rand-helper.adv
13
14Upstream-Status: Pending
15
16Signed-off-by: Li Wang <li.wang@windriver.com>
17--- a/ssh-keysign.c
18+++ b/ssh-keysign.c
19@@ -170,6 +170,10 @@
20 key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
21 key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
22 key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
23+ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
24+ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
25+ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
26+ fatal("fcntl failed");
27
28 original_real_uid = getuid(); /* XXX readconf.c needs this */
29 if ((pw = getpwuid(original_real_uid)) == NULL)
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
deleted file mode 100644
index 674d186044..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
+++ /dev/null
@@ -1,114 +0,0 @@
1Upstream-Status: Backport
2
3This CVE could be removed if openssh is upgrade to 6.6 or higher.
4Below are some details.
5
6Attempt SSHFP lookup even if server presents a certificate
7
8Reference:
9https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
10
11If an ssh server presents a certificate to the client, then the client
12does not check the DNS for SSHFP records. This means that a malicious
13server can essentially disable DNS-host-key-checking, which means the
14client will fall back to asking the user (who will just say "yes" to
15the fingerprint, sadly).
16
17This patch means that the ssh client will, if necessary, extract the
18server key from the proffered certificate, and attempt to verify it
19against the DNS. The patch was written by Mark Wooding
20<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
21it, and tested it.
22
23Signed-off-by: Matthew Vernon <matthew@debian.org>
24Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
25---
26--- a/sshconnect.c
27+++ b/sshconnect.c
28@@ -1210,36 +1210,63 @@ fail:
29 return -1;
30 }
31
32+static int
33+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
34+{
35+ int rc = -1;
36+ int flags = 0;
37+ Key *raw_key = NULL;
38+
39+ if (!options.verify_host_key_dns)
40+ goto done;
41+
42+ /* XXX certs are not yet supported for DNS; try looking the raw key
43+ * up in the DNS anyway.
44+ */
45+ if (key_is_cert(host_key)) {
46+ debug2("Extracting key from cert for SSHFP lookup");
47+ raw_key = key_from_private(host_key);
48+ if (key_drop_cert(raw_key))
49+ fatal("Couldn't drop certificate");
50+ host_key = raw_key;
51+ }
52+
53+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
54+ goto done;
55+
56+ if (flags & DNS_VERIFY_FOUND) {
57+
58+ if (options.verify_host_key_dns == 1 &&
59+ flags & DNS_VERIFY_MATCH &&
60+ flags & DNS_VERIFY_SECURE) {
61+ rc = 0;
62+ } else if (flags & DNS_VERIFY_MATCH) {
63+ matching_host_key_dns = 1;
64+ } else {
65+ warn_changed_key(host_key);
66+ error("Update the SSHFP RR in DNS with the new "
67+ "host key to get rid of this message.");
68+ }
69+ }
70+
71+done:
72+ if (raw_key)
73+ key_free(raw_key);
74+ return rc;
75+}
76+
77 /* returns 0 if key verifies or -1 if key does NOT verify */
78 int
79 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
80 {
81- int flags = 0;
82 char *fp;
83
84 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
85 debug("Server host key: %s %s", key_type(host_key), fp);
86 free(fp);
87
88- /* XXX certs are not yet supported for DNS */
89- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
90- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
91- if (flags & DNS_VERIFY_FOUND) {
92-
93- if (options.verify_host_key_dns == 1 &&
94- flags & DNS_VERIFY_MATCH &&
95- flags & DNS_VERIFY_SECURE)
96- return 0;
97-
98- if (flags & DNS_VERIFY_MATCH) {
99- matching_host_key_dns = 1;
100- } else {
101- warn_changed_key(host_key);
102- error("Update the SSHFP RR in DNS with the new "
103- "host key to get rid of this message.");
104- }
105- }
106- }
107+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
108+ return 0;
109
110 return check_host_key(host, hostaddr, options.port, host_key, RDRW,
111 options.user_hostfiles, options.num_user_hostfiles,
112--
1131.7.9.5
114
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
index abc302b90f..19093fc992 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.7p1.bb
@@ -11,11 +11,9 @@ DEPENDS = "zlib openssl"
11DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" 11DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
12 12
13SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ 13SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
14 file://nostrip.patch \
15 file://sshd_config \ 14 file://sshd_config \
16 file://ssh_config \ 15 file://ssh_config \
17 file://init \ 16 file://init \
18 file://openssh-CVE-2011-4327.patch \
19 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ 17 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
20 file://sshd.socket \ 18 file://sshd.socket \
21 file://sshd@.service \ 19 file://sshd@.service \
@@ -23,13 +21,12 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
23 file://volatiles.99_sshd \ 21 file://volatiles.99_sshd \
24 file://add-test-support-for-busybox.patch \ 22 file://add-test-support-for-busybox.patch \
25 file://run-ptest \ 23 file://run-ptest \
26 file://openssh-CVE-2014-2653.patch \
27 file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch" 24 file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
28 25
29PAM_SRC_URI = "file://sshd" 26PAM_SRC_URI = "file://sshd"
30 27
31SRC_URI[md5sum] = "3e9800e6bca1fbac0eea4d41baa7f239" 28SRC_URI[md5sum] = "3246aa79317b1d23cae783a3bf8275d6"
32SRC_URI[sha256sum] = "48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb" 29SRC_URI[sha256sum] = "b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507"
33 30
34inherit useradd update-rc.d update-alternatives systemd 31inherit useradd update-rc.d update-alternatives systemd
35 32
@@ -42,9 +39,6 @@ INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
42SYSTEMD_PACKAGES = "${PN}-sshd" 39SYSTEMD_PACKAGES = "${PN}-sshd"
43SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" 40SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
44 41
45PACKAGECONFIG ??= "tcp-wrappers"
46PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
47
48inherit autotools-brokensep ptest 42inherit autotools-brokensep ptest
49 43
50# LFS support: 44# LFS support:
@@ -56,7 +50,9 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
56 --without-zlib-version-check \ 50 --without-zlib-version-check \
57 --with-privsep-path=/var/run/sshd \ 51 --with-privsep-path=/var/run/sshd \
58 --sysconfdir=${sysconfdir}/ssh \ 52 --sysconfdir=${sysconfdir}/ssh \
59 --with-xauth=/usr/bin/xauth" 53 --with-xauth=/usr/bin/xauth \
54 --disable-strip \
55 "
60 56
61# Since we do not depend on libbsd, we do not want configure to use it 57# Since we do not depend on libbsd, we do not want configure to use it
62# just because it finds libutil.h. But, specifying --disable-libutil 58# just because it finds libutil.h. But, specifying --disable-libutil