openssh: Upgrade 8.0p1 -> 8.1p1

Drop upstream backport of integer overflow in XMSS private key parsing. Add PACKAGECONFIG for kerberos, libedit and ldns. If api-documentation is enabled then install man(7) manpages rather than catman pages. License-Update: convert to UTF-8 (From OE-Core rev: b084fa095800c090389b9c00d66f109d7cd11455) Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alex Kiernan <alex.kiernan@gmail.com> 2019-12-01 18:47:33 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-12-06 14:41:28 +0000
commit: 6fa4763974705a327bcbbea3638ca66800c9391b (patch)
tree: 520bf20e217962a4d3c6b698dc8a213e7e8261cf /meta/recipes-connectivity/openssh
parent: 7ce92685a19d045648c633bdc4de9b7ccce1036d (diff)
download: poky-6fa4763974705a327bcbbea3638ca66800c9391b.tar.gz
2 files changed, 10 insertions, 45 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch
deleted file mode 100644
index 3265be3485..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2014fad3d28090b59d2f8a0971166c06e5fa6da6 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Fri, 18 Oct 2019 14:56:58 +0800
-Subject: [PATCH] upstream: fix integer overflow in XMSS private key parsing.
-Reported by Adam Zabrocki via SecuriTeam's SSH program.
-Note that this code is experimental and not compiled by default.
-ok markus@
-OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
-Signed-off-by: "djm@openbsd.org" <djm@openbsd.org>
-Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a]
-CVE: CVE-2019-16905
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- sshkey-xmss.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/sshkey-xmss.c b/sshkey-xmss.c
-index aaae702..c57681a 100644
--- a/sshkey-xmss.c
-+++ b/sshkey-xmss.c
-@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
-                goto out;
-        }
-        /* check that an appropriate amount of auth data is present */
-       if (sshbuf_len(encoded) < encrypted_len + authlen) {
-+       if (sshbuf_len(encoded) < authlen ||
-+           sshbuf_len(encoded) - authlen < encrypted_len) {
-                r = SSH_ERR_INVALID_FORMAT;
-                goto out;
-        }
-- 
-2.7.4
diff --git a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb b/meta/recipes-connectivity/openssh/openssh_8.1p1.bb
index 2ffbc9a95f..024ebca402 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.1p1.bb
@@ -6,7 +6,7 @@ and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
 LICENSE = "BSD & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
 DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -24,14 +24,13 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
           file://sshd_check_keys \
           file://add-test-support-for-busybox.patch \
-           file://0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch \
           "
-SRC_URI[md5sum] = "bf050f002fe510e1daecd39044e1122d"
+SRC_URI[md5sum] = "513694343631a99841e815306806edf0"
-SRC_URI[sha256sum] = "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"
+SRC_URI[sha256sum] = "02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff"
 PAM_SRC_URI = "file://sshd"
-inherit useradd update-rc.d update-alternatives systemd
+inherit manpages useradd update-rc.d update-alternatives systemd
 USERADD_PACKAGES = "${PN}-sshd"
 USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
@@ -44,6 +43,12 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
 inherit autotools-brokensep ptest
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
+PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
+PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
+PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
 EXTRA_AUTORECONF += "--exclude=aclocal"
 # login path is hardcoded in sshd
author	Alex Kiernan <alex.kiernan@gmail.com>	2019-12-01 18:47:33 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-12-06 14:41:28 +0000
commit	6fa4763974705a327bcbbea3638ca66800c9391b (patch)
tree	520bf20e217962a4d3c6b698dc8a213e7e8261cf /meta/recipes-connectivity/openssh
parent	7ce92685a19d045648c633bdc4de9b7ccce1036d (diff)
download	poky-6fa4763974705a327bcbbea3638ca66800c9391b.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch deleted file mode 100644 index 3265be3485..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch +++ /dev/null
@@ -1,40 +0,0 @@
1	From 2014fad3d28090b59d2f8a0971166c06e5fa6da6 Mon Sep 17 00:00:00 2001
2	From: Hongxu Jia <hongxu.jia@windriver.com>
3	Date: Fri, 18 Oct 2019 14:56:58 +0800
4	Subject: [PATCH] upstream: fix integer overflow in XMSS private key parsing.
5
6	Reported by Adam Zabrocki via SecuriTeam's SSH program.
7
8	Note that this code is experimental and not compiled by default.
9
10	ok markus@
11
12	OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
13
14	Signed-off-by: "djm@openbsd.org" <djm@openbsd.org>
15
16	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a]
17	CVE: CVE-2019-16905
18
19	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
20	---
21	sshkey-xmss.c \| 3 ++-
22	1 file changed, 2 insertions(+), 1 deletion(-)
23
24	diff --git a/sshkey-xmss.c b/sshkey-xmss.c
25	index aaae702..c57681a 100644
26	--- a/sshkey-xmss.c
27	+++ b/sshkey-xmss.c
28	@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey k, struct sshbuf encoded,
29	goto out;
30	}
31	/* check that an appropriate amount of auth data is present */
32	- if (sshbuf_len(encoded) < encrypted_len + authlen) {
33	+ if (sshbuf_len(encoded) < authlen \|\|
34	+ sshbuf_len(encoded) - authlen < encrypted_len) {
35	r = SSH_ERR_INVALID_FORMAT;
36	goto out;
37	}
38	--
39	2.7.4
40


diff --git a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb b/meta/recipes-connectivity/openssh/openssh_8.1p1.bb index 2ffbc9a95f..024ebca402 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.1p1.bb
@@ -6,7 +6,7 @@ and for executing commands on a remote machine."
6	HOMEPAGE = "http://www.openssh.com/"	6	HOMEPAGE = "http://www.openssh.com/"
7	SECTION = "console/network"	7	SECTION = "console/network"
8	LICENSE = "BSD & ISC & MIT"	8	LICENSE = "BSD & ISC & MIT"
9	LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"	9	LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
10		10
11	DEPENDS = "zlib openssl virtual/crypt"	11	DEPENDS = "zlib openssl virtual/crypt"
12	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"	12	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -24,14 +24,13 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
24	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \	24	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
25	file://sshd_check_keys \	25	file://sshd_check_keys \
26	file://add-test-support-for-busybox.patch \	26	file://add-test-support-for-busybox.patch \
27	file://0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch \
28	"	27	"
29	SRC_URI[md5sum] = "bf050f002fe510e1daecd39044e1122d"	28	SRC_URI[md5sum] = "513694343631a99841e815306806edf0"
30	SRC_URI[sha256sum] = "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"	29	SRC_URI[sha256sum] = "02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff"
31		30
32	PAM_SRC_URI = "file://sshd"	31	PAM_SRC_URI = "file://sshd"
33		32
34	inherit useradd update-rc.d update-alternatives systemd	33	inherit manpages useradd update-rc.d update-alternatives systemd
35		34
36	USERADD_PACKAGES = "${PN}-sshd"	35	USERADD_PACKAGES = "${PN}-sshd"
37	USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"	36	USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
@@ -44,6 +43,12 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
44		43
45	inherit autotools-brokensep ptest	44	inherit autotools-brokensep ptest
46		45
		46	PACKAGECONFIG ??= ""
		47	PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
		48	PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
		49	PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
		50	PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
		51
47	EXTRA_AUTORECONF += "--exclude=aclocal"	52	EXTRA_AUTORECONF += "--exclude=aclocal"
48		53
49	# login path is hardcoded in sshd	54	# login path is hardcoded in sshd