openssh: CVE-2016-1907

This issue requires three commits: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0 (From OE-Core rev: a42229df424552955c0ac62da1063461f97f5938) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-01-15 16:59:49 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-18 11:47:08 +0000
commit: a2f23fa62858b89850aab339ddec16dcf6026b37 (patch)
tree: 91a231d4464be275ce381eef973c72ae4f377374 /meta/recipes-connectivity
parent: 320a3192206683ad184d22aa89b9db42bcac2ad2 (diff)
download: poky-a2f23fa62858b89850aab339ddec16dcf6026b37.tar.gz
4 files changed, 431 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch
new file mode 100644
index 0000000000..9fac69c3dd
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch
@@ -0,0 +1,65 @@
+From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
+From: "mmcc@openbsd.org" <mmcc@openbsd.org>
+Date: Tue, 20 Oct 2015 03:36:35 +0000
+Subject: [PATCH] upstream commit
+Replace a function-local allocation with stack memory.
+ok djm@
+Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+[YOCTO #8935]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ clientloop.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+diff --git a/clientloop.c b/clientloop.c
+index 87ceb3d..1e05cba 100644
+--- a/clientloop.c
+++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+        static char proto[512], data[512];
+        FILE *f;
+        int got_data = 0, generated = 0, do_unlink = 0, i;
+-       char *xauthdir, *xauthfile;
+       char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
+        struct stat st;
+        u_int now, x11_timeout_real;
+ 
+-       xauthdir = xauthfile = NULL;
+        *_proto = proto;
+        *_data = data;
+        proto[0] = data[0] = '\0';
+@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+                        display = xdisplay;
+                }
+                if (trusted == 0) {
+-                       xauthdir = xmalloc(PATH_MAX);
+-                       xauthfile = xmalloc(PATH_MAX);
+                        mktemp_proto(xauthdir, PATH_MAX);
+                        /*
+                         * The authentication cookie should briefly outlive
+@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+                unlink(xauthfile);
+                rmdir(xauthdir);
+        }
+-       free(xauthdir);
+-       free(xauthfile);
+ 
+        /*
+         * If we didn't get authentication data, just make up some
+-- 
+1.9.1
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch
new file mode 100644
index 0000000000..3dfc51af79
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch
@@ -0,0 +1,329 @@
+From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 13 Jan 2016 23:04:47 +0000
+Subject: [PATCH] upstream commit
+eliminate fallback from untrusted X11 forwarding to trusted
+ forwarding when the X server disables the SECURITY extension; Reported by
+ Thomas Hoger; ok deraadt@
+Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+[YOCTO #8935]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ clientloop.c | 114 ++++++++++++++++++++++++++++++++++++-----------------------
+ clientloop.h |   4 +--
+ mux.c        |  22 ++++++------
+ ssh.c        |  23 +++++-------
+ 4 files changed, 93 insertions(+), 70 deletions(-)
+Index: openssh-7.1p2/clientloop.c
+===================================================================
+--- openssh-7.1p2.orig/clientloop.c
+++ openssh-7.1p2/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+/* $OpenBSD: clientloop.c,v 1.279 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -288,6 +288,9 @@ client_x11_display_valid(const char *dis
+ {
+        size_t i, dlen;
+ 
+       if (display == NULL)
+               return 0;
+
+        dlen = strlen(display);
+        for (i = 0; i < dlen; i++) {
+                if (!isalnum((u_char)display[i]) &&
+@@ -301,34 +304,33 @@ client_x11_display_valid(const char *dis
+ 
+ #define SSH_X11_PROTO          "MIT-MAGIC-COOKIE-1"
+ #define X11_TIMEOUT_SLACK      60
+-void
+int
+ client_x11_get_proto(const char *display, const char *xauth_path,
+     u_int trusted, u_int timeout, char **_proto, char **_data)
+ {
+-       char cmd[1024];
+-       char line[512];
+-       char xdisplay[512];
+       char cmd[1024], line[512], xdisplay[512];
+       char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
+        static char proto[512], data[512];
+        FILE *f;
+-       int got_data = 0, generated = 0, do_unlink = 0, i;
+-       char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
+       int got_data = 0, generated = 0, do_unlink = 0, i, r;
+        struct stat st;
+        u_int now, x11_timeout_real;
+ 
+        *_proto = proto;
+        *_data = data;
+-       proto[0] = data[0] = '\0';
+       proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+ 
+-       if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
+-               debug("No xauth program.");
+-       } else if (!client_x11_display_valid(display)) {
+-               logit("DISPLAY '%s' invalid, falling back to fake xauth data",
+       if (!client_x11_display_valid(display)) {
+               logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
+                    display);
+-       } else {
+-               if (display == NULL) {
+-                       debug("x11_get_proto: DISPLAY not set");
+-                       return;
+-               }
+               return -1;
+       }
+       if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
+               debug("No xauth program.");
+               xauth_path = NULL;
+       }
+
+       if (xauth_path != NULL) {
+                /*
+                 * Handle FamilyLocal case where $DISPLAY does
+                 * not match an authorization entry.  For this we
+@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display
+                 *      is not perfect.
+                 */
+                if (strncmp(display, "localhost:", 10) == 0) {
+-                       snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+-                           display + 10);
+                       if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+                           display + 10)) < 0 ||
+                           (size_t)r >= sizeof(xdisplay)) {
+                               error("%s: display name too long", __func__);
+                               return -1;
+                       }
+                        display = xdisplay;
+                }
+                if (trusted == 0) {
+-                       mktemp_proto(xauthdir, PATH_MAX);
+                        /*
+                        * Generate an untrusted X11 auth cookie.
+                        *
+                         * The authentication cookie should briefly outlive
+                         * ssh's willingness to forward X11 connections to
+                         * avoid nasty fail-open behaviour in the X server.
+                         */
+                       mktemp_proto(xauthdir, sizeof(xauthdir));
+                       if (mkdtemp(xauthdir) == NULL) {
+                               error("%s: mkdtemp: %s",
+                                   __func__, strerror(errno));
+                               return -1;
+                       }
+                       do_unlink = 1;
+                       if ((r = snprintf(xauthfile, sizeof(xauthfile),
+                           "%s/xauthfile", xauthdir)) < 0 ||
+                           (size_t)r >= sizeof(xauthfile)) {
+                               error("%s: xauthfile path too long", __func__);
+                               unlink(xauthfile);
+                               rmdir(xauthdir);
+                               return -1;
+                       }
+
+                        if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+                                x11_timeout_real = UINT_MAX;
+                        else
+                                x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+-                       if (mkdtemp(xauthdir) != NULL) {
+-                               do_unlink = 1;
+-                               snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
+-                                   xauthdir);
+-                               snprintf(cmd, sizeof(cmd),
+-                                   "%s -f %s generate %s " SSH_X11_PROTO
+-                                   " untrusted timeout %u 2>" _PATH_DEVNULL,
+-                                   xauth_path, xauthfile, display,
+-                                   x11_timeout_real);
+-                               debug2("x11_get_proto: %s", cmd);
+-                               if (x11_refuse_time == 0) {
+-                                       now = monotime() + 1;
+-                                       if (UINT_MAX - timeout < now)
+-                                               x11_refuse_time = UINT_MAX;
+-                                       else
+-                                               x11_refuse_time = now + timeout;
+-                                       channel_set_x11_refuse_time(
+-                                           x11_refuse_time);
+-                               }
+-                               if (system(cmd) == 0)
+-                                       generated = 1;
+                       if ((r = snprintf(cmd, sizeof(cmd),
+                           "%s -f %s generate %s " SSH_X11_PROTO
+                           " untrusted timeout %u 2>" _PATH_DEVNULL,
+                           xauth_path, xauthfile, display,
+                           x11_timeout_real)) < 0 ||
+                           (size_t)r >= sizeof(cmd))
+                               fatal("%s: cmd too long", __func__);
+                       debug2("%s: %s", __func__, cmd);
+                       if (x11_refuse_time == 0) {
+                               now = monotime() + 1;
+                               if (UINT_MAX - timeout < now)
+                                       x11_refuse_time = UINT_MAX;
+                               else
+                                       x11_refuse_time = now + timeout;
+                               channel_set_x11_refuse_time(x11_refuse_time);
+                        }
+                       if (system(cmd) == 0)
+                               generated = 1;
+                }
+ 
+                /*
+@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display
+                                got_data = 1;
+                        if (f)
+                                pclose(f);
+-               } else
+-                       error("Warning: untrusted X11 forwarding setup failed: "
+-                           "xauth key data not generated");
+               }
+        }
+ 
+        if (do_unlink) {
+@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display
+                rmdir(xauthdir);
+        }
+ 
+       /* Don't fall back to fake X11 data for untrusted forwarding */
+       if (!trusted && !got_data) {
+               error("Warning: untrusted X11 forwarding setup failed: "
+                   "xauth key data not generated");
+               return -1;
+       }
+
+        /*
+         * If we didn't get authentication data, just make up some
+         * data.  The forwarding code will check the validity of the
+@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display
+                        rnd >>= 8;
+                }
+        }
+
+       return 0;
+ }
+ 
+ /*
+Index: openssh-7.1p2/clientloop.h
+===================================================================
+--- openssh-7.1p2.orig/clientloop.h
+++ openssh-7.1p2/clientloop.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
+/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
+ 
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+@@ -39,7 +39,7 @@
+ 
+ /* Client side main loop for the interactive session. */
+ int     client_loop(int, int, int);
+-void    client_x11_get_proto(const char *, const char *, u_int, u_int,
+int     client_x11_get_proto(const char *, const char *, u_int, u_int,
+            char **, char **);
+ void    client_global_request_reply_fwd(int, u_int32_t, void *);
+ void    client_session2_setup(int, int, int, const char *, struct termios *,
+Index: openssh-7.1p2/mux.c
+===================================================================
+--- openssh-7.1p2.orig/mux.c
+++ openssh-7.1p2/mux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
+  *
+@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success,
+                char *proto, *data;
+ 
+                /* Get reasonable local authentication information. */
+-               client_x11_get_proto(display, options.xauth_location,
+               if (client_x11_get_proto(display, options.xauth_location,
+                    options.forward_x11_trusted, options.forward_x11_timeout,
+-                   &proto, &data);
+-               /* Request forwarding with authentication spoofing. */
+-               debug("Requesting X11 forwarding with authentication "
+-                   "spoofing.");
+-               x11_request_forwarding_with_spoofing(id, display, proto,
+-                   data, 1);
+-               client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
+-               /* XXX exit_on_forward_failure */
+                   &proto, &data) == 0) {
+                       /* Request forwarding with authentication spoofing. */
+                       debug("Requesting X11 forwarding with authentication "
+                           "spoofing.");
+                       x11_request_forwarding_with_spoofing(id, display, proto,
+                           data, 1);
+                       /* XXX exit_on_forward_failure */
+                       client_expect_confirm(id, "X11 forwarding",
+                           CONFIRM_WARN);
+               }
+        }
+ 
+        if (cctx->want_agent_fwd && options.forward_agent) {
+Index: openssh-7.1p2/ssh.c
+===================================================================
+--- openssh-7.1p2.orig/ssh.c
+++ openssh-7.1p2/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.433 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1604,6 +1604,7 @@ ssh_session(void)
+        struct winsize ws;
+        char *cp;
+        const char *display;
+       char *proto = NULL, *data = NULL;
+ 
+        /* Enable compression if requested. */
+        if (options.compression) {
+@@ -1674,13 +1675,9 @@ ssh_session(void)
+        display = getenv("DISPLAY");
+        if (display == NULL && options.forward_x11)
+                debug("X11 forwarding requested but DISPLAY not set");
+-       if (options.forward_x11 && display != NULL) {
+-               char *proto, *data;
+-               /* Get reasonable local authentication information. */
+-               client_x11_get_proto(display, options.xauth_location,
+-                   options.forward_x11_trusted,
+-                   options.forward_x11_timeout,
+-                   &proto, &data);
+       if (options.forward_x11 && client_x11_get_proto(display,
+           options.xauth_location, options.forward_x11_trusted,
+           options.forward_x11_timeout, &proto, &data) == 0) {
+                /* Request forwarding with authentication spoofing. */
+                debug("Requesting X11 forwarding with authentication "
+                    "spoofing.");
+@@ -1770,6 +1767,7 @@ ssh_session2_setup(int id, int success,
+        extern char **environ;
+        const char *display;
+        int interactive = tty_flag;
+       char *proto = NULL, *data = NULL;
+ 
+        if (!success)
+                return; /* No need for error message, channels code sens one */
+@@ -1777,12 +1775,9 @@ ssh_session2_setup(int id, int success,
+        display = getenv("DISPLAY");
+        if (display == NULL && options.forward_x11)
+                debug("X11 forwarding requested but DISPLAY not set");
+-       if (options.forward_x11 && display != NULL) {
+-               char *proto, *data;
+-               /* Get reasonable local authentication information. */
+-               client_x11_get_proto(display, options.xauth_location,
+-                   options.forward_x11_trusted,
+-                   options.forward_x11_timeout, &proto, &data);
+       if (options.forward_x11 && client_x11_get_proto(display,
+           options.xauth_location, options.forward_x11_trusted,
+           options.forward_x11_timeout, &proto, &data) == 0) {
+                /* Request forwarding with authentication spoofing. */
+                debug("Requesting X11 forwarding with authentication "
+                    "spoofing.");
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch
new file mode 100644
index 0000000000..f3d132e43d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch
@@ -0,0 +1,33 @@
+From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 8 Nov 2015 21:59:11 +0000
+Subject: [PATCH] upstream commit
+fix OOB read in packet code caused by missing return
+ statement found by Ben Hawkes; ok markus@ deraadt@
+Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+[YOCTO #8935]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ packet.c | 1 +
+ 1 file changed, 1 insertion(+)
+Index: openssh-7.1p2/packet.c
+===================================================================
+--- openssh-7.1p2.orig/packet.c
+++ openssh-7.1p2/packet.c
+@@ -1855,6 +1855,7 @@ ssh_packet_process_incoming(struct ssh *
+                if (len >= state->packet_discard) {
+                        if ((r = ssh_packet_stop_discard(ssh)) != 0)
+                                return r;
+                       return SSH_ERR_CONN_CORRUPT;
+                }
+                state->packet_discard -= len;
+                return 0;
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
index ac824ee301..9c62d7894b 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -20,7 +20,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://sshdgenkeys.service \
           file://volatiles.99_sshd \
           file://add-test-support-for-busybox.patch \
-           file://run-ptest"
+           file://run-ptest \
+           file://CVE-2016-1907_upstream_commit.patch \
+           file://CVE-2016-1907_2.patch \
+           file://CVE-2016-1907_3.patch "
 PAM_SRC_URI = "file://sshd"
author	Armin Kuster <akuster@mvista.com>	2016-01-15 16:59:49 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-18 11:47:08 +0000
commit	a2f23fa62858b89850aab339ddec16dcf6026b37 (patch)
tree	91a231d4464be275ce381eef973c72ae4f377374 /meta/recipes-connectivity
parent	320a3192206683ad184d22aa89b9db42bcac2ad2 (diff)
download	poky-a2f23fa62858b89850aab339ddec16dcf6026b37.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch new file mode 100644 index 0000000000..9fac69c3dd --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch
@@ -0,0 +1,65 @@
		1	From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
		2	From: "mmcc@openbsd.org" <mmcc@openbsd.org>
		3	Date: Tue, 20 Oct 2015 03:36:35 +0000
		4	Subject: [PATCH] upstream commit
		5
		6	Replace a function-local allocation with stack memory.
		7
		8	ok djm@
		9
		10	Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
		11	Upstream-Status: Backport
		12	CVE: CVE-2016-1907
		13
		14	[YOCTO #8935]
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	clientloop.c \| 9 ++-------
		20	1 file changed, 2 insertions(+), 7 deletions(-)
		21
		22	diff --git a/clientloop.c b/clientloop.c
		23	index 87ceb3d..1e05cba 100644
		24	--- a/clientloop.c
		25	+++ b/clientloop.c
		26	@@ -1,4 +1,4 @@
		27	-/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
		28	+/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
		29	/*
		30	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		31	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		32	@@ -311,11 +311,10 @@ client_x11_get_proto(const char display, const char xauth_path,
		33	static char proto[512], data[512];
		34	FILE *f;
		35	int got_data = 0, generated = 0, do_unlink = 0, i;
		36	- char xauthdir, xauthfile;
		37	+ char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
		38	struct stat st;
		39	u_int now, x11_timeout_real;
		40
		41	- xauthdir = xauthfile = NULL;
		42	*_proto = proto;
		43	*_data = data;
		44	proto[0] = data[0] = '\0';
		45	@@ -343,8 +342,6 @@ client_x11_get_proto(const char display, const char xauth_path,
		46	display = xdisplay;
		47	}
		48	if (trusted == 0) {
		49	- xauthdir = xmalloc(PATH_MAX);
		50	- xauthfile = xmalloc(PATH_MAX);
		51	mktemp_proto(xauthdir, PATH_MAX);
		52	/*
		53	* The authentication cookie should briefly outlive
		54	@@ -407,8 +404,6 @@ client_x11_get_proto(const char display, const char xauth_path,
		55	unlink(xauthfile);
		56	rmdir(xauthdir);
		57	}
		58	- free(xauthdir);
		59	- free(xauthfile);
		60
		61	/*
		62	* If we didn't get authentication data, just make up some
		63	--
		64	1.9.1
		65


diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch new file mode 100644 index 0000000000..3dfc51af79 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch
@@ -0,0 +1,329 @@
		1	From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Wed, 13 Jan 2016 23:04:47 +0000
		4	Subject: [PATCH] upstream commit
		5
		6	eliminate fallback from untrusted X11 forwarding to trusted
		7	forwarding when the X server disables the SECURITY extension; Reported by
		8	Thomas Hoger; ok deraadt@
		9
		10	Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
		11	Upstream-Status: Backport
		12	CVE: CVE-2016-1907
		13
		14	[YOCTO #8935]
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	clientloop.c \| 114 ++++++++++++++++++++++++++++++++++++-----------------------
		20	clientloop.h \| 4 +--
		21	mux.c \| 22 ++++++------
		22	ssh.c \| 23 +++++-------
		23	4 files changed, 93 insertions(+), 70 deletions(-)
		24
		25	Index: openssh-7.1p2/clientloop.c
		26	===================================================================
		27	--- openssh-7.1p2.orig/clientloop.c
		28	+++ openssh-7.1p2/clientloop.c
		29	@@ -1,4 +1,4 @@
		30	-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
		31	+/* $OpenBSD: clientloop.c,v 1.279 2016/01/13 23:04:47 djm Exp $ */
		32	/*
		33	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		34	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		35	@@ -288,6 +288,9 @@ client_x11_display_valid(const char *dis
		36	{
		37	size_t i, dlen;
		38
		39	+ if (display == NULL)
		40	+ return 0;
		41	+
		42	dlen = strlen(display);
		43	for (i = 0; i < dlen; i++) {
		44	if (!isalnum((u_char)display[i]) &&
		45	@@ -301,34 +304,33 @@ client_x11_display_valid(const char *dis
		46
		47	#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
		48	#define X11_TIMEOUT_SLACK 60
		49	-void
		50	+int
		51	client_x11_get_proto(const char display, const char xauth_path,
		52	u_int trusted, u_int timeout, char _proto, char _data)
		53	{
		54	- char cmd[1024];
		55	- char line[512];
		56	- char xdisplay[512];
		57	+ char cmd[1024], line[512], xdisplay[512];
		58	+ char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
		59	static char proto[512], data[512];
		60	FILE *f;
		61	- int got_data = 0, generated = 0, do_unlink = 0, i;
		62	- char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
		63	+ int got_data = 0, generated = 0, do_unlink = 0, i, r;
		64	struct stat st;
		65	u_int now, x11_timeout_real;
		66
		67	*_proto = proto;
		68	*_data = data;
		69	- proto[0] = data[0] = '\0';
		70	+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
		71
		72	- if (xauth_path == NULL \|\|(stat(xauth_path, &st) == -1)) {
		73	- debug("No xauth program.");
		74	- } else if (!client_x11_display_valid(display)) {
		75	- logit("DISPLAY '%s' invalid, falling back to fake xauth data",
		76	+ if (!client_x11_display_valid(display)) {
		77	+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
		78	display);
		79	- } else {
		80	- if (display == NULL) {
		81	- debug("x11_get_proto: DISPLAY not set");
		82	- return;
		83	- }
		84	+ return -1;
		85	+ }
		86	+ if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
		87	+ debug("No xauth program.");
		88	+ xauth_path = NULL;
		89	+ }
		90	+
		91	+ if (xauth_path != NULL) {
		92	/*
		93	* Handle FamilyLocal case where $DISPLAY does
		94	* not match an authorization entry. For this we
		95	@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display
		96	* is not perfect.
		97	*/
		98	if (strncmp(display, "localhost:", 10) == 0) {
		99	- snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
		100	- display + 10);
		101	+ if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
		102	+ display + 10)) < 0 \|\|
		103	+ (size_t)r >= sizeof(xdisplay)) {
		104	+ error("%s: display name too long", __func__);
		105	+ return -1;
		106	+ }
		107	display = xdisplay;
		108	}
		109	if (trusted == 0) {
		110	- mktemp_proto(xauthdir, PATH_MAX);
		111	/*
		112	+ * Generate an untrusted X11 auth cookie.
		113	+ *
		114	* The authentication cookie should briefly outlive
		115	* ssh's willingness to forward X11 connections to
		116	* avoid nasty fail-open behaviour in the X server.
		117	*/
		118	+ mktemp_proto(xauthdir, sizeof(xauthdir));
		119	+ if (mkdtemp(xauthdir) == NULL) {
		120	+ error("%s: mkdtemp: %s",
		121	+ __func__, strerror(errno));
		122	+ return -1;
		123	+ }
		124	+ do_unlink = 1;
		125	+ if ((r = snprintf(xauthfile, sizeof(xauthfile),
		126	+ "%s/xauthfile", xauthdir)) < 0 \|\|
		127	+ (size_t)r >= sizeof(xauthfile)) {
		128	+ error("%s: xauthfile path too long", __func__);
		129	+ unlink(xauthfile);
		130	+ rmdir(xauthdir);
		131	+ return -1;
		132	+ }
		133	+
		134	if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
		135	x11_timeout_real = UINT_MAX;
		136	else
		137	x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
		138	- if (mkdtemp(xauthdir) != NULL) {
		139	- do_unlink = 1;
		140	- snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
		141	- xauthdir);
		142	- snprintf(cmd, sizeof(cmd),
		143	- "%s -f %s generate %s " SSH_X11_PROTO
		144	- " untrusted timeout %u 2>" _PATH_DEVNULL,
		145	- xauth_path, xauthfile, display,
		146	- x11_timeout_real);
		147	- debug2("x11_get_proto: %s", cmd);
		148	- if (x11_refuse_time == 0) {
		149	- now = monotime() + 1;
		150	- if (UINT_MAX - timeout < now)
		151	- x11_refuse_time = UINT_MAX;
		152	- else
		153	- x11_refuse_time = now + timeout;
		154	- channel_set_x11_refuse_time(
		155	- x11_refuse_time);
		156	- }
		157	- if (system(cmd) == 0)
		158	- generated = 1;
		159	+ if ((r = snprintf(cmd, sizeof(cmd),
		160	+ "%s -f %s generate %s " SSH_X11_PROTO
		161	+ " untrusted timeout %u 2>" _PATH_DEVNULL,
		162	+ xauth_path, xauthfile, display,
		163	+ x11_timeout_real)) < 0 \|\|
		164	+ (size_t)r >= sizeof(cmd))
		165	+ fatal("%s: cmd too long", __func__);
		166	+ debug2("%s: %s", __func__, cmd);
		167	+ if (x11_refuse_time == 0) {
		168	+ now = monotime() + 1;
		169	+ if (UINT_MAX - timeout < now)
		170	+ x11_refuse_time = UINT_MAX;
		171	+ else
		172	+ x11_refuse_time = now + timeout;
		173	+ channel_set_x11_refuse_time(x11_refuse_time);
		174	}
		175	+ if (system(cmd) == 0)
		176	+ generated = 1;
		177	}
		178
		179	/*
		180	@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display
		181	got_data = 1;
		182	if (f)
		183	pclose(f);
		184	- } else
		185	- error("Warning: untrusted X11 forwarding setup failed: "
		186	- "xauth key data not generated");
		187	+ }
		188	}
		189
		190	if (do_unlink) {
		191	@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display
		192	rmdir(xauthdir);
		193	}
		194
		195	+ /* Don't fall back to fake X11 data for untrusted forwarding */
		196	+ if (!trusted && !got_data) {
		197	+ error("Warning: untrusted X11 forwarding setup failed: "
		198	+ "xauth key data not generated");
		199	+ return -1;
		200	+ }
		201	+
		202	/*
		203	* If we didn't get authentication data, just make up some
		204	* data. The forwarding code will check the validity of the
		205	@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display
		206	rnd >>= 8;
		207	}
		208	}
		209	+
		210	+ return 0;
		211	}
		212
		213	/*
		214	Index: openssh-7.1p2/clientloop.h
		215	===================================================================
		216	--- openssh-7.1p2.orig/clientloop.h
		217	+++ openssh-7.1p2/clientloop.h
		218	@@ -1,4 +1,4 @@
		219	-/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
		220	+/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
		221
		222	/*
		223	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		224	@@ -39,7 +39,7 @@
		225
		226	/* Client side main loop for the interactive session. */
		227	int client_loop(int, int, int);
		228	-void client_x11_get_proto(const char , const char , u_int, u_int,
		229	+int client_x11_get_proto(const char , const char , u_int, u_int,
		230	char , char );
		231	void client_global_request_reply_fwd(int, u_int32_t, void *);
		232	void client_session2_setup(int, int, int, const char , struct termios ,
		233	Index: openssh-7.1p2/mux.c
		234	===================================================================
		235	--- openssh-7.1p2.orig/mux.c
		236	+++ openssh-7.1p2/mux.c
		237	@@ -1,4 +1,4 @@
		238	-/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
		239	+/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */
		240	/*
		241	* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
		242	*
		243	@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success,
		244	char proto, data;
		245
		246	/* Get reasonable local authentication information. */
		247	- client_x11_get_proto(display, options.xauth_location,
		248	+ if (client_x11_get_proto(display, options.xauth_location,
		249	options.forward_x11_trusted, options.forward_x11_timeout,
		250	- &proto, &data);
		251	- /* Request forwarding with authentication spoofing. */
		252	- debug("Requesting X11 forwarding with authentication "
		253	- "spoofing.");
		254	- x11_request_forwarding_with_spoofing(id, display, proto,
		255	- data, 1);
		256	- client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
		257	- /* XXX exit_on_forward_failure */
		258	+ &proto, &data) == 0) {
		259	+ /* Request forwarding with authentication spoofing. */
		260	+ debug("Requesting X11 forwarding with authentication "
		261	+ "spoofing.");
		262	+ x11_request_forwarding_with_spoofing(id, display, proto,
		263	+ data, 1);
		264	+ /* XXX exit_on_forward_failure */
		265	+ client_expect_confirm(id, "X11 forwarding",
		266	+ CONFIRM_WARN);
		267	+ }
		268	}
		269
		270	if (cctx->want_agent_fwd && options.forward_agent) {
		271	Index: openssh-7.1p2/ssh.c
		272	===================================================================
		273	--- openssh-7.1p2.orig/ssh.c
		274	+++ openssh-7.1p2/ssh.c
		275	@@ -1,4 +1,4 @@
		276	-/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */
		277	+/* $OpenBSD: ssh.c,v 1.433 2016/01/13 23:04:47 djm Exp $ */
		278	/*
		279	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		280	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		281	@@ -1604,6 +1604,7 @@ ssh_session(void)
		282	struct winsize ws;
		283	char *cp;
		284	const char *display;
		285	+ char proto = NULL, data = NULL;
		286
		287	/* Enable compression if requested. */
		288	if (options.compression) {
		289	@@ -1674,13 +1675,9 @@ ssh_session(void)
		290	display = getenv("DISPLAY");
		291	if (display == NULL && options.forward_x11)
		292	debug("X11 forwarding requested but DISPLAY not set");
		293	- if (options.forward_x11 && display != NULL) {
		294	- char proto, data;
		295	- /* Get reasonable local authentication information. */
		296	- client_x11_get_proto(display, options.xauth_location,
		297	- options.forward_x11_trusted,
		298	- options.forward_x11_timeout,
		299	- &proto, &data);
		300	+ if (options.forward_x11 && client_x11_get_proto(display,
		301	+ options.xauth_location, options.forward_x11_trusted,
		302	+ options.forward_x11_timeout, &proto, &data) == 0) {
		303	/* Request forwarding with authentication spoofing. */
		304	debug("Requesting X11 forwarding with authentication "
		305	"spoofing.");
		306	@@ -1770,6 +1767,7 @@ ssh_session2_setup(int id, int success,
		307	extern char **environ;
		308	const char *display;
		309	int interactive = tty_flag;
		310	+ char proto = NULL, data = NULL;
		311
		312	if (!success)
		313	return; /* No need for error message, channels code sens one */
		314	@@ -1777,12 +1775,9 @@ ssh_session2_setup(int id, int success,
		315	display = getenv("DISPLAY");
		316	if (display == NULL && options.forward_x11)
		317	debug("X11 forwarding requested but DISPLAY not set");
		318	- if (options.forward_x11 && display != NULL) {
		319	- char proto, data;
		320	- /* Get reasonable local authentication information. */
		321	- client_x11_get_proto(display, options.xauth_location,
		322	- options.forward_x11_trusted,
		323	- options.forward_x11_timeout, &proto, &data);
		324	+ if (options.forward_x11 && client_x11_get_proto(display,
		325	+ options.xauth_location, options.forward_x11_trusted,
		326	+ options.forward_x11_timeout, &proto, &data) == 0) {
		327	/* Request forwarding with authentication spoofing. */
		328	debug("Requesting X11 forwarding with authentication "
		329	"spoofing.");


diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch new file mode 100644 index 0000000000..f3d132e43d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch
@@ -0,0 +1,33 @@
		1	From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Sun, 8 Nov 2015 21:59:11 +0000
		4	Subject: [PATCH] upstream commit
		5
		6	fix OOB read in packet code caused by missing return
		7	statement found by Ben Hawkes; ok markus@ deraadt@
		8
		9	Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2016-1907
		13
		14	[YOCTO #8935]
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	packet.c \| 1 +
		20	1 file changed, 1 insertion(+)
		21
		22	Index: openssh-7.1p2/packet.c
		23	===================================================================
		24	--- openssh-7.1p2.orig/packet.c
		25	+++ openssh-7.1p2/packet.c
		26	@@ -1855,6 +1855,7 @@ ssh_packet_process_incoming(struct ssh *
		27	if (len >= state->packet_discard) {
		28	if ((r = ssh_packet_stop_discard(ssh)) != 0)
		29	return r;
		30	+ return SSH_ERR_CONN_CORRUPT;
		31	}
		32	state->packet_discard -= len;
		33	return 0;


diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb index ac824ee301..9c62d7894b 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -20,7 +20,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
20	file://sshdgenkeys.service \	20	file://sshdgenkeys.service \
21	file://volatiles.99_sshd \	21	file://volatiles.99_sshd \
22	file://add-test-support-for-busybox.patch \	22	file://add-test-support-for-busybox.patch \
23	file://run-ptest"	23	file://run-ptest \
		24	file://CVE-2016-1907_upstream_commit.patch \
		25	file://CVE-2016-1907_2.patch \
		26	file://CVE-2016-1907_3.patch "
24		27
25	PAM_SRC_URI = "file://sshd"	28	PAM_SRC_URI = "file://sshd"
26		29