summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2014-05-13 15:46:27 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-13 19:32:06 +0100
commitf5180963845442587431bb7e4aa04a143ca743c4 (patch)
tree6db81fb459b3d7ee46d71e930f9ece148a94da11 /meta/recipes-connectivity
parentfbf63c30c89b39e0b021af6708c53a24f43fe786 (diff)
downloadpoky-f5180963845442587431bb7e4aa04a143ca743c4.tar.gz
openssh: fix for CVE-2014-2653
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. (From OE-Core rev: 7b2fff61b3d1c0566429793ee348fa8978ef0cba) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch114
-rw-r--r--meta/recipes-connectivity/openssh/openssh_6.5p1.bb3
2 files changed, 116 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
new file mode 100644
index 0000000000..674d186044
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
@@ -0,0 +1,114 @@
1Upstream-Status: Backport
2
3This CVE could be removed if openssh is upgrade to 6.6 or higher.
4Below are some details.
5
6Attempt SSHFP lookup even if server presents a certificate
7
8Reference:
9https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
10
11If an ssh server presents a certificate to the client, then the client
12does not check the DNS for SSHFP records. This means that a malicious
13server can essentially disable DNS-host-key-checking, which means the
14client will fall back to asking the user (who will just say "yes" to
15the fingerprint, sadly).
16
17This patch means that the ssh client will, if necessary, extract the
18server key from the proffered certificate, and attempt to verify it
19against the DNS. The patch was written by Mark Wooding
20<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
21it, and tested it.
22
23Signed-off-by: Matthew Vernon <matthew@debian.org>
24Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
25---
26--- a/sshconnect.c
27+++ b/sshconnect.c
28@@ -1210,36 +1210,63 @@ fail:
29 return -1;
30 }
31
32+static int
33+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
34+{
35+ int rc = -1;
36+ int flags = 0;
37+ Key *raw_key = NULL;
38+
39+ if (!options.verify_host_key_dns)
40+ goto done;
41+
42+ /* XXX certs are not yet supported for DNS; try looking the raw key
43+ * up in the DNS anyway.
44+ */
45+ if (key_is_cert(host_key)) {
46+ debug2("Extracting key from cert for SSHFP lookup");
47+ raw_key = key_from_private(host_key);
48+ if (key_drop_cert(raw_key))
49+ fatal("Couldn't drop certificate");
50+ host_key = raw_key;
51+ }
52+
53+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
54+ goto done;
55+
56+ if (flags & DNS_VERIFY_FOUND) {
57+
58+ if (options.verify_host_key_dns == 1 &&
59+ flags & DNS_VERIFY_MATCH &&
60+ flags & DNS_VERIFY_SECURE) {
61+ rc = 0;
62+ } else if (flags & DNS_VERIFY_MATCH) {
63+ matching_host_key_dns = 1;
64+ } else {
65+ warn_changed_key(host_key);
66+ error("Update the SSHFP RR in DNS with the new "
67+ "host key to get rid of this message.");
68+ }
69+ }
70+
71+done:
72+ if (raw_key)
73+ key_free(raw_key);
74+ return rc;
75+}
76+
77 /* returns 0 if key verifies or -1 if key does NOT verify */
78 int
79 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
80 {
81- int flags = 0;
82 char *fp;
83
84 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
85 debug("Server host key: %s %s", key_type(host_key), fp);
86 free(fp);
87
88- /* XXX certs are not yet supported for DNS */
89- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
90- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
91- if (flags & DNS_VERIFY_FOUND) {
92-
93- if (options.verify_host_key_dns == 1 &&
94- flags & DNS_VERIFY_MATCH &&
95- flags & DNS_VERIFY_SECURE)
96- return 0;
97-
98- if (flags & DNS_VERIFY_MATCH) {
99- matching_host_key_dns = 1;
100- } else {
101- warn_changed_key(host_key);
102- error("Update the SSHFP RR in DNS with the new "
103- "host key to get rid of this message.");
104- }
105- }
106- }
107+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
108+ return 0;
109
110 return check_host_key(host, hostaddr, options.port, host_key, RDRW,
111 options.user_hostfiles, options.num_user_hostfiles,
112--
1131.7.9.5
114
diff --git a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
index 230f38ab31..795e085202 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
@@ -30,7 +30,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
30 file://volatiles.99_sshd \ 30 file://volatiles.99_sshd \
31 file://add-test-support-for-busybox.patch \ 31 file://add-test-support-for-busybox.patch \
32 file://run-ptest \ 32 file://run-ptest \
33 file://openssh-CVE-2014-2532.patch" 33 file://openssh-CVE-2014-2532.patch \
34 file://openssh-CVE-2014-2653.patch"
34 35
35PAM_SRC_URI = "file://sshd" 36PAM_SRC_URI = "file://sshd"
36 37