diff options
| author | Jussi Kukkonen <jussi.kukkonen@intel.com> | 2016-08-22 15:23:15 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-08-23 17:44:42 +0100 |
| commit | 5a3947cce1289c72313364f803751e8db30430be (patch) | |
| tree | d875be7f4956144c8e25eddacdbb1218820c60f5 /meta | |
| parent | 2b7541d375c7df11cdf617cf8a3888123e55e8c1 (diff) | |
| download | poky-5a3947cce1289c72313364f803751e8db30430be.tar.gz | |
openssh: Upgrade 7.2p2 -> 7.3p1
Remove CVE-2015-8325.patch as it's included upstream. Rebase another
patch.
(From OE-Core rev: 4b695379dcf378e8d77deaf7e558e8cbd314683c)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch | 39 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch | 30 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh_7.3p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_7.2p2.bb) | 5 |
3 files changed, 18 insertions, 56 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch deleted file mode 100644 index 226389718d..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch +++ /dev/null | |||
| @@ -1,39 +0,0 @@ | |||
| 1 | From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Damien Miller <djm@mindrot.org> | ||
| 3 | Date: Wed, 13 Apr 2016 10:39:57 +1000 | ||
| 4 | Subject: ignore PAM environment vars when UseLogin=yes | ||
| 5 | |||
| 6 | If PAM is configured to read user-specified environment variables | ||
| 7 | and UseLogin=yes in sshd_config, then a hostile local user may | ||
| 8 | attack /bin/login via LD_PRELOAD or similar environment variables | ||
| 9 | set via PAM. | ||
| 10 | |||
| 11 | CVE-2015-8325, found by Shayan Sadigh, via Colin Watson | ||
| 12 | |||
| 13 | |||
| 14 | |||
| 15 | https://anongit.mindrot.org/openssh.git/commit/session.c?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 | ||
| 16 | |||
| 17 | CVE: CVE-2015-8325 | ||
| 18 | Upstream-Status: Backport | ||
| 19 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> | ||
| 20 | --- | ||
| 21 | session.c | 2 +- | ||
| 22 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 23 | |||
| 24 | diff --git a/session.c b/session.c | ||
| 25 | index 4859245..4653b09 100644 | ||
| 26 | --- a/session.c | ||
| 27 | +++ b/session.c | ||
| 28 | @@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell) | ||
| 29 | * Pull in any environment variables that may have | ||
| 30 | * been set by PAM. | ||
| 31 | */ | ||
| 32 | - if (options.use_pam) { | ||
| 33 | + if (options.use_pam && !options.use_login) { | ||
| 34 | char **p; | ||
| 35 | |||
| 36 | p = fetch_pam_child_environment(); | ||
| 37 | -- | ||
| 38 | cgit v0.11.2 | ||
| 39 | |||
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch index 2e59589479..2773c14e5a 100644 --- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch | |||
| @@ -1,18 +1,18 @@ | |||
| 1 | From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001 | 1 | From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001 |
| 2 | From: Haiqing Bai <Haiqing.Bai@windriver.com> | 2 | From: Haiqing Bai <Haiqing.Bai@windriver.com> |
| 3 | Date: Fri, 18 Mar 2016 15:49:31 +0800 | 3 | Date: Mon, 22 Aug 2016 14:11:16 +0300 |
| 4 | Subject: [PATCH 2/3] remove des in cipher. | 4 | Subject: [PATCH] Remove des in cipher. |
| 5 | 5 | ||
| 6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
| 7 | 7 | ||
| 8 | Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> | 8 | Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> |
| 9 | 9 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> | |
| 10 | --- | 10 | --- |
| 11 | cipher.c | 18 ++++++++++++++++++ | 11 | cipher.c | 18 ++++++++++++++++++ |
| 12 | 1 file changed, 18 insertions(+) | 12 | 1 file changed, 18 insertions(+) |
| 13 | 13 | ||
| 14 | diff --git a/cipher.c b/cipher.c | 14 | diff --git a/cipher.c b/cipher.c |
| 15 | index 02dae6f..63d3c29 100644 | 15 | index 031bda9..6cd667a 100644 |
| 16 | --- a/cipher.c | 16 | --- a/cipher.c |
| 17 | +++ b/cipher.c | 17 | +++ b/cipher.c |
| 18 | @@ -53,8 +53,10 @@ | 18 | @@ -53,8 +53,10 @@ |
| @@ -26,7 +26,7 @@ index 02dae6f..63d3c29 100644 | |||
| 26 | #endif | 26 | #endif |
| 27 | 27 | ||
| 28 | struct sshcipher { | 28 | struct sshcipher { |
| 29 | @@ -79,13 +81,17 @@ struct sshcipher { | 29 | @@ -79,15 +81,19 @@ struct sshcipher { |
| 30 | 30 | ||
| 31 | static const struct sshcipher ciphers[] = { | 31 | static const struct sshcipher ciphers[] = { |
| 32 | #ifdef WITH_SSH1 | 32 | #ifdef WITH_SSH1 |
| @@ -34,17 +34,19 @@ index 02dae6f..63d3c29 100644 | |||
| 34 | { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, | 34 | { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, |
| 35 | { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, | 35 | { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, |
| 36 | +#endif /* OPENSSL_NO_DES */ | 36 | +#endif /* OPENSSL_NO_DES */ |
| 37 | # ifndef OPENSSL_NO_BF | ||
| 37 | { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, | 38 | { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, |
| 39 | # endif /* OPENSSL_NO_BF */ | ||
| 38 | #endif /* WITH_SSH1 */ | 40 | #endif /* WITH_SSH1 */ |
| 39 | #ifdef WITH_OPENSSL | 41 | #ifdef WITH_OPENSSL |
| 40 | { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, | 42 | { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, |
| 41 | +#ifndef OPENSSL_NO_DES | 43 | +#ifndef OPENSSL_NO_DES |
| 42 | { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, | 44 | { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, |
| 43 | +#endif /* OPENSSL_NO_DES */ | 45 | +#endif /* OPENSSL_NO_DES */ |
| 46 | # ifndef OPENSSL_NO_BF | ||
| 44 | { "blowfish-cbc", | 47 | { "blowfish-cbc", |
| 45 | SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, | 48 | SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, |
| 46 | { "cast128-cbc", | 49 | @@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c) |
| 47 | @@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c) | ||
| 48 | u_int | 50 | u_int |
| 49 | cipher_seclen(const struct sshcipher *c) | 51 | cipher_seclen(const struct sshcipher *c) |
| 50 | { | 52 | { |
| @@ -55,7 +57,7 @@ index 02dae6f..63d3c29 100644 | |||
| 55 | return cipher_keylen(c); | 57 | return cipher_keylen(c); |
| 56 | } | 58 | } |
| 57 | 59 | ||
| 58 | @@ -201,11 +209,13 @@ u_int | 60 | @@ -209,11 +217,13 @@ u_int |
| 59 | cipher_mask_ssh1(int client) | 61 | cipher_mask_ssh1(int client) |
| 60 | { | 62 | { |
| 61 | u_int mask = 0; | 63 | u_int mask = 0; |
| @@ -69,7 +71,7 @@ index 02dae6f..63d3c29 100644 | |||
| 69 | return mask; | 71 | return mask; |
| 70 | } | 72 | } |
| 71 | 73 | ||
| 72 | @@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) | 74 | @@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) |
| 73 | switch (c->number) { | 75 | switch (c->number) { |
| 74 | #ifdef WITH_OPENSSL | 76 | #ifdef WITH_OPENSSL |
| 75 | case SSH_CIPHER_SSH2: | 77 | case SSH_CIPHER_SSH2: |
| @@ -79,7 +81,7 @@ index 02dae6f..63d3c29 100644 | |||
| 79 | case SSH_CIPHER_BLOWFISH: | 81 | case SSH_CIPHER_BLOWFISH: |
| 80 | evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); | 82 | evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); |
| 81 | if (evplen == 0) | 83 | if (evplen == 0) |
| 82 | @@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) | 84 | @@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) |
| 83 | break; | 85 | break; |
| 84 | #endif | 86 | #endif |
| 85 | #ifdef WITH_SSH1 | 87 | #ifdef WITH_SSH1 |
| @@ -90,7 +92,7 @@ index 02dae6f..63d3c29 100644 | |||
| 90 | #endif | 92 | #endif |
| 91 | default: | 93 | default: |
| 92 | return SSH_ERR_INVALID_ARGUMENT; | 94 | return SSH_ERR_INVALID_ARGUMENT; |
| 93 | @@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) | 95 | @@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) |
| 94 | switch (c->number) { | 96 | switch (c->number) { |
| 95 | #ifdef WITH_OPENSSL | 97 | #ifdef WITH_OPENSSL |
| 96 | case SSH_CIPHER_SSH2: | 98 | case SSH_CIPHER_SSH2: |
| @@ -100,7 +102,7 @@ index 02dae6f..63d3c29 100644 | |||
| 100 | case SSH_CIPHER_BLOWFISH: | 102 | case SSH_CIPHER_BLOWFISH: |
| 101 | evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); | 103 | evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); |
| 102 | if (evplen <= 0) | 104 | if (evplen <= 0) |
| 103 | @@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) | 105 | @@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) |
| 104 | break; | 106 | break; |
| 105 | #endif | 107 | #endif |
| 106 | #ifdef WITH_SSH1 | 108 | #ifdef WITH_SSH1 |
| @@ -112,5 +114,5 @@ index 02dae6f..63d3c29 100644 | |||
| 112 | default: | 114 | default: |
| 113 | return SSH_ERR_INVALID_ARGUMENT; | 115 | return SSH_ERR_INVALID_ARGUMENT; |
| 114 | -- | 116 | -- |
| 115 | 1.9.1 | 117 | 2.1.4 |
| 116 | 118 | ||
diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb index 3df825b777..b31972649d 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb | |||
| @@ -22,15 +22,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar | |||
| 22 | file://volatiles.99_sshd \ | 22 | file://volatiles.99_sshd \ |
| 23 | file://add-test-support-for-busybox.patch \ | 23 | file://add-test-support-for-busybox.patch \ |
| 24 | file://run-ptest \ | 24 | file://run-ptest \ |
| 25 | file://CVE-2015-8325.patch \ | ||
| 26 | file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ | 25 | file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ |
| 27 | file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ | 26 | file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ |
| 28 | " | 27 | " |
| 29 | 28 | ||
| 30 | PAM_SRC_URI = "file://sshd" | 29 | PAM_SRC_URI = "file://sshd" |
| 31 | 30 | ||
| 32 | SRC_URI[md5sum] = "13009a9156510d8f27e752659075cced" | 31 | SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08" |
| 33 | SRC_URI[sha256sum] = "a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c" | 32 | SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc" |
| 34 | 33 | ||
| 35 | inherit useradd update-rc.d update-alternatives systemd | 34 | inherit useradd update-rc.d update-alternatives systemd |
| 36 | 35 | ||