openssh: Add fixes for CVEs reported for openssh

Applied patch for CVE-2020-14145 Link: https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d Also, whitelisted below CVEs: 1.CVE-2020-15778: As per upstream, because of the way scp is based on a historical protocol called rcp which relies on that style of argument passing and therefore encounters expansion problems. Making changes to how the scp command line works breaks the pattern used by scp consumers. Upstream therefore recommends the use of rsync in the place of scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487 2.CVE-2008-3844: It was reported in OpenSSH on Red Hat Enterprise Linux and certain packages may have been compromised. This CVE is not applicable as our source is OpenBSD. Links: https://securitytracker.com/id?1020730 https://www.securityfocus.com/bid/30794 Also, for CVE-2007-2768 no fix is available yet as it's unavoidable drawback of using one time passwords as per https://bugzilla.suse.com/show_bug.cgi?id=CVE-2007-2768 Also it is marked as unimportant on debian https://security-tracker.debian.org/tracker/CVE-2007-2768 Mailed to CPE to update database for CVE-2020-15778, CVE-2008-3844 and CVE-2007-2768. We can upstream CVE-2020-14145 till we recieve response from CPE. (From OE-Core rev: 302a6828b380ba20bb244f11f22a5bc273f0e5e7) Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sana Kazi <Sana.Kazi@kpit.com> 2021-05-28 18:24:15 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-06-03 16:30:55 +0100
commit: f5882b194b58b6bbb06db511a2c3612f5d6430fd (patch)
tree: 9c72118c60d01f5c3a51f2a8b03861521868e00a /meta
parent: a59a11eb566abea85cb0527291b079de6f20bb59 (diff)
download: poky-f5882b194b58b6bbb06db511a2c3612f5d6430fd.tar.gz
2 files changed, 109 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 0000000000..3adb981fb4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+feedback and ok markus@
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2008 Damien Miller.  All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+        return 0;
+ }
+ 
+/* Returns the first item from a comma-separated algorithm list */
+static char *
+first_alg(const char *algs)
+{
+       char *ret, *cp;
+
+       ret = xstrdup(algs);
+       if ((cp = strchr(ret, ',')) != NULL)
+               *cp = '\0';
+       return ret;
+}
+
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+-       char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+       char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
+       char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+        size_t maxlen;
+-       struct hostkeys *hostkeys;
+       struct hostkeys *hostkeys = NULL;
+        int ktype;
+        u_int i;
+ 
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        for (i = 0; i < options.num_system_hostfiles; i++)
+                load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
+       /*
+        * If a plain public key exists that matches the type of the best
+        * preference HostkeyAlgorithms, then use the whole list as is.
+        * Note that we ignore whether the best preference algorithm is a
+        * certificate type, as sshconnect.c will downgrade certs to
+        * plain keys if necessary.
+        */
+       best = first_alg(options.hostkeyalgorithms);
+       if (lookup_key_in_hostkeys_by_type(hostkeys,
+           sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
+               debug3("%s: have matching best-preference key type %s, "
+                   "using HostkeyAlgorithms verbatim", __func__, best);
+               ret = xstrdup(options.hostkeyalgorithms);
+               goto out;
+       }
+
+       /*
+        * Otherwise, prefer the host key algorithms that match known keys
+        * while keeping the ordering of HostkeyAlgorithms as much as possible.
+        */
+        oavail = avail = xstrdup(options.hostkeyalgorithms);
+        maxlen = strlen(avail) + 1;
+        first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        if (*first != '\0')
+                debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ 
+ out:
+       free(best);
+        free(first);
+        free(last);
+        free(hostname);
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index 6ed54a8139..64a0a72a8f 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
           file://sshd_check_keys \
           file://add-test-support-for-busybox.patch \
+           file://CVE-2020-14145.patch \
           "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
@@ -35,7 +36,17 @@ CVE_CHECK_WHITELIST += "CVE-2007-2768"
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
-# CVE only applies to some distributed RHEL binaries
+# As per upstream, because of the way scp is based on a historical protocol called rcp
+# which relies on that style of argument passing and therefore encounters expansion
+# problems. Making changes to how the scp command line works breaks the pattern used
+# by scp consumers. Upstream therefore recommends the use of rsync in the place of
+# scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
 CVE_CHECK_WHITELIST += "CVE-2008-3844"
 PAM_SRC_URI = "file://sshd"
author	Sana Kazi <Sana.Kazi@kpit.com>	2021-05-28 18:24:15 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-06-03 16:30:55 +0100
commit	f5882b194b58b6bbb06db511a2c3612f5d6430fd (patch)
tree	9c72118c60d01f5c3a51f2a8b03861521868e00a /meta
parent	a59a11eb566abea85cb0527291b079de6f20bb59 (diff)
download	poky-f5882b194b58b6bbb06db511a2c3612f5d6430fd.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode 100644 index 0000000000..3adb981fb4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
		1	From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Fri, 18 Sep 2020 05:23:03 +0000
		4	Subject: upstream: tweak the client hostkey preference ordering algorithm to
		5
		6	prefer the default ordering if the user has a key that matches the
		7	best-preference default algorithm.
		8
		9	feedback and ok markus@
		10
		11	OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
		12
		13	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
		14	---
		15	sshconnect2.c \| 41 ++++++++++++++++++++++++++++++++++++++---
		16	1 file changed, 38 insertions(+), 3 deletions(-)
		17
		18	CVE: CVE-2020-14145
		19	Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
		20	Comment: Refreshed first hunk
		21
		22	diff --git a/sshconnect2.c b/sshconnect2.c
		23	index 347e348c..f64aae66 100644
		24	--- a/sshconnect2.c
		25	+++ b/sshconnect2.c
		26	@@ -1,4 +1,4 @@
		27	-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
		28	+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
		29	/*
		30	* Copyright (c) 2000 Markus Friedl. All rights reserved.
		31	* Copyright (c) 2008 Damien Miller. All rights reserved.
		32	@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey hostkey, struct ssh ssh)
		33	return 0;
		34	}
		35
		36	+/* Returns the first item from a comma-separated algorithm list */
		37	+static char *
		38	+first_alg(const char *algs)
		39	+{
		40	+ char ret, cp;
		41	+
		42	+ ret = xstrdup(algs);
		43	+ if ((cp = strchr(ret, ',')) != NULL)
		44	+ *cp = '\0';
		45	+ return ret;
		46	+}
		47	+
		48	static char *
		49	order_hostkeyalgs(char host, struct sockaddr hostaddr, u_short port)
		50	{
		51	- char oavail, avail, first, last, alg, hostname, *ret;
		52	+ char oavail = NULL, avail = NULL, first = NULL, last = NULL;
		53	+ char alg = NULL, hostname = NULL, ret = NULL, best = NULL;
		54	size_t maxlen;
		55	- struct hostkeys *hostkeys;
		56	+ struct hostkeys *hostkeys = NULL;
		57	int ktype;
		58	u_int i;
		59
		60	@@ -119,6 +132,26 @@ order_hostkeyalgs(char host, struct sockaddr hostaddr, u_short port)
		61	for (i = 0; i < options.num_system_hostfiles; i++)
		62	load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
		63
		64	+ /*
		65	+ * If a plain public key exists that matches the type of the best
		66	+ * preference HostkeyAlgorithms, then use the whole list as is.
		67	+ * Note that we ignore whether the best preference algorithm is a
		68	+ * certificate type, as sshconnect.c will downgrade certs to
		69	+ * plain keys if necessary.
		70	+ */
		71	+ best = first_alg(options.hostkeyalgorithms);
		72	+ if (lookup_key_in_hostkeys_by_type(hostkeys,
		73	+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
		74	+ debug3("%s: have matching best-preference key type %s, "
		75	+ "using HostkeyAlgorithms verbatim", __func__, best);
		76	+ ret = xstrdup(options.hostkeyalgorithms);
		77	+ goto out;
		78	+ }
		79	+
		80	+ /*
		81	+ * Otherwise, prefer the host key algorithms that match known keys
		82	+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
		83	+ */
		84	oavail = avail = xstrdup(options.hostkeyalgorithms);
		85	maxlen = strlen(avail) + 1;
		86	first = xmalloc(maxlen);
		87	@@ -159,6 +192,8 @@ order_hostkeyalgs(char host, struct sockaddr hostaddr, u_short port)
		88	if (*first != '\0')
		89	debug3("%s: prefer hostkeyalgs: %s", __func__, first);
		90
		91	+ out:
		92	+ free(best);
		93	free(first);
		94	free(last);
		95	free(hostname);
		96	--
		97	cgit v1.2.3


diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index 6ed54a8139..64a0a72a8f 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
24	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \	24	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
25	file://sshd_check_keys \	25	file://sshd_check_keys \
26	file://add-test-support-for-busybox.patch \	26	file://add-test-support-for-busybox.patch \
		27	file://CVE-2020-14145.patch \
27	"	28	"
28	SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"	29	SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
29	SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"	30	SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
@@ -35,7 +36,17 @@ CVE_CHECK_WHITELIST += "CVE-2007-2768"
35	# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded	36	# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
36	CVE_CHECK_WHITELIST += "CVE-2014-9278"	37	CVE_CHECK_WHITELIST += "CVE-2014-9278"
37		38
38	# CVE only applies to some distributed RHEL binaries	39	# As per upstream, because of the way scp is based on a historical protocol called rcp
		40	# which relies on that style of argument passing and therefore encounters expansion
		41	# problems. Making changes to how the scp command line works breaks the pattern used
		42	# by scp consumers. Upstream therefore recommends the use of rsync in the place of
		43	# scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
		44	CVE_CHECK_WHITELIST += "CVE-2020-15778"
		45
		46	# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
		47	# certain packages may have been compromised. This CVE is not applicable
		48	# as our source is OpenBSD. https://securitytracker.com/id?1020730
		49	# https://www.securityfocus.com/bid/30794
39	CVE_CHECK_WHITELIST += "CVE-2008-3844"	50	CVE_CHECK_WHITELIST += "CVE-2008-3844"
40		51
41	PAM_SRC_URI = "file://sshd"	52	PAM_SRC_URI = "file://sshd"