openssh: fix CVE-2021-41617

(From OE-Core rev: b2c329641f91630ecbb225e8cd0cdcaf461d7ef6) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2021-10-28 14:27:00 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-03 11:19:04 +0000
commit: 941fc8d40ad1694c135f935e38d18707424e180b (patch)
tree: 1c67eb0bfee7248fe7004a291bc2db4e2dc98736 /meta
parent: 452df8f85f289d4e35d0559d810d8f067edb3431 (diff)
download: poky-941fc8d40ad1694c135f935e38d18707424e180b.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..9ca7c2f202
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,49 @@
+From 1f0707e8e78ef290fd0f229df3fcd2236f29db89 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 28 Oct 2021 11:11:05 +0800
+Subject: [PATCH] upstream: need initgroups() before setresgid(); reported by
+ anton@,
+ok deraadt@
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+CVE: CVE-2021-41617
+Upstream-Status: [Backport]
+https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
+https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/misc.c b/misc.c
+index d988ce3..33eca1c 100644
+--- a/misc.c
+++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
+#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command,
+                }
+                closefrom(STDERR_FILENO + 1);
+ 
+               if (geteuid() == 0 &&
+                   initgroups(pw->pw_name, pw->pw_gid) == -1) {
+                       error("%s: initgroups(%s, %u): %s", tag,
+                           pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+                       _exit(1);
+               }
+
+                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+                            strerror(errno));
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
index c6de519884..9a5f37bc39 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
           file://sshd_check_keys \
           file://add-test-support-for-busybox.patch \
+           file://CVE-2021-41617.patch \
           "
 SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25"
author	Changqing Li <changqing.li@windriver.com>	2021-10-28 14:27:00 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-03 11:19:04 +0000
commit	941fc8d40ad1694c135f935e38d18707424e180b (patch)
tree	1c67eb0bfee7248fe7004a291bc2db4e2dc98736 /meta
parent	452df8f85f289d4e35d0559d810d8f067edb3431 (diff)
download	poky-941fc8d40ad1694c135f935e38d18707424e180b.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch new file mode 100644 index 0000000000..9ca7c2f202 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,49 @@
		1	From 1f0707e8e78ef290fd0f229df3fcd2236f29db89 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Thu, 28 Oct 2021 11:11:05 +0800
		4	Subject: [PATCH] upstream: need initgroups() before setresgid(); reported by
		5	anton@,
		6
		7	ok deraadt@
		8
		9	OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
		10
		11	CVE: CVE-2021-41617
		12	Upstream-Status: [Backport]
		13	https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
		14	https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde
		15
		16	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		17	---
		18	misc.c \| 8 ++++++++
		19	1 file changed, 8 insertions(+)
		20
		21	diff --git a/misc.c b/misc.c
		22	index d988ce3..33eca1c 100644
		23	--- a/misc.c
		24	+++ b/misc.c
		25	@@ -56,6 +56,7 @@
		26	#ifdef HAVE_PATHS_H
		27	# include <paths.h>
		28	#include <pwd.h>
		29	+#include <grp.h>
		30	#endif
		31	#ifdef SSH_TUN_OPENBSD
		32	#include <net/if.h>
		33	@@ -2629,6 +2630,13 @@ subprocess(const char tag, const char command,
		34	}
		35	closefrom(STDERR_FILENO + 1);
		36
		37	+ if (geteuid() == 0 &&
		38	+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
		39	+ error("%s: initgroups(%s, %u): %s", tag,
		40	+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
		41	+ _exit(1);
		42	+ }
		43	+
		44	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
		45	error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
		46	strerror(errno));
		47	--
		48	2.17.1
		49


diff --git a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb index c6de519884..9a5f37bc39 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
24	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \	24	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
25	file://sshd_check_keys \	25	file://sshd_check_keys \
26	file://add-test-support-for-busybox.patch \	26	file://add-test-support-for-busybox.patch \
		27	file://CVE-2021-41617.patch \
27	"	28	"
28	SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25"	29	SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25"
29		30