openssh: Fix CVE-2021-41617

Add patch to fix CVE-2021-41617 Link: https://bugzilla.suse.com/attachment.cgi?id=854015 (From OE-Core rev: a4e272700e18ca7e86e24ce4e24031ce7745c87b) Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: sana kazi <sanakazisk19@gmail.com> 2021-12-17 12:25:30 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-12-30 16:59:16 +0000
commit: f4a6761f471fd56a1bc1927c4bc0115aefac0d58 (patch)
tree: 69dd20c26f26b90d76765182ded5e44b5e193cab /meta
parent: 30231b235487973f4e6b1921b428d938ec20bec8 (diff)
download: poky-f4a6761f471fd56a1bc1927c4bc0115aefac0d58.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..bda896f581
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+backport of the following two upstream commits
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
+++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
+#include <grp.h>
+ 
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+                }
+                closefrom(STDERR_FILENO + 1);
+ 
+               if (geteuid() == 0 &&
+                   initgroups(pw->pw_name, pw->pw_gid) == -1) {
+                       error("%s: initgroups(%s, %u): %s", tag,
+                           pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+                       _exit(1);
+               }
+
+                /* Don't use permanently_set_uid() here to avoid fatal() */
+                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+-- 
+2.26.2
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index b60d1a6bd4..e903ec487d 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://add-test-support-for-busybox.patch \
           file://CVE-2020-14145.patch \
           file://CVE-2021-28041.patch \
+           file://CVE-2021-41617.patch \
           "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
author	sana kazi <sanakazisk19@gmail.com>	2021-12-17 12:25:30 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-12-30 16:59:16 +0000
commit	f4a6761f471fd56a1bc1927c4bc0115aefac0d58 (patch)
tree	69dd20c26f26b90d76765182ded5e44b5e193cab /meta
parent	30231b235487973f4e6b1921b428d938ec20bec8 (diff)
download	poky-f4a6761f471fd56a1bc1927c4bc0115aefac0d58.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch new file mode 100644 index 0000000000..bda896f581 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
		1	From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
		2	From: Ali Abdallah <aabdallah@suse.de>
		3	Date: Wed, 24 Nov 2021 13:33:39 +0100
		4	Subject: [PATCH] CVE-2021-41617 fix
		5
		6	backport of the following two upstream commits
		7
		8	f3cbe43e28fe71427d41cfe3a17125b972710455
		9	bf944e3794eff5413f2df1ef37cddf96918c6bde
		10
		11	CVE-2021-41617 failed to correctly initialise supplemental groups
		12	when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
		13	where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
		14	directive has been set to run the command as a different user. Instead
		15	these commands would inherit the groups that sshd(8) was started with.
		16	---
		17	auth.c \| 8 ++++++++
		18	1 file changed, 8 insertions(+)
		19
		20	CVE: CVE-2021-41617
		21	Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
		22	Comment: No change in any hunk
		23	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
		24
		25	diff --git a/auth.c b/auth.c
		26	index 163038f..a47b267 100644
		27	--- a/auth.c
		28	+++ b/auth.c
		29	@@ -52,6 +52,7 @@
		30	#include <limits.h>
		31	#include <netdb.h>
		32	#include <time.h>
		33	+#include <grp.h>
		34
		35	#include "xmalloc.h"
		36	#include "match.h"
		37	@@ -851,6 +852,13 @@ subprocess(const char tag, struct passwd pw, const char *command,
		38	}
		39	closefrom(STDERR_FILENO + 1);
		40
		41	+ if (geteuid() == 0 &&
		42	+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
		43	+ error("%s: initgroups(%s, %u): %s", tag,
		44	+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
		45	+ _exit(1);
		46	+ }
		47	+
		48	/* Don't use permanently_set_uid() here to avoid fatal() */
		49	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
		50	error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
		51	--
		52	2.26.2


diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index b60d1a6bd4..e903ec487d 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
26	file://add-test-support-for-busybox.patch \	26	file://add-test-support-for-busybox.patch \
27	file://CVE-2020-14145.patch \	27	file://CVE-2020-14145.patch \
28	file://CVE-2021-28041.patch \	28	file://CVE-2021-28041.patch \
		29	file://CVE-2021-41617.patch \
29	"	30	"
30	SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"	31	SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
31	SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"	32	SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"