-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch | 97 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 13 |
2 files changed, 109 insertions, 1 deletions
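--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+1 file changed, 38 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+/*
+* Copyright (c) 2000 Markus Friedl. All rights reserved.
+* Copyright (c) 2008 Damien Miller. All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+return 0;
+}
+
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++ char *ret, *cp;
++
++ ret = xstrdup(algs);
++ if ((cp = strchr(ret, ',')) != NULL)
++ *cp = '\0';
++ return ret;
++}
++
+static char *
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+{
+- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+size_t maxlen;
+- struct hostkeys *hostkeys;
++ struct hostkeys *hostkeys = NULL;
+int ktype;
+u_int i;
+
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+for (i = 0; i < options.num_system_hostfiles; i++)
+load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
++ /*
++ * If a plain public key exists that matches the type of the best
++ * preference HostkeyAlgorithms, then use the whole list as is.
++ * Note that we ignore whether the best preference algorithm is a
++ * certificate type, as sshconnect.c will downgrade certs to
++ * plain keys if necessary.
++ */
++ best = first_alg(options.hostkeyalgorithms);
++ if (lookup_key_in_hostkeys_by_type(hostkeys,
++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++ debug3("%s: have matching best-preference key type %s, "
++ "using HostkeyAlgorithms verbatim", __func__, best);
++ ret = xstrdup(options.hostkeyalgorithms);
++ goto out;
++ }
++
++ /*
++ * Otherwise, prefer the host key algorithms that match known keys
++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
++ */
+oavail = avail = xstrdup(options.hostkeyalgorithms);
+maxlen = strlen(avail) + 1;
+first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+if (*first != '\0')
+debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+
++ out:
++ free(best);
+free(first);
+free(last);
+free(hostname);
+--
+cgit v1.2.3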
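Review bot: The `goto out` added in the second sshconnect2.c hunk is taken after `hostkeys` has been initialised and the known-hosts files loaded, yet the `out:` block visible in the last hunk frees only `best`, `first`, `last` and `hostname`; `order_hostkeyalgs` continues past the hunk, so it is worth confirming that `free(oavail)` and `free_hostkeys(hostkeys)` follow the label rather than precede it, otherwise the new early-exit path leaks the loaded host keys. That path also depends on the `= NULL` initialisers added to the declarations a screen earlier to make `free(first)` and `free(last)` safe; a one-line comment at the label, `/* first/last/oavail are still NULL when arriving via the early exit above */`, would make the dependency explicit. `first_alg` hands its caller an xstrdup'd buffer, so its header comment should name the ownership: `/* Returns the first item from a comma-separated algorithm list; caller frees */`.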
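--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
 file://sshd_check_keys \
 file://add-test-support-for-busybox.patch \
+file://CVE-2020-14145.patch \
 "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
@@ -35,7 +36,17 @@ CVE_CHECK_WHITELIST += "CVE-2007-2768"
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
 
-# CVE only applies to some distributed RHEL binaries
+# As per upstream, because of the way scp is based on a historical protocol called rcp
+# which relies on that style of argument passing and therefore encounters expansion
+# problems. Making changes to how the scp command line works breaks the pattern used
+# by scp consumers. Upstream therefore recommends the use of rsync in the place of
+# scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
 CVE_CHECK_WHITELIST += "CVE-2008-3844"
 
 PAM_SRC_URI = "file://sshd"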
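Review bot: The CVE-2020-15778 whitelist entry in the second hunk records an accepted risk rather than a non-applicability, but its comment never says so: it explains why upstream will not change scp's argument handling and points to rsync, while the scp built by this recipe presumably still carries that behaviour. The CVE-2008-3844 entry directly below states `This CVE is not applicable`, so the contrast should be made explicit to keep the whitelist from being read as a fix, e.g. a closing line `# Unfixed upstream; whitelisted as an accepted risk, not as a fix.`. The opening sentence of that comment is also a fragment; `# Upstream will not fix this: scp is based on the historical rcp protocol, whose argument passing is subject to shell expansion problems.` would read more clearly.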