-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch39
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch30
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.3p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_7.2p2.bb)5
3 files changed, 18 insertions, 56 deletions
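--- a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 13 Apr 2016 10:39:57 +1000
-Subject: ignore PAM environment vars when UseLogin=yes
-
-If PAM is configured to read user-specified environment variables
-and UseLogin=yes in sshd_config, then a hostile local user may
-attack /bin/login via LD_PRELOAD or similar environment variables
-set via PAM.
-
-CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
-
-
-
-https://anongit.mindrot.org/openssh.git/commit/session.c?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
-
-CVE: CVE-2015-8325
-Upstream-Status: Backport
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
----
- session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/session.c b/session.c
-index 4859245..4653b09 100644
---- a/session.c
-+++ b/session.c
-@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
- * Pull in any environment variables that may have
- * been set by PAM.
- */
-- if (options.use_pam) {
-+ if (options.use_pam && !options.use_login) {
- char **p;
-
- p = fetch_pam_child_environment();
---
-cgit v0.11.2
-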
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
index 2e59589479..2773c14e5a 100644
--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -1,18 +1,18 @@
1From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001 1From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001
2From: Haiqing Bai <Haiqing.Bai@windriver.com> 2From: Haiqing Bai <Haiqing.Bai@windriver.com>
3Date: Fri, 18 Mar 2016 15:49:31 +0800 3Date: Mon, 22 Aug 2016 14:11:16 +0300
4Subject: [PATCH 2/3] remove des in cipher. 4Subject: [PATCH] Remove des in cipher.
5 5
6Upstream-Status: Pending 6Upstream-Status: Pending
7 7
8Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> 8Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
9 9Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
10--- 10---
11 cipher.c | 18 ++++++++++++++++++ 11 cipher.c | 18 ++++++++++++++++++
12 1 file changed, 18 insertions(+) 12 1 file changed, 18 insertions(+)
13 13
14diff --git a/cipher.c b/cipher.c 14diff --git a/cipher.c b/cipher.c
15index 02dae6f..63d3c29 100644 15index 031bda9..6cd667a 100644
16--- a/cipher.c 16--- a/cipher.c
17+++ b/cipher.c 17+++ b/cipher.c
18@@ -53,8 +53,10 @@ 18@@ -53,8 +53,10 @@
@@ -26,7 +26,7 @@ index 02dae6f..63d3c29 100644
26 #endif 26 #endif
27 27
28 struct sshcipher { 28 struct sshcipher {
29@@ -79,13 +81,17 @@ struct sshcipher { 29@@ -79,15 +81,19 @@ struct sshcipher {
30 30
31 static const struct sshcipher ciphers[] = { 31 static const struct sshcipher ciphers[] = {
32 #ifdef WITH_SSH1 32 #ifdef WITH_SSH1
@@ -34,17 +34,19 @@ index 02dae6f..63d3c29 100644
34 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, 34 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
35 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, 35 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
36+#endif /* OPENSSL_NO_DES */ 36+#endif /* OPENSSL_NO_DES */
37 # ifndef OPENSSL_NO_BF
37 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, 38 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
39 # endif /* OPENSSL_NO_BF */
38 #endif /* WITH_SSH1 */ 40 #endif /* WITH_SSH1 */
39 #ifdef WITH_OPENSSL 41 #ifdef WITH_OPENSSL
40 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, 42 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
41+#ifndef OPENSSL_NO_DES 43+#ifndef OPENSSL_NO_DES
42 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, 44 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
43+#endif /* OPENSSL_NO_DES */ 45+#endif /* OPENSSL_NO_DES */
46 # ifndef OPENSSL_NO_BF
44 { "blowfish-cbc", 47 { "blowfish-cbc",
45 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, 48 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
46 { "cast128-cbc", 49@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c)
47@@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c)
48 u_int 50 u_int
49 cipher_seclen(const struct sshcipher *c) 51 cipher_seclen(const struct sshcipher *c)
50 { 52 {
@@ -55,7 +57,7 @@ index 02dae6f..63d3c29 100644
55 return cipher_keylen(c); 57 return cipher_keylen(c);
56 } 58 }
57 59
58@@ -201,11 +209,13 @@ u_int 60@@ -209,11 +217,13 @@ u_int
59 cipher_mask_ssh1(int client) 61 cipher_mask_ssh1(int client)
60 { 62 {
61 u_int mask = 0; 63 u_int mask = 0;
@@ -69,7 +71,7 @@ index 02dae6f..63d3c29 100644
69 return mask; 71 return mask;
70 } 72 }
71 73
72@@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) 74@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
73 switch (c->number) { 75 switch (c->number) {
74 #ifdef WITH_OPENSSL 76 #ifdef WITH_OPENSSL
75 case SSH_CIPHER_SSH2: 77 case SSH_CIPHER_SSH2:
@@ -79,7 +81,7 @@ index 02dae6f..63d3c29 100644
79 case SSH_CIPHER_BLOWFISH: 81 case SSH_CIPHER_BLOWFISH:
80 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 82 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
81 if (evplen == 0) 83 if (evplen == 0)
82@@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) 84@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
83 break; 85 break;
84 #endif 86 #endif
85 #ifdef WITH_SSH1 87 #ifdef WITH_SSH1
@@ -90,7 +92,7 @@ index 02dae6f..63d3c29 100644
90 #endif 92 #endif
91 default: 93 default:
92 return SSH_ERR_INVALID_ARGUMENT; 94 return SSH_ERR_INVALID_ARGUMENT;
93@@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) 95@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
94 switch (c->number) { 96 switch (c->number) {
95 #ifdef WITH_OPENSSL 97 #ifdef WITH_OPENSSL
96 case SSH_CIPHER_SSH2: 98 case SSH_CIPHER_SSH2:
@@ -100,7 +102,7 @@ index 02dae6f..63d3c29 100644
100 case SSH_CIPHER_BLOWFISH: 102 case SSH_CIPHER_BLOWFISH:
101 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 103 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
102 if (evplen <= 0) 104 if (evplen <= 0)
103@@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) 105@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
104 break; 106 break;
105 #endif 107 #endif
106 #ifdef WITH_SSH1 108 #ifdef WITH_SSH1
@@ -112,5 +114,5 @@ index 02dae6f..63d3c29 100644
112 default: 114 default:
113 return SSH_ERR_INVALID_ARGUMENT; 115 return SSH_ERR_INVALID_ARGUMENT;
114-- 116--
1151.9.1 1172.1.4
116 118
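Review bot: The DES guards this patch adds in the `@@ -34,17 +34,19 @@` hunk are written as flat `#ifndef OPENSSL_NO_DES` / `#endif /* OPENSSL_NO_DES */` directives, while the 7.3p1 context the patch is now rebased onto appears to nest the equivalent blowfish guards as `# ifndef OPENSSL_NO_BF` / `# endif /* OPENSSL_NO_BF */` inside the `WITH_SSH1` and `WITH_OPENSSL` blocks. Since the header was already reworded for submission, writing the DES guards in the same nested form, `# ifndef OPENSSL_NO_DES` and `# endif /* OPENSSL_NO_DES */`, would make the patch match the file it modifies and easier to move past `Upstream-Status: Pending`. The filename still carries the `openssh-7.1p1-` prefix although the refreshed patch targets 7.3p1, which is cosmetic but worth noting for the next refresh. The `ciphers[]` table this hunk patches begins and ends outside the visible hunks.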
diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 3df825b777..b31972649d 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -22,15 +22,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
22 file://volatiles.99_sshd \ 22 file://volatiles.99_sshd \
23 file://add-test-support-for-busybox.patch \ 23 file://add-test-support-for-busybox.patch \
24 file://run-ptest \ 24 file://run-ptest \
25 file://CVE-2015-8325.patch \
26 file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ 25 file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
27 file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ 26 file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
28 " 27 "
29 28
30PAM_SRC_URI = "file://sshd" 29PAM_SRC_URI = "file://sshd"
31 30
32SRC_URI[md5sum] = "13009a9156510d8f27e752659075cced" 31SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08"
33SRC_URI[sha256sum] = "a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c" 32SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc"
34 33
35inherit useradd update-rc.d update-alternatives systemd 34inherit useradd update-rc.d update-alternatives systemd
36 35
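Review bot: The new `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` lines are the only integrity anchor for a tarball fetched over plain `http://ftp.openbsd.org/...` (visible in the hunk header), so the commit would benefit from stating how the new sha256 was cross-checked, for example against the upstream release announcement or its detached signature, rather than only against the file that was downloaded. The removal of `file://CVE-2015-8325.patch` is presumably because 7.3p1 carries that fix upstream; saying so in the commit message, with the upstream commit id the deleted patch cited, would make the CVE-tracking intent explicit for anyone auditing the recipe later. The `SRC_URI` assignment starts above the visible hunk.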