-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch | 39 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch | 30 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_7.3p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_7.2p2.bb) | 5 |
3 files changed, 18 insertions, 56 deletions
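--- a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 13 Apr 2016 10:39:57 +1000
-Subject: ignore PAM environment vars when UseLogin=yes
-
-If PAM is configured to read user-specified environment variables
-and UseLogin=yes in sshd_config, then a hostile local user may
-attack /bin/login via LD_PRELOAD or similar environment variables
-set via PAM.
-
-CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
-
-
-
-https://anongit.mindrot.org/openssh.git/commit/session.c?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
-
-CVE: CVE-2015-8325
-Upstream-Status: Backport
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
----
-session.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/session.c b/session.c
-index 4859245..4653b09 100644
---- a/session.c
-+++ b/session.c
-@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
-* Pull in any environment variables that may have
-been set by PAM.
-*/
-- if (options.use_pam) {
-+ if (options.use_pam && !options.use_login) {
-char **p;
-
-p = fetch_pam_child_environment();
---
-cgit v0.11.2
-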
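--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -1,18 +1,18 @@
-From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001
+From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001
 From: Haiqing Bai <Haiqing.Bai@windriver.com>
-Date: Fri, 18 Mar 2016 15:49:31 +0800
-Subject: [PATCH 2/3] remove des in cipher.
+Date: Mon, 22 Aug 2016 14:11:16 +0300
+Subject: [PATCH] Remove des in cipher.
 
 Upstream-Status: Pending
 
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
-
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
 ---
 cipher.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 
 diff --git a/cipher.c b/cipher.c
-index 02dae6f..63d3c29 100644
+index 031bda9..6cd667a 100644
 --- a/cipher.c
 +++ b/cipher.c
 @@ -53,8 +53,10 @@
@@ -26,7 +26,7 @@ index 02dae6f..63d3c29 100644
 #endif
 
 struct sshcipher {
-@@ -79,13 +81,17 @@ struct sshcipher {
+@@ -79,15 +81,19 @@ struct sshcipher {
 
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_SSH1
@@ -34,17 +34,19 @@ index 02dae6f..63d3c29 100644
 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
 +#endif /* OPENSSL_NO_DES */
+# ifndef OPENSSL_NO_BF
 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
+# endif /* OPENSSL_NO_BF */
 #endif /* WITH_SSH1 */
 #ifdef WITH_OPENSSL
 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 +#ifndef OPENSSL_NO_DES
 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 +#endif /* OPENSSL_NO_DES */
+# ifndef OPENSSL_NO_BF
 { "blowfish-cbc",
 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-{ "cast128-cbc",
-@@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c)
+@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c)
 u_int
 cipher_seclen(const struct sshcipher *c)
 {
@@ -55,7 +57,7 @@ index 02dae6f..63d3c29 100644
 return cipher_keylen(c);
 }
 
-@@ -201,11 +209,13 @@ u_int
+@@ -209,11 +217,13 @@ u_int
 cipher_mask_ssh1(int client)
 {
 u_int mask = 0;
@@ -69,7 +71,7 @@ index 02dae6f..63d3c29 100644
 return mask;
 }
 
-@@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
 switch (c->number) {
 #ifdef WITH_OPENSSL
 case SSH_CIPHER_SSH2:
@@ -79,7 +81,7 @@ index 02dae6f..63d3c29 100644
 case SSH_CIPHER_BLOWFISH:
 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
 if (evplen == 0)
-@@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
 break;
 #endif
 #ifdef WITH_SSH1
@@ -90,7 +92,7 @@ index 02dae6f..63d3c29 100644
 #endif
 default:
 return SSH_ERR_INVALID_ARGUMENT;
-@@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
 switch (c->number) {
 #ifdef WITH_OPENSSL
 case SSH_CIPHER_SSH2:
@@ -100,7 +102,7 @@ index 02dae6f..63d3c29 100644
 case SSH_CIPHER_BLOWFISH:
 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
 if (evplen <= 0)
-@@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
 break;
 #endif
 #ifdef WITH_SSH1
@@ -112,5 +114,5 @@ index 02dae6f..63d3c29 100644
 default:
 return SSH_ERR_INVALID_ARGUMENT;
 --
-1.9.1
+2.1.4
 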
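Review bot: The rebased patch header still has no rationale — under `Subject: [PATCH] Remove des in cipher.` the body is only `Upstream-Status: Pending`, so the `#ifndef OPENSSL_NO_DES` guards around the `des`, `3des` and `3des-cbc` entries in `ciphers[]` say nothing about why DES is made compile-time optional or what a build without it gives up. I would add a body such as `Guard the DES/3DES entries in ciphers[] and the DES-specific code paths with OPENSSL_NO_DES so cipher.c builds against an OpenSSL configured with no-des.` It also deserves an explicit caveat that a build with OPENSSL_NO_DES no longer offers 3des-cbc, the one SSH2 cipher RFC 4253 marks REQUIRED, so interoperability with peers that offer only 3des-cbc is lost and any hardening comes from the OpenSSL configuration rather than from this patch. The patch has stayed Pending across the 7.2p2 to 7.3p1 rebase; recording whether it was ever submitted upstream would spare the next upgrade the same re-derivation. The outer diff shows only the renumbered `@@` headers for the cipher_get_keyiv/cipher_set_keyiv hunks, so the guards added to those switch statements are not visible here.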
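--- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -22,15 +22,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 file://volatiles.99_sshd \
 file://add-test-support-for-busybox.patch \
 file://run-ptest \
-file://CVE-2015-8325.patch \
 file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
 file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
 "
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "13009a9156510d8f27e752659075cced"
-SRC_URI[sha256sum] = "a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c"
+SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08"
+SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc"
 
 inherit useradd update-rc.d update-alternatives systemd
 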