1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 0000000000..3adb981fb4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+feedback and ok markus@
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2008 Damien Miller.  All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+        return 0;
+ }
+ 
+/* Returns the first item from a comma-separated algorithm list */
+static char *
+first_alg(const char *algs)
+{
+       char *ret, *cp;
+
+       ret = xstrdup(algs);
+       if ((cp = strchr(ret, ',')) != NULL)
+               *cp = '\0';
+       return ret;
+}
+
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+-       char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+       char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
+       char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+        size_t maxlen;
+-       struct hostkeys *hostkeys;
+       struct hostkeys *hostkeys = NULL;
+        int ktype;
+        u_int i;
+ 
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        for (i = 0; i < options.num_system_hostfiles; i++)
+                load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
+       /*
+        * If a plain public key exists that matches the type of the best
+        * preference HostkeyAlgorithms, then use the whole list as is.
+        * Note that we ignore whether the best preference algorithm is a
+        * certificate type, as sshconnect.c will downgrade certs to
+        * plain keys if necessary.
+        */
+       best = first_alg(options.hostkeyalgorithms);
+       if (lookup_key_in_hostkeys_by_type(hostkeys,
+           sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
+               debug3("%s: have matching best-preference key type %s, "
+                   "using HostkeyAlgorithms verbatim", __func__, best);
+               ret = xstrdup(options.hostkeyalgorithms);
+               goto out;
+       }
+
+       /*
+        * Otherwise, prefer the host key algorithms that match known keys
+        * while keeping the ordering of HostkeyAlgorithms as much as possible.
+        */
+        oavail = avail = xstrdup(options.hostkeyalgorithms);
+        maxlen = strlen(avail) + 1;
+        first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        if (*first != '\0')
+                debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ 
+ out:
+       free(best);
+        free(first);
+        free(last);
+        free(hostname);
+-- 
+cgit v1.2.3

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode 100644 index 0000000000..3adb981fb4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
	1	From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Fri, 18 Sep 2020 05:23:03 +0000
	4	Subject: upstream: tweak the client hostkey preference ordering algorithm to
	5
	6	prefer the default ordering if the user has a key that matches the
	7	best-preference default algorithm.
	8
	9	feedback and ok markus@
	10
	11	OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
	12
	13	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
	14	---
	15	sshconnect2.c \| 41 ++++++++++++++++++++++++++++++++++++++---
	16	1 file changed, 38 insertions(+), 3 deletions(-)
	17
	18	CVE: CVE-2020-14145
	19	Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
	20	Comment: Refreshed first hunk
	21
	22	diff --git a/sshconnect2.c b/sshconnect2.c
	23	index 347e348c..f64aae66 100644
	24	--- a/sshconnect2.c
	25	+++ b/sshconnect2.c
	26	@@ -1,4 +1,4 @@
	27	-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
	28	+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
	29	/*
	30	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	31	* Copyright (c) 2008 Damien Miller. All rights reserved.
	32	@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey hostkey, struct ssh ssh)
	33	return 0;
	34	}
	35
	36	+/* Returns the first item from a comma-separated algorithm list */
	37	+static char *
	38	+first_alg(const char *algs)
	39	+{
	40	+ char ret, cp;
	41	+
	42	+ ret = xstrdup(algs);
	43	+ if ((cp = strchr(ret, ',')) != NULL)
	44	+ *cp = '\0';
	45	+ return ret;
	46	+}
	47	+
	48	static char *
	49	order_hostkeyalgs(char host, struct sockaddr hostaddr, u_short port)
	50	{
	51	- char oavail, avail, first, last, alg, hostname, *ret;
	52	+ char oavail = NULL, avail = NULL, first = NULL, last = NULL;
	53	+ char alg = NULL, hostname = NULL, ret = NULL, best = NULL;
	54	size_t maxlen;
	55	- struct hostkeys *hostkeys;
	56	+ struct hostkeys *hostkeys = NULL;
	57	int ktype;
	58	u_int i;
	59
	60	@@ -119,6 +132,26 @@ order_hostkeyalgs(char host, struct sockaddr hostaddr, u_short port)
	61	for (i = 0; i < options.num_system_hostfiles; i++)
	62	load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
	63
	64	+ /*
	65	+ * If a plain public key exists that matches the type of the best
	66	+ * preference HostkeyAlgorithms, then use the whole list as is.
	67	+ * Note that we ignore whether the best preference algorithm is a
	68	+ * certificate type, as sshconnect.c will downgrade certs to
	69	+ * plain keys if necessary.
	70	+ */
	71	+ best = first_alg(options.hostkeyalgorithms);
	72	+ if (lookup_key_in_hostkeys_by_type(hostkeys,
	73	+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
	74	+ debug3("%s: have matching best-preference key type %s, "
	75	+ "using HostkeyAlgorithms verbatim", __func__, best);
	76	+ ret = xstrdup(options.hostkeyalgorithms);
	77	+ goto out;
	78	+ }
	79	+
	80	+ /*
	81	+ * Otherwise, prefer the host key algorithms that match known keys
	82	+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
	83	+ */
	84	oavail = avail = xstrdup(options.hostkeyalgorithms);
	85	maxlen = strlen(avail) + 1;
	86	first = xmalloc(maxlen);
	87	@@ -159,6 +192,8 @@ order_hostkeyalgs(char host, struct sockaddr hostaddr, u_short port)
	88	if (*first != '\0')
	89	debug3("%s: prefer hostkeyalgs: %s", __func__, first);
	90
	91	+ out:
	92	+ free(best);
	93	free(first);
	94	free(last);
	95	free(hostname);
	96	--
	97	cgit v1.2.3