Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch | 97 |
1 files changed, 97 insertions, 0 deletions
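--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+1 file changed, 38 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+/*
+* Copyright (c) 2000 Markus Friedl. All rights reserved.
+* Copyright (c) 2008 Damien Miller. All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+return 0;
+}
+
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++ char *ret, *cp;
++
++ ret = xstrdup(algs);
++ if ((cp = strchr(ret, ',')) != NULL)
++ *cp = '\0';
++ return ret;
++}
++
+static char *
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+{
+- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+size_t maxlen;
+- struct hostkeys *hostkeys;
++ struct hostkeys *hostkeys = NULL;
+int ktype;
+u_int i;
+
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+for (i = 0; i < options.num_system_hostfiles; i++)
+load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
++ /*
++ * If a plain public key exists that matches the type of the best
++ * preference HostkeyAlgorithms, then use the whole list as is.
++ * Note that we ignore whether the best preference algorithm is a
++ * certificate type, as sshconnect.c will downgrade certs to
++ * plain keys if necessary.
++ */
++ best = first_alg(options.hostkeyalgorithms);
++ if (lookup_key_in_hostkeys_by_type(hostkeys,
++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++ debug3("%s: have matching best-preference key type %s, "
++ "using HostkeyAlgorithms verbatim", __func__, best);
++ ret = xstrdup(options.hostkeyalgorithms);
++ goto out;
++ }
++
++ /*
++ * Otherwise, prefer the host key algorithms that match known keys
++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
++ */
+oavail = avail = xstrdup(options.hostkeyalgorithms);
+maxlen = strlen(avail) + 1;
+first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+if (*first != '\0')
+debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+
++ out:
++ free(best);
+free(first);
+free(last);
+free(hostname);
+--
+cgit v1.2.3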
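Review bot: The `Comment:` line in the added patch header (line 20 of the new file) should record that this backport is only a partial mitigation of CVE-2020-14145: the new early exit returns HostkeyAlgorithms verbatim only when a known plain key matches the first entry of the list, and otherwise the pre-existing reordering still runs, so the advertised preference list still differs from the default whenever the client knows a key of some other type. Suggested wording: `Comment: Refreshed first hunk. Partial mitigation only: the known-host reordering (and the observable difference) still happens when the known key type is not the first HostkeyAlgorithms entry.` A smaller point on `first_alg()`: it returns whatever precedes the first comma without validating it, so an unrecognized or empty first entry presumably maps to an unspecified key type and silently falls through to the reordering path; a `debug3("%s: no known key of best-preference type %s", __func__, best);` before the second comment block would make that branch visible in `ssh -vvv` output. The body of `order_hostkeyalgs()` continues past the last nested hunk (the remaining frees and the return are not shown).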