1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..bda896f581
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+backport of the following two upstream commits
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
+++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
+#include <grp.h>
+ 
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+                }
+                closefrom(STDERR_FILENO + 1);
+ 
+               if (geteuid() == 0 &&
+                   initgroups(pw->pw_name, pw->pw_gid) == -1) {
+                       error("%s: initgroups(%s, %u): %s", tag,
+                           pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+                       _exit(1);
+               }
+
+                /* Don't use permanently_set_uid() here to avoid fatal() */
+                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+-- 
+2.26.2

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch new file mode 100644 index 0000000000..bda896f581 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
	1	From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
	2	From: Ali Abdallah <aabdallah@suse.de>
	3	Date: Wed, 24 Nov 2021 13:33:39 +0100
	4	Subject: [PATCH] CVE-2021-41617 fix
	5
	6	backport of the following two upstream commits
	7
	8	f3cbe43e28fe71427d41cfe3a17125b972710455
	9	bf944e3794eff5413f2df1ef37cddf96918c6bde
	10
	11	CVE-2021-41617 failed to correctly initialise supplemental groups
	12	when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
	13	where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
	14	directive has been set to run the command as a different user. Instead
	15	these commands would inherit the groups that sshd(8) was started with.
	16	---
	17	auth.c \| 8 ++++++++
	18	1 file changed, 8 insertions(+)
	19
	20	CVE: CVE-2021-41617
	21	Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
	22	Comment: No change in any hunk
	23	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
	24
	25	diff --git a/auth.c b/auth.c
	26	index 163038f..a47b267 100644
	27	--- a/auth.c
	28	+++ b/auth.c
	29	@@ -52,6 +52,7 @@
	30	#include <limits.h>
	31	#include <netdb.h>
	32	#include <time.h>
	33	+#include <grp.h>
	34
	35	#include "xmalloc.h"
	36	#include "match.h"
	37	@@ -851,6 +852,13 @@ subprocess(const char tag, struct passwd pw, const char *command,
	38	}
	39	closefrom(STDERR_FILENO + 1);
	40
	41	+ if (geteuid() == 0 &&
	42	+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
	43	+ error("%s: initgroups(%s, %u): %s", tag,
	44	+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
	45	+ _exit(1);
	46	+ }
	47	+
	48	/* Don't use permanently_set_uid() here to avoid fatal() */
	49	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
	50	error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
	51	--
	52	2.26.2