1 files changed, 171 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
new file mode 100644
index 0000000000..e16e5e245e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
+From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+Feedback deraadt; ok markus
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ misc.c       | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc.h       |  1 +
+ ssh-pkcs11.c |  4 +++
+ ssh-sk.c     |  6 ++--
+ 4 files changed, 86 insertions(+), 2 deletions(-)
+diff --git a/misc.c b/misc.c
+index 3a31d5c..8a107e4 100644
+--- a/misc.c
+++ b/misc.c
+@@ -28,6 +28,7 @@
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
+#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -41,6 +42,9 @@
+ #ifdef HAVE_POLL_H
+ #include <poll.h>
+ #endif
+#ifdef HAVE_NLIST_H
+#include <nlist.h>
+#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
+        }
+        return osa.sa_handler;
+ }
+
+
+/*
+ * Returns zero if the library at 'path' contains symbol 's', nonzero
+ * otherwise.
+ */
+int
+lib_contains_symbol(const char *path, const char *s)
+{
+#ifdef HAVE_NLIST_H
+       struct nlist nl[2];
+       int ret = -1, r;
+
+       memset(nl, 0, sizeof(nl));
+       nl[0].n_name = xstrdup(s);
+       nl[1].n_name = NULL;
+       if ((r = nlist(path, nl)) == -1) {
+               error("%s: nlist failed for %s", __func__, path);
+               goto out;
+       }
+       if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
+               error("%s: library %s does not contain symbol %s", __func__, path, s);
+               goto out;
+       }
+       /* success */
+       ret = 0;
+ out:
+       free(nl[0].n_name);
+       return ret;
+#else /* HAVE_NLIST_H */
+       int fd, ret = -1;
+       struct stat st;
+       void *m = NULL;
+       size_t sz = 0;
+
+       memset(&st, 0, sizeof(st));
+       if ((fd = open(path, O_RDONLY)) < 0) {
+               error("%s: open %s: %s", __func__, path, strerror(errno));
+               return -1;
+       }
+       if (fstat(fd, &st) != 0) {
+               error("%s: fstat %s: %s", __func__, path, strerror(errno));
+               goto out;
+       }
+       if (!S_ISREG(st.st_mode)) {
+               error("%s: %s is not a regular file", __func__, path);
+               goto out;
+       }
+       if (st.st_size < 0 ||
+           (size_t)st.st_size < strlen(s) ||
+           st.st_size >= INT_MAX/2) {
+               error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
+               goto out;
+       }
+       sz = (size_t)st.st_size;
+       if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
+           m == NULL) {
+               error("%s: mmap %s: %s", __func__, path, strerror(errno));
+               goto out;
+       }
+       if (memmem(m, sz, s, strlen(s)) == NULL) {
+               error("%s: %s does not contain expected string %s", __func__, path, s);
+               goto out;
+       }
+       /* success */
+       ret = 0;
+ out:
+       if (m != NULL && m != MAP_FAILED)
+               munmap(m, sz);
+       close(fd);
+       return ret;
+#endif /* HAVE_NLIST_H */
+}
+diff --git a/misc.h b/misc.h
+index 4a05db2..3f9f4db 100644
+--- a/misc.h
+++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
+ int     parse_absolute_time(const char *, uint64_t *);
+ void    format_absolute_time(uint64_t, char *, size_t);
+ int     path_absolute(const char *);
+int     lib_contains_symbol(const char *, const char *);
+ void    sock_set_v6only(int);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index b56a41b..639a6f7 100644
+--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
+                    __func__, provider_id);
+                goto fail;
+        }
+       if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
+               error("provider %s is not a PKCS11 library", provider_id);
+               goto fail;
+       }
+        /* open shared pkcs11-library */
+        if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+                error("dlopen %s failed: %s", provider_id, dlerror());
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 5ff9381..9df12cc 100644
+--- a/ssh-sk.c
+++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+ #endif
+                return ret;
+        }
+-       if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+-               error("Provider \"%s\" dlopen failed: %s", path, dlerror());
+       if (lib_contains_symbol(path, "sk_api_version") != 0) {
+               error("provider %s is not an OpenSSH FIDO library", path);
+                goto fail;
+        }
+       if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
+               fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+        if ((ret->sk_api_version = dlsym(ret->dlhandle,
+            "sk_api_version")) == NULL) {
+                error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
+--
+2.41.0

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch new file mode 100644 index 0000000000..e16e5e245e --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
	1	From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Wed, 19 Jul 2023 14:02:27 +0000
	4	Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
	5	symbols
	6
	7	This checks via nlist(3) that candidate provider libraries contain one
	8	of the symbols that we will require prior to dlopen(), which can cause
	9	a number of side effects, including execution of constructors.
	10
	11	Feedback deraadt; ok markus
	12
	13	OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
	14
	15	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
	16	CVE: CVE-2023-38408
	17	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	18	---
	19	misc.c \| 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
	20	misc.h \| 1 +
	21	ssh-pkcs11.c \| 4 +++
	22	ssh-sk.c \| 6 ++--
	23	4 files changed, 86 insertions(+), 2 deletions(-)
	24
	25	diff --git a/misc.c b/misc.c
	26	index 3a31d5c..8a107e4 100644
	27	--- a/misc.c
	28	+++ b/misc.c
	29	@@ -28,6 +28,7 @@
	30
	31	#include <sys/types.h>
	32	#include <sys/ioctl.h>
	33	+#include <sys/mman.h>
	34	#include <sys/socket.h>
	35	#include <sys/stat.h>
	36	#include <sys/time.h>
	37	@@ -41,6 +42,9 @@
	38	#ifdef HAVE_POLL_H
	39	#include <poll.h>
	40	#endif
	41	+#ifdef HAVE_NLIST_H
	42	+#include <nlist.h>
	43	+#endif
	44	#include <signal.h>
	45	#include <stdarg.h>
	46	#include <stdio.h>
	47	@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
	48	}
	49	return osa.sa_handler;
	50	}
	51	+
	52	+
	53	+/*
	54	+ * Returns zero if the library at 'path' contains symbol 's', nonzero
	55	+ * otherwise.
	56	+ */
	57	+int
	58	+lib_contains_symbol(const char path, const char s)
	59	+{
	60	+#ifdef HAVE_NLIST_H
	61	+ struct nlist nl[2];
	62	+ int ret = -1, r;
	63	+
	64	+ memset(nl, 0, sizeof(nl));
	65	+ nl[0].n_name = xstrdup(s);
	66	+ nl[1].n_name = NULL;
	67	+ if ((r = nlist(path, nl)) == -1) {
	68	+ error("%s: nlist failed for %s", __func__, path);
	69	+ goto out;
	70	+ }
	71	+ if (r != 0 \|\| nl[0].n_value == 0 \|\| nl[0].n_type == 0) {
	72	+ error("%s: library %s does not contain symbol %s", __func__, path, s);
	73	+ goto out;
	74	+ }
	75	+ /* success */
	76	+ ret = 0;
	77	+ out:
	78	+ free(nl[0].n_name);
	79	+ return ret;
	80	+#else /* HAVE_NLIST_H */
	81	+ int fd, ret = -1;
	82	+ struct stat st;
	83	+ void *m = NULL;
	84	+ size_t sz = 0;
	85	+
	86	+ memset(&st, 0, sizeof(st));
	87	+ if ((fd = open(path, O_RDONLY)) < 0) {
	88	+ error("%s: open %s: %s", __func__, path, strerror(errno));
	89	+ return -1;
	90	+ }
	91	+ if (fstat(fd, &st) != 0) {
	92	+ error("%s: fstat %s: %s", __func__, path, strerror(errno));
	93	+ goto out;
	94	+ }
	95	+ if (!S_ISREG(st.st_mode)) {
	96	+ error("%s: %s is not a regular file", __func__, path);
	97	+ goto out;
	98	+ }
	99	+ if (st.st_size < 0 \|\|
	100	+ (size_t)st.st_size < strlen(s) \|\|
	101	+ st.st_size >= INT_MAX/2) {
	102	+ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
	103	+ goto out;
	104	+ }
	105	+ sz = (size_t)st.st_size;
	106	+ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED \|\|
	107	+ m == NULL) {
	108	+ error("%s: mmap %s: %s", __func__, path, strerror(errno));
	109	+ goto out;
	110	+ }
	111	+ if (memmem(m, sz, s, strlen(s)) == NULL) {
	112	+ error("%s: %s does not contain expected string %s", __func__, path, s);
	113	+ goto out;
	114	+ }
	115	+ /* success */
	116	+ ret = 0;
	117	+ out:
	118	+ if (m != NULL && m != MAP_FAILED)
	119	+ munmap(m, sz);
	120	+ close(fd);
	121	+ return ret;
	122	+#endif /* HAVE_NLIST_H */
	123	+}
	124	diff --git a/misc.h b/misc.h
	125	index 4a05db2..3f9f4db 100644
	126	--- a/misc.h
	127	+++ b/misc.h
	128	@@ -86,6 +86,7 @@ const char atoi_err(const char , int *);
	129	int parse_absolute_time(const char , uint64_t );
	130	void format_absolute_time(uint64_t, char *, size_t);
	131	int path_absolute(const char *);
	132	+int lib_contains_symbol(const char , const char );
	133
	134	void sock_set_v6only(int);
	135
	136	diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
	137	index b56a41b..639a6f7 100644
	138	--- a/ssh-pkcs11.c
	139	+++ b/ssh-pkcs11.c
	140	@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char provider_id, char pin,
	141	__func__, provider_id);
	142	goto fail;
	143	}
	144	+ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
	145	+ error("provider %s is not a PKCS11 library", provider_id);
	146	+ goto fail;
	147	+ }
	148	/* open shared pkcs11-library */
	149	if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
	150	error("dlopen %s failed: %s", provider_id, dlerror());
	151	diff --git a/ssh-sk.c b/ssh-sk.c
	152	index 5ff9381..9df12cc 100644
	153	--- a/ssh-sk.c
	154	+++ b/ssh-sk.c
	155	@@ -119,10 +119,12 @@ sshsk_open(const char *path)
	156	#endif
	157	return ret;
	158	}
	159	- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
	160	- error("Provider \"%s\" dlopen failed: %s", path, dlerror());
	161	+ if (lib_contains_symbol(path, "sk_api_version") != 0) {
	162	+ error("provider %s is not an OpenSSH FIDO library", path);
	163	goto fail;
	164	}
	165	+ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
	166	+ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
	167	if ((ret->sk_api_version = dlsym(ret->dlhandle,
	168	"sk_api_version")) == NULL) {
	169	error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
	170	--
	171	2.41.0