1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
new file mode 100644
index 0000000000..5e8040c9bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
+From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH 04/12] upstream: terminate process if requested to load a
+ PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 639a6f7..7530acc 100644
+--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
+@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+                error("dlopen %s failed: %s", provider_id, dlerror());
+                goto fail;
+        }
+-       if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-               error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-               goto fail;
+-       }
+       if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+               fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+        p = xcalloc(1, sizeof(*p));
+        p->name = xstrdup(provider_id);
+        p->handle = handle;
+--
+2.41.0

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch new file mode 100644 index 0000000000..5e8040c9bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
	1	From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Wed, 19 Jul 2023 13:55:53 +0000
	4	Subject: [PATCH 04/12] upstream: terminate process if requested to load a
	5	PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
	6
	7	OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
	8
	9	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
	10	CVE: CVE-2023-38408
	11	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	12	---
	13	ssh-pkcs11.c \| 6 ++----
	14	1 file changed, 2 insertions(+), 4 deletions(-)
	15
	16	diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
	17	index 639a6f7..7530acc 100644
	18	--- a/ssh-pkcs11.c
	19	+++ b/ssh-pkcs11.c
	20	@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char provider_id, char pin,
	21	error("dlopen %s failed: %s", provider_id, dlerror());
	22	goto fail;
	23	}
	24	- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
	25	- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
	26	- goto fail;
	27	- }
	28	+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
	29	+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
	30	p = xcalloc(1, sizeof(*p));
	31	p->name = xstrdup(provider_id);
	32	p->handle = handle;
	33	--
	34	2.41.0