diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch new file mode 100644 index 0000000000..0dcf23ae17 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch | |||
@@ -0,0 +1,125 @@ | |||
1 | From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001 | ||
2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
3 | Date: Tue, 26 Jan 2021 00:47:47 +0000 | ||
4 | Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent | ||
5 | sockets table; | ||
6 | |||
7 | also clear socket entries that are being marked as unused. | ||
8 | |||
9 | spinkle in some debug2() spam to make it easier to watch an agent | ||
10 | do its thing. | ||
11 | |||
12 | ok markus | ||
13 | |||
14 | OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922 | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76] | ||
17 | CVE: CVE-2023-38408 | ||
18 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
19 | --- | ||
20 | ssh-agent.c | 20 ++++++++++++++++---- | ||
21 | 1 file changed, 16 insertions(+), 4 deletions(-) | ||
22 | |||
23 | diff --git a/ssh-agent.c b/ssh-agent.c | ||
24 | index 78f7268..2635bc5 100644 | ||
25 | --- a/ssh-agent.c | ||
26 | +++ b/ssh-agent.c | ||
27 | @@ -1,4 +1,4 @@ | ||
28 | -/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ | ||
29 | +/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ | ||
30 | /* | ||
31 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
32 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
33 | @@ -175,11 +175,12 @@ static void | ||
34 | close_socket(SocketEntry *e) | ||
35 | { | ||
36 | close(e->fd); | ||
37 | - e->fd = -1; | ||
38 | - e->type = AUTH_UNUSED; | ||
39 | sshbuf_free(e->input); | ||
40 | sshbuf_free(e->output); | ||
41 | sshbuf_free(e->request); | ||
42 | + memset(e, '\0', sizeof(*e)); | ||
43 | + e->fd = -1; | ||
44 | + e->type = AUTH_UNUSED; | ||
45 | } | ||
46 | |||
47 | static void | ||
48 | @@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e) | ||
49 | struct sshbuf *msg; | ||
50 | int r; | ||
51 | |||
52 | + debug2("%s: entering", __func__); | ||
53 | + | ||
54 | if ((msg = sshbuf_new()) == NULL) | ||
55 | fatal("%s: sshbuf_new failed", __func__); | ||
56 | if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 || | ||
57 | @@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e) | ||
58 | struct sshkey *key = NULL; | ||
59 | Identity *id; | ||
60 | |||
61 | + debug2("%s: entering", __func__); | ||
62 | if ((r = sshkey_froms(e->request, &key)) != 0) { | ||
63 | error("%s: get key: %s", __func__, ssh_err(r)); | ||
64 | goto done; | ||
65 | @@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e) | ||
66 | { | ||
67 | Identity *id; | ||
68 | |||
69 | + debug2("%s: entering", __func__); | ||
70 | /* Loop over all identities and clear the keys. */ | ||
71 | for (id = TAILQ_FIRST(&idtab->idlist); id; | ||
72 | id = TAILQ_FIRST(&idtab->idlist)) { | ||
73 | @@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e) | ||
74 | u_char ctype; | ||
75 | int r = SSH_ERR_INTERNAL_ERROR; | ||
76 | |||
77 | + debug2("%s: entering", __func__); | ||
78 | if ((r = sshkey_private_deserialize(e->request, &k)) != 0 || | ||
79 | k == NULL || | ||
80 | (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) { | ||
81 | @@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock) | ||
82 | static u_int fail_count = 0; | ||
83 | size_t pwlen; | ||
84 | |||
85 | + debug2("%s: entering", __func__); | ||
86 | /* | ||
87 | * This is deliberately fatal: the user has requested that we lock, | ||
88 | * but we can't parse their request properly. The only safe thing to | ||
89 | @@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e) | ||
90 | struct sshkey **keys = NULL, *k; | ||
91 | Identity *id; | ||
92 | |||
93 | + debug2("%s: entering", __func__); | ||
94 | if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || | ||
95 | (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { | ||
96 | error("%s: buffer error: %s", __func__, ssh_err(r)); | ||
97 | @@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e) | ||
98 | int r, success = 0; | ||
99 | Identity *id, *nxt; | ||
100 | |||
101 | + debug2("%s: entering", __func__); | ||
102 | if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || | ||
103 | (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { | ||
104 | error("%s: buffer error: %s", __func__, ssh_err(r)); | ||
105 | @@ -962,6 +971,8 @@ new_socket(sock_type type, int fd) | ||
106 | { | ||
107 | u_int i, old_alloc, new_alloc; | ||
108 | |||
109 | + debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" : | ||
110 | + (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); | ||
111 | set_nonblock(fd); | ||
112 | |||
113 | if (fd > max_fd) | ||
114 | @@ -981,7 +992,8 @@ new_socket(sock_type type, int fd) | ||
115 | } | ||
116 | old_alloc = sockets_alloc; | ||
117 | new_alloc = sockets_alloc + 10; | ||
118 | - sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0])); | ||
119 | + sockets = xrecallocarray(sockets, old_alloc, new_alloc, | ||
120 | + sizeof(sockets[0])); | ||
121 | for (i = old_alloc; i < new_alloc; i++) | ||
122 | sockets[i].type = AUTH_UNUSED; | ||
123 | sockets_alloc = new_alloc; | ||
124 | -- | ||
125 | 2.41.0 | ||