Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch125
1 files changed, 125 insertions, 0 deletions
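diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
new file mode 100644
index 0000000000..0dcf23ae17
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+
+also clear socket entries that are being marked as unused.
+
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+
+ok markus
+
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+ close(e->fd);
+- e->fd = -1;
+- e->type = AUTH_UNUSED;
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ memset(e, '\0', sizeof(*e));
++ e->fd = -1;
++ e->type = AUTH_UNUSED;
+ }
+
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+ struct sshbuf *msg;
+ int r;
+
++ debug2("%s: entering", __func__);
++
+ if ((msg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+ struct sshkey *key = NULL;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_froms(e->request, &key)) != 0) {
+ error("%s: get key: %s", __func__, ssh_err(r));
+ goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ /* Loop over all identities and clear the keys. */
+ for (id = TAILQ_FIRST(&idtab->idlist); id;
+ id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+ u_char ctype;
+ int r = SSH_ERR_INTERNAL_ERROR;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+ k == NULL ||
+ (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+ static u_int fail_count = 0;
+ size_t pwlen;
+
++ debug2("%s: entering", __func__);
+ /*
+ * This is deliberately fatal: the user has requested that we lock,
+ * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+ struct sshkey **keys = NULL, *k;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+ int r, success = 0;
+ Identity *id, *nxt;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+ u_int i, old_alloc, new_alloc;
+
++ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
++ (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+ set_nonblock(fd);
+
+ if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+ }
+ old_alloc = sockets_alloc;
+ new_alloc = sockets_alloc + 10;
+- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
++ sockets = xrecallocarray(sockets, old_alloc, new_alloc,
++ sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+ sockets_alloc = new_alloc;
+--
+2.41.0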
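Review bot: In the last hunk of the carried ssh-agent.c patch (new_socket), the slots added by `xrecallocarray()` are zero-filled and the loop that follows sets only `type`, so a fresh unused slot has `fd == 0` while a slot released through the patched `close_socket()` has `fd == -1`. Descriptor 0 is a valid descriptor, so any code that reads `fd` without first checking `type == AUTH_UNUSED` would treat the two kinds of unused slot differently; whether such code exists cannot be seen here, because new_socket's body continues outside the hunk. Giving both paths the same invariant would mean a braced loop body of `sockets[i].type = AUTH_UNUSED; sockets[i].fd = -1;`, which departs from the upstream commit named in `Upstream-Status`. For a pure backport the alternative is a comment at that loop: `/* fresh slots are zeroed (fd 0); only type marks a slot unused */`.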