1 files changed, 125 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
new file mode 100644
index 0000000000..0dcf23ae17
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+also clear socket entries that are being marked as unused.
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+ok markus
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+        close(e->fd);
+-       e->fd = -1;
+-       e->type = AUTH_UNUSED;
+        sshbuf_free(e->input);
+        sshbuf_free(e->output);
+        sshbuf_free(e->request);
+       memset(e, '\0', sizeof(*e));
+       e->fd = -1;
+       e->type = AUTH_UNUSED;
+ }
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+        struct sshbuf *msg;
+        int r;
+       debug2("%s: entering", __func__);
+
+        if ((msg = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+        struct sshkey *key = NULL;
+        Identity *id;
+       debug2("%s: entering", __func__);
+        if ((r = sshkey_froms(e->request, &key)) != 0) {
+                error("%s: get key: %s", __func__, ssh_err(r));
+                goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+        Identity *id;
+       debug2("%s: entering", __func__);
+        /* Loop over all identities and clear the keys. */
+        for (id = TAILQ_FIRST(&idtab->idlist); id;
+            id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+        u_char ctype;
+        int r = SSH_ERR_INTERNAL_ERROR;
+       debug2("%s: entering", __func__);
+        if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+            k == NULL ||
+            (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+        static u_int fail_count = 0;
+        size_t pwlen;
+       debug2("%s: entering", __func__);
+        /*
+         * This is deliberately fatal: the user has requested that we lock,
+         * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+        struct sshkey **keys = NULL, *k;
+        Identity *id;
+       debug2("%s: entering", __func__);
+        if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+            (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+                error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+        int r, success = 0;
+        Identity *id, *nxt;
+       debug2("%s: entering", __func__);
+        if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+            (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+                error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+        u_int i, old_alloc, new_alloc;
+       debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
+           (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+        set_nonblock(fd);
+        if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+                }
+        old_alloc = sockets_alloc;
+        new_alloc = sockets_alloc + 10;
+-       sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
+       sockets = xrecallocarray(sockets, old_alloc, new_alloc,
+           sizeof(sockets[0]));
+        for (i = old_alloc; i < new_alloc; i++)
+                sockets[i].type = AUTH_UNUSED;
+        sockets_alloc = new_alloc;
+--
+2.41.0

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch new file mode 100644 index 0000000000..0dcf23ae17 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
	1	From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Tue, 26 Jan 2021 00:47:47 +0000
	4	Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
	5	sockets table;
	6
	7	also clear socket entries that are being marked as unused.
	8
	9	spinkle in some debug2() spam to make it easier to watch an agent
	10	do its thing.
	11
	12	ok markus
	13
	14	OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
	15
	16	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
	17	CVE: CVE-2023-38408
	18	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	19	---
	20	ssh-agent.c \| 20 ++++++++++++++++----
	21	1 file changed, 16 insertions(+), 4 deletions(-)
	22
	23	diff --git a/ssh-agent.c b/ssh-agent.c
	24	index 78f7268..2635bc5 100644
	25	--- a/ssh-agent.c
	26	+++ b/ssh-agent.c
	27	@@ -1,4 +1,4 @@
	28	-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
	29	+/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
	30	/*
	31	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	32	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	33	@@ -175,11 +175,12 @@ static void
	34	close_socket(SocketEntry *e)
	35	{
	36	close(e->fd);
	37	- e->fd = -1;
	38	- e->type = AUTH_UNUSED;
	39	sshbuf_free(e->input);
	40	sshbuf_free(e->output);
	41	sshbuf_free(e->request);
	42	+ memset(e, '\0', sizeof(*e));
	43	+ e->fd = -1;
	44	+ e->type = AUTH_UNUSED;
	45	}
	46
	47	static void
	48	@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
	49	struct sshbuf *msg;
	50	int r;
	51
	52	+ debug2("%s: entering", __func__);
	53	+
	54	if ((msg = sshbuf_new()) == NULL)
	55	fatal("%s: sshbuf_new failed", __func__);
	56	if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 \|\|
	57	@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
	58	struct sshkey *key = NULL;
	59	Identity *id;
	60
	61	+ debug2("%s: entering", __func__);
	62	if ((r = sshkey_froms(e->request, &key)) != 0) {
	63	error("%s: get key: %s", __func__, ssh_err(r));
	64	goto done;
	65	@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
	66	{
	67	Identity *id;
	68
	69	+ debug2("%s: entering", __func__);
	70	/* Loop over all identities and clear the keys. */
	71	for (id = TAILQ_FIRST(&idtab->idlist); id;
	72	id = TAILQ_FIRST(&idtab->idlist)) {
	73	@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
	74	u_char ctype;
	75	int r = SSH_ERR_INTERNAL_ERROR;
	76
	77	+ debug2("%s: entering", __func__);
	78	if ((r = sshkey_private_deserialize(e->request, &k)) != 0 \|\|
	79	k == NULL \|\|
	80	(r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
	81	@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
	82	static u_int fail_count = 0;
	83	size_t pwlen;
	84
	85	+ debug2("%s: entering", __func__);
	86	/*
	87	* This is deliberately fatal: the user has requested that we lock,
	88	* but we can't parse their request properly. The only safe thing to
	89	@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
	90	struct sshkey *keys = NULL, k;
	91	Identity *id;
	92
	93	+ debug2("%s: entering", __func__);
	94	if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 \|\|
	95	(r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
	96	error("%s: buffer error: %s", __func__, ssh_err(r));
	97	@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
	98	int r, success = 0;
	99	Identity id, nxt;
	100
	101	+ debug2("%s: entering", __func__);
	102	if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 \|\|
	103	(r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
	104	error("%s: buffer error: %s", __func__, ssh_err(r));
	105	@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
	106	{
	107	u_int i, old_alloc, new_alloc;
	108
	109	+ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
	110	+ (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
	111	set_nonblock(fd);
	112
	113	if (fd > max_fd)
	114	@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
	115	}
	116	old_alloc = sockets_alloc;
	117	new_alloc = sockets_alloc + 10;
	118	- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
	119	+ sockets = xrecallocarray(sockets, old_alloc, new_alloc,
	120	+ sizeof(sockets[0]));
	121	for (i = old_alloc; i < new_alloc; i++)
	122	sockets[i].type = AUTH_UNUSED;
	123	sockets_alloc = new_alloc;
	124	--
	125	2.41.0