Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch | 120 |
1 files changed, 120 insertions, 0 deletions
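--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+provider libraries to ssh-agent by default.
+
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+
+ok markus@
+
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ssh-agent.1 | 20 ++++++++++++++++++++
+ssh-agent.c | 26 ++++++++++++++++++++++++--
+2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+Kill the current agent (given by the
+.Ev SSH_AGENT_PID
+environment variable).
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+.It Fl P Ar provider_whitelist
+Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+/*
+* Author: Tatu Ylonen <ylo@cs.hut.fi>
+* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+/* PKCS#11/Security key path whitelist */
+static char *provider_whitelist;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+/* locking */
+#define LOCK_SIZE 32
+#define LOCK_SALT_SIZE 16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+if (strcasecmp(sk_provider, "internal") == 0) {
+debug("%s: internal provider", __func__);
+} else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ free(sk_provider);
++ free(comment);
++ sshkey_free(k);
++ goto send;
++ }
+if (realpath(sk_provider, canonical_provider) == NULL) {
+verbose("failed provider \"%.100s\": "
+"realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+goto send;
+}
+}
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+if (realpath(provider, canonical_provider) == NULL) {
+verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+break;
+case 'O':
+if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+else
+fatal("Unknown -O option");
+break;
+--
+2.41.0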
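Review bot: The ssh-agent.1 hunk of the backported patch (the `@@ -97,6 +97,26 @@` hunk) is truncated: `+Currently two options are supported:` / `+.Cm allow-remote-pkcs11` / `+and` names no second option, and the closing `+The` / `+.Cm no-restrict-websafe ,` / `+instructs` stops mid-sentence immediately before the `.It Fl P Ar provider_whitelist` context line. The insertion also sits inside the `-k` entry (context `Kill the current agent ...`) with no `.It Fl O Ar option` heading, so the rendered page never ties `allow-remote-pkcs11` to `-O`, which is the only way an administrator learns how to re-enable the pre-patch behaviour. I would add `.Cm no-restrict-websafe .` after `+and`, finish or drop the dangling `no-restrict-websafe` paragraph, and, if the target man page has no `-O` entry (the hunk context suggests it does not), precede the text with a `.It Fl O Ar option` heading so it no longer reads as part of `-k`. The C hunks themselves look consistent with upstream; the `goto send` paths in process_add_identity and process_add_smartcard_key rely on cleanup at a `send:` label that lies outside the hunks, which I could not verify here.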