1 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
new file mode 100644
index 0000000000..934775bdec
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+ provider libraries to ssh-agent by default.
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+ok markus@
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.1 | 20 ++++++++++++++++++++
+ ssh-agent.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
+++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
+ .It Fl P Ar provider_whitelist
+ Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+ shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+ /* PKCS#11/Security key path whitelist */
+ static char *provider_whitelist;
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by session-bind@openssh.com).
+ */
+static int remote_add_provider;
+
+ /* locking */
+ #define LOCK_SIZE      32
+ #define LOCK_SALT_SIZE 16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+                if (strcasecmp(sk_provider, "internal") == 0) {
+                        debug("%s: internal provider", __func__);
+                } else {
+                       if (e->nsession_ids != 0 && !remote_add_provider) {
+                               verbose("failed add of SK provider \"%.100s\": "
+                                   "remote addition of providers is disabled",
+                                   sk_provider);
+                               free(sk_provider);
+                               free(comment);
+                               sshkey_free(k);
+                               goto send;
+                       }
+                        if (realpath(sk_provider, canonical_provider) == NULL) {
+                                verbose("failed provider \"%.100s\": "
+                                    "realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+                        goto send;
+                }
+        }
+       if (e->nsession_ids != 0 && !remote_add_provider) {
+               verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+                   "providers is disabled", provider);
+               goto send;
+       }
+        if (realpath(provider, canonical_provider) == NULL) {
+                verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+                    provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+                        break;
+                case 'O':
+                        if (strcmp(optarg, "no-restrict-websafe") == 0)
+-                               restrict_websafe  = 0;
+                               restrict_websafe = 0;
+                       else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+                               remote_add_provider = 1;
+                        else
+                                fatal("Unknown -O option");
+                        break;
+--
+2.41.0

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch new file mode 100644 index 0000000000..934775bdec --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
	1	From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Wed, 19 Jul 2023 13:56:33 +0000
	4	Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
	5	provider libraries to ssh-agent by default.
	6
	7	The old behaviour of allowing remote clients from loading providers
	8	can be restored using `ssh-agent -O allow-remote-pkcs11`.
	9
	10	Detection of local/remote clients requires a ssh(1) that supports
	11	the `session-bind@openssh.com` extension. Forwarding access to a
	12	ssh-agent socket using non-OpenSSH tools may circumvent this control.
	13
	14	ok markus@
	15
	16	OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
	17
	18	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
	19	CVE: CVE-2023-38408
	20	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	21	---
	22	ssh-agent.1 \| 20 ++++++++++++++++++++
	23	ssh-agent.c \| 26 ++++++++++++++++++++++++--
	24	2 files changed, 44 insertions(+), 2 deletions(-)
	25
	26	diff --git a/ssh-agent.1 b/ssh-agent.1
	27	index fff0db6..a0f1e21 100644
	28	--- a/ssh-agent.1
	29	+++ b/ssh-agent.1
	30	@@ -97,6 +97,26 @@ The default is
	31	Kill the current agent (given by the
	32	.Ev SSH_AGENT_PID
	33	environment variable).
	34	+Currently two options are supported:
	35	+.Cm allow-remote-pkcs11
	36	+and
	37	+.Pp
	38	+The
	39	+.Cm allow-remote-pkcs11
	40	+option allows clients of a forwarded
	41	+.Nm
	42	+to load PKCS#11 or FIDO provider libraries.
	43	+By default only local clients may perform this operation.
	44	+Note that signalling that a
	45	+.Nm
	46	+client remote is performed by
	47	+.Xr ssh 1 ,
	48	+and use of other tools to forward access to the agent socket may circumvent
	49	+this restriction.
	50	+.Pp
	51	+The
	52	+.Cm no-restrict-websafe ,
	53	+instructs
	54	.It Fl P Ar provider_whitelist
	55	Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
	56	shared libraries that may be used with the
	57	diff --git a/ssh-agent.c b/ssh-agent.c
	58	index 01c7f2b..40c1b6b 100644
	59	--- a/ssh-agent.c
	60	+++ b/ssh-agent.c
	61	@@ -1,4 +1,4 @@
	62	-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
	63	+/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
	64	/*
	65	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	66	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	67	@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
	68	/* PKCS#11/Security key path whitelist */
	69	static char *provider_whitelist;
	70
	71	+/*
	72	+ * Allows PKCS11 providers or SK keys that use non-internal providers to
	73	+ * be added over a remote connection (identified by session-bind@openssh.com).
	74	+ */
	75	+static int remote_add_provider;
	76	+
	77	/* locking */
	78	#define LOCK_SIZE 32
	79	#define LOCK_SALT_SIZE 16
	80	@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
	81	if (strcasecmp(sk_provider, "internal") == 0) {
	82	debug("%s: internal provider", __func__);
	83	} else {
	84	+ if (e->nsession_ids != 0 && !remote_add_provider) {
	85	+ verbose("failed add of SK provider \"%.100s\": "
	86	+ "remote addition of providers is disabled",
	87	+ sk_provider);
	88	+ free(sk_provider);
	89	+ free(comment);
	90	+ sshkey_free(k);
	91	+ goto send;
	92	+ }
	93	if (realpath(sk_provider, canonical_provider) == NULL) {
	94	verbose("failed provider \"%.100s\": "
	95	"realpath: %s", sk_provider,
	96	@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
	97	goto send;
	98	}
	99	}
	100	+ if (e->nsession_ids != 0 && !remote_add_provider) {
	101	+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
	102	+ "providers is disabled", provider);
	103	+ goto send;
	104	+ }
	105	if (realpath(provider, canonical_provider) == NULL) {
	106	verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
	107	provider, strerror(errno));
	108	@@ -1556,7 +1576,9 @@ main(int ac, char **av)
	109	break;
	110	case 'O':
	111	if (strcmp(optarg, "no-restrict-websafe") == 0)
	112	- restrict_websafe = 0;
	113	+ restrict_websafe = 0;
	114	+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
	115	+ remote_add_provider = 1;
	116	else
	117	fatal("Unknown -O option");
	118	break;
	119	--
	120	2.41.0