From c6d12aaaa21048373b280cff9d3dfc0082a025eb Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 22 Jan 2016 09:38:52 +0100 Subject: openssh: CVE-2016-0777 and CVE-2016-0778 Fixes following CVEs: CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature CVE-2016-0778 OpenSSH: Client buffer-overflow when using roaming connections References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778 Backported from: http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/ ?id=9845a542a76156adb5aef6fd33ad5bc5777acf64 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../openssh/CVE-2016-0777_CVE-2016-0778.patch | 56 ++++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 4 +- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch new file mode 100644 index 0000000000..4cc462d277 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch @@ -0,0 +1,56 @@ +From e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Fri, 15 Jan 2016 01:30:36 +1100 +Subject: [PATCH] forcibly disable roaming support in the client + + +Upstream-Status: Backport +CVE: CVE-2016-0777 +CVE: CVE-2016-0778 + +[Yocto #8935] + +Signed-off-by: Armin Kuster + +--- + readconf.c | 5 ++--- + ssh.c | 3 --- + 2 files changed, 2 insertions(+), 6 deletions(-) + +Index: openssh-6.7p1/readconf.c +=================================================================== +--- openssh-6.7p1.orig/readconf.c ++++ openssh-6.7p1/readconf.c +@@ -1597,7 +1597,7 @@ initialize_options(Options * options) + options->tun_remote = -1; + options->local_command = NULL; + options->permit_local_command = -1; +- options->use_roaming = -1; ++ options->use_roaming = 0; + options->visual_host_key = -1; + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; +@@ -1768,8 +1768,7 @@ fill_default_options(Options * options) + options->tun_remote = SSH_TUNID_ANY; + if (options->permit_local_command == -1) + options->permit_local_command = 0; +- if (options->use_roaming == -1) +- options->use_roaming = 1; ++ options->use_roaming = 0; + if (options->visual_host_key == -1) + options->visual_host_key = 0; + if (options->ip_qos_interactive == -1) +Index: openssh-6.7p1/ssh.c +=================================================================== +--- openssh-6.7p1.orig/ssh.c ++++ openssh-6.7p1/ssh.c +@@ -1800,9 +1800,6 @@ ssh_session2(void) + fork_postauth(); + } + +- if (options.use_roaming) +- request_roaming(); +- + return client_loop(tty_flag, tty_flag ? + options.escape_char : SSH_ESCAPECHAR_NONE, id); + } diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb index 3807583d95..0ce84aa70e 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb @@ -26,7 +26,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://openssh-CVE-2014-2532.patch \ file://openssh-CVE-2014-2653.patch \ file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \ - file://openssh-ptest-fix-sshconnect.patch" + file://openssh-ptest-fix-sshconnect.patch \ + file://CVE-2016-0777_CVE-2016-0778.patch \ + " PAM_SRC_URI = "file://sshd" -- cgit v1.2.3-54-g00ecf