openssh: CVE-2016-0777 and CVE-2016-0778

Fixes following CVEs: CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature CVE-2016-0778 OpenSSH: Client buffer-overflow when using roaming connections References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778 Backported from: http://git.yoctoproject.org/cgit/cgit.cgi/poky/patch/ ?id=9845a542a76156adb5aef6fd33ad5bc5777acf64 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-22 09:38:52 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2016-01-22 18:14:11 +0100
commit: c6d12aaaa21048373b280cff9d3dfc0082a025eb (patch)
tree: 7f571d3d83561fbfc4061109cdd26ccfbaac30f6
parent: 36009b0af396f7a0920d5508e67cf58ff955478e (diff)
download: poky-c6d12aaaa21048373b280cff9d3dfc0082a025eb.tar.gz
2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch
new file mode 100644
index 0000000000..4cc462d277
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch
@@ -0,0 +1,56 @@
+From e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 15 Jan 2016 01:30:36 +1100
+Subject: [PATCH] forcibly disable roaming support in the client
+Upstream-Status: Backport
+CVE: CVE-2016-0777
+CVE: CVE-2016-0778
+[Yocto #8935]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ readconf.c | 5 ++---
+ ssh.c      | 3 ---
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+Index: openssh-6.7p1/readconf.c
+===================================================================
+--- openssh-6.7p1.orig/readconf.c
+++ openssh-6.7p1/readconf.c
+@@ -1597,7 +1597,7 @@ initialize_options(Options * options)
+        options->tun_remote = -1;
+        options->local_command = NULL;
+        options->permit_local_command = -1;
+-       options->use_roaming = -1;
+       options->use_roaming = 0;
+        options->visual_host_key = -1;
+        options->ip_qos_interactive = -1;
+        options->ip_qos_bulk = -1;
+@@ -1768,8 +1768,7 @@ fill_default_options(Options * options)
+                options->tun_remote = SSH_TUNID_ANY;
+        if (options->permit_local_command == -1)
+                options->permit_local_command = 0;
+-       if (options->use_roaming == -1)
+-               options->use_roaming = 1;
+       options->use_roaming = 0;
+        if (options->visual_host_key == -1)
+                options->visual_host_key = 0;
+        if (options->ip_qos_interactive == -1)
+Index: openssh-6.7p1/ssh.c
+===================================================================
+--- openssh-6.7p1.orig/ssh.c
+++ openssh-6.7p1/ssh.c
+@@ -1800,9 +1800,6 @@ ssh_session2(void)
+                        fork_postauth();
+        }
+ 
+-       if (options.use_roaming)
+-               request_roaming();
+-
+        return client_loop(tty_flag, tty_flag ?
+            options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ }
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index 3807583d95..0ce84aa70e 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -26,7 +26,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://openssh-CVE-2014-2532.patch \
           file://openssh-CVE-2014-2653.patch \
           file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \
-           file://openssh-ptest-fix-sshconnect.patch"
+           file://openssh-ptest-fix-sshconnect.patch \
+           file://CVE-2016-0777_CVE-2016-0778.patch \
+           "
 PAM_SRC_URI = "file://sshd"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-22 09:38:52 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2016-01-22 18:14:11 +0100
commit	c6d12aaaa21048373b280cff9d3dfc0082a025eb (patch)
tree	7f571d3d83561fbfc4061109cdd26ccfbaac30f6
parent	36009b0af396f7a0920d5508e67cf58ff955478e (diff)
download	poky-c6d12aaaa21048373b280cff9d3dfc0082a025eb.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch new file mode 100644 index 0000000000..4cc462d277 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-0777_CVE-2016-0778.patch
@@ -0,0 +1,56 @@
		1	From e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Fri, 15 Jan 2016 01:30:36 +1100
		4	Subject: [PATCH] forcibly disable roaming support in the client
		5
		6
		7	Upstream-Status: Backport
		8	CVE: CVE-2016-0777
		9	CVE: CVE-2016-0778
		10
		11	[Yocto #8935]
		12
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	readconf.c \| 5 ++---
		17	ssh.c \| 3 ---
		18	2 files changed, 2 insertions(+), 6 deletions(-)
		19
		20	Index: openssh-6.7p1/readconf.c
		21	===================================================================
		22	--- openssh-6.7p1.orig/readconf.c
		23	+++ openssh-6.7p1/readconf.c
		24	@@ -1597,7 +1597,7 @@ initialize_options(Options * options)
		25	options->tun_remote = -1;
		26	options->local_command = NULL;
		27	options->permit_local_command = -1;
		28	- options->use_roaming = -1;
		29	+ options->use_roaming = 0;
		30	options->visual_host_key = -1;
		31	options->ip_qos_interactive = -1;
		32	options->ip_qos_bulk = -1;
		33	@@ -1768,8 +1768,7 @@ fill_default_options(Options * options)
		34	options->tun_remote = SSH_TUNID_ANY;
		35	if (options->permit_local_command == -1)
		36	options->permit_local_command = 0;
		37	- if (options->use_roaming == -1)
		38	- options->use_roaming = 1;
		39	+ options->use_roaming = 0;
		40	if (options->visual_host_key == -1)
		41	options->visual_host_key = 0;
		42	if (options->ip_qos_interactive == -1)
		43	Index: openssh-6.7p1/ssh.c
		44	===================================================================
		45	--- openssh-6.7p1.orig/ssh.c
		46	+++ openssh-6.7p1/ssh.c
		47	@@ -1800,9 +1800,6 @@ ssh_session2(void)
		48	fork_postauth();
		49	}
		50
		51	- if (options.use_roaming)
		52	- request_roaming();
		53	-
		54	return client_loop(tty_flag, tty_flag ?
		55	options.escape_char : SSH_ESCAPECHAR_NONE, id);
		56	}


diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb index 3807583d95..0ce84aa70e 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -26,7 +26,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
26	file://openssh-CVE-2014-2532.patch \	26	file://openssh-CVE-2014-2532.patch \
27	file://openssh-CVE-2014-2653.patch \	27	file://openssh-CVE-2014-2653.patch \
28	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \	28	file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch \
29	file://openssh-ptest-fix-sshconnect.patch"	29	file://openssh-ptest-fix-sshconnect.patch \
		30	file://CVE-2016-0777_CVE-2016-0778.patch \
		31	"
30		32
31	PAM_SRC_URI = "file://sshd"	33	PAM_SRC_URI = "file://sshd"
32		34