openssh: Security Fix CVE-2016-3115

opehssh <= 7.2 (From OE-Core rev: 7d6abd0b7b89f28343741c2188da22c6d1c6c8ea) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-27 17:47:20 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-04-29 07:41:43 +0100
commit: 3c6ead9129d35b71c6067c7d46ab3a8d12a121de (patch)
tree: 12f5f6b0a3298090b7bb8ce22013afc5fcff9615
parent: 3f75a6478b6b6a62ddd9e086770efc84f8666928 (diff)
download: poky-3c6ead9129d35b71c6067c7d46ab3a8d12a121de.tar.gz
2 files changed, 87 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
new file mode 100644
index 0000000000..9a9ad776ce
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
@@ -0,0 +1,84 @@
+From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 10 Mar 2016 11:47:57 +0000
+Subject: [PATCH] upstream commit
+sanitise characters destined for xauth reported by
+ github.com/tintinweb feedback and ok deraadt and markus
+Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
+Upstream-Status: Backport
+CVE: CVE-2016-3115
+https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ session.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+Index: openssh-7.1p2/session.c
+===================================================================
+--- openssh-7.1p2.orig/session.c
+++ openssh-7.1p2/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
+#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt)
+        do_cleanup(authctxt);
+ }
+ 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+       size_t i;
+
+       for (i = 0; s[i] != '\0'; i++) {
+               if (!isalnum((u_char)s[i]) &&
+                   s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+                   s[i] != '-' && s[i] != '_')
+               return 0;
+       }
+       return 1;
+}
+
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt)
+                                s->screen = 0;
+                        }
+                        packet_check_eom();
+-                       success = session_setup_x11fwd(s);
+                       if (xauth_valid_string(s->auth_proto) &&
+                           xauth_valid_string(s->auth_data))
+                               success = session_setup_x11fwd(s);
+                       else {
+                               success = 0;
+                               error("Invalid X11 forwarding data");
+                       }
+                        if (!success) {
+                                free(s->auth_proto);
+                                free(s->auth_data);
+@@ -2181,7 +2203,13 @@ session_x11_req(Session *s)
+        s->screen = packet_get_int();
+        packet_check_eom();
+ 
+-       success = session_setup_x11fwd(s);
+       if (xauth_valid_string(s->auth_proto) &&
+           xauth_valid_string(s->auth_data))
+               success = session_setup_x11fwd(s);
+       else {
+               success = 0;
+               error("Invalid X11 forwarding data");
+       }
+        if (!success) {
+                free(s->auth_proto);
+                free(s->auth_data);
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
index 3b5e28a1d7..c1b0fb28a0 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
           file://run-ptest \
           file://CVE-2016-1907_upstream_commit.patch \
           file://CVE-2016-1907_2.patch \
-           file://CVE-2016-1907_3.patch "
+           file://CVE-2016-1907_3.patch \
+           file://CVE-2016-3115.patch \
+           "
 PAM_SRC_URI = "file://sshd"
author	Armin Kuster <akuster@mvista.com>	2016-04-27 17:47:20 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-04-29 07:41:43 +0100
commit	3c6ead9129d35b71c6067c7d46ab3a8d12a121de (patch)
tree	12f5f6b0a3298090b7bb8ce22013afc5fcff9615
parent	3f75a6478b6b6a62ddd9e086770efc84f8666928 (diff)
download	poky-3c6ead9129d35b71c6067c7d46ab3a8d12a121de.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch new file mode 100644 index 0000000000..9a9ad776ce --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch
@@ -0,0 +1,84 @@
		1	From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Thu, 10 Mar 2016 11:47:57 +0000
		4	Subject: [PATCH] upstream commit
		5
		6	sanitise characters destined for xauth reported by
		7	github.com/tintinweb feedback and ok deraadt and markus
		8
		9	Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2016-3115
		13	https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
		14
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	session.c \| 34 +++++++++++++++++++++++++++++++---
		19	1 file changed, 31 insertions(+), 3 deletions(-)
		20
		21	Index: openssh-7.1p2/session.c
		22	===================================================================
		23	--- openssh-7.1p2.orig/session.c
		24	+++ openssh-7.1p2/session.c
		25	@@ -46,6 +46,7 @@
		26
		27	#include <arpa/inet.h>
		28
		29	+#include <ctype.h>
		30	#include <errno.h>
		31	#include <fcntl.h>
		32	#include <grp.h>
		33	@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt)
		34	do_cleanup(authctxt);
		35	}
		36
		37	+/* Check untrusted xauth strings for metacharacters */
		38	+static int
		39	+xauth_valid_string(const char *s)
		40	+{
		41	+ size_t i;
		42	+
		43	+ for (i = 0; s[i] != '\0'; i++) {
		44	+ if (!isalnum((u_char)s[i]) &&
		45	+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
		46	+ s[i] != '-' && s[i] != '_')
		47	+ return 0;
		48	+ }
		49	+ return 1;
		50	+}
		51	+
		52	/*
		53	* Prepares for an interactive session. This is called after the user has
		54	* been successfully authenticated. During this message exchange, pseudo
		55	@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt)
		56	s->screen = 0;
		57	}
		58	packet_check_eom();
		59	- success = session_setup_x11fwd(s);
		60	+ if (xauth_valid_string(s->auth_proto) &&
		61	+ xauth_valid_string(s->auth_data))
		62	+ success = session_setup_x11fwd(s);
		63	+ else {
		64	+ success = 0;
		65	+ error("Invalid X11 forwarding data");
		66	+ }
		67	if (!success) {
		68	free(s->auth_proto);
		69	free(s->auth_data);
		70	@@ -2181,7 +2203,13 @@ session_x11_req(Session *s)
		71	s->screen = packet_get_int();
		72	packet_check_eom();
		73
		74	- success = session_setup_x11fwd(s);
		75	+ if (xauth_valid_string(s->auth_proto) &&
		76	+ xauth_valid_string(s->auth_data))
		77	+ success = session_setup_x11fwd(s);
		78	+ else {
		79	+ success = 0;
		80	+ error("Invalid X11 forwarding data");
		81	+ }
		82	if (!success) {
		83	free(s->auth_proto);
		84	free(s->auth_data);


diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb index 3b5e28a1d7..c1b0fb28a0 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.1p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -23,7 +23,9 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
23	file://run-ptest \	23	file://run-ptest \
24	file://CVE-2016-1907_upstream_commit.patch \	24	file://CVE-2016-1907_upstream_commit.patch \
25	file://CVE-2016-1907_2.patch \	25	file://CVE-2016-1907_2.patch \
26	file://CVE-2016-1907_3.patch "	26	file://CVE-2016-1907_3.patch \
		27	file://CVE-2016-3115.patch \
		28	"
27		29
28	PAM_SRC_URI = "file://sshd"	30	PAM_SRC_URI = "file://sshd"
29		31