From 98efb78dba3c2720d186af665a7bd06288a5664d Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 11 Dec 2023 16:49:22 +0300 Subject: [PATCH] import openssh-8.0p1-19.el8_8 --- SOURCES/openssh-8.0p1-sshd_include.patch | 13 ++++++++ SOURCES/openssh-9.1p1-sshbanner.patch | 32 +++++++++++++++++++ ...penssh-9.3p1-upstream-cve-2023-38408.patch | 17 ++++++++++ SPECS/openssh.spec | 23 +++++++++++-- 4 files changed, 82 insertions(+), 3 deletions(-) create mode 100644 SOURCES/openssh-9.1p1-sshbanner.patch create mode 100644 SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch diff --git a/SOURCES/openssh-8.0p1-sshd_include.patch b/SOURCES/openssh-8.0p1-sshd_include.patch index 9b634cc..ff51340 100644 --- a/SOURCES/openssh-8.0p1-sshd_include.patch +++ b/SOURCES/openssh-8.0p1-sshd_include.patch @@ -790,3 +790,16 @@ diff -up openssh-8.0p1/sshd.c.sshdinclude openssh-8.0p1/sshd.c dump_config(&options); } +diff -up openssh-8.0p1/sshbuf-getput-basic.c.stringb openssh-8.0p1/sshbuf-getput-basic.c +--- openssh-8.0p1/sshbuf-getput-basic.c.stringb 2022-12-21 12:18:43.274799163 +0100 ++++ openssh-8.0p1/sshbuf-getput-basic.c 2022-12-21 12:19:19.758081516 +0100 +@@ -371,6 +371,9 @@ sshbuf_put_cstring(struct sshbuf *buf, c + int + sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v) + { ++ if (v == NULL) ++ return sshbuf_put_string(buf, NULL, 0); ++ + return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v)); + } + diff --git a/SOURCES/openssh-9.1p1-sshbanner.patch b/SOURCES/openssh-9.1p1-sshbanner.patch new file mode 100644 index 0000000..0e40770 --- /dev/null +++ b/SOURCES/openssh-9.1p1-sshbanner.patch @@ -0,0 +1,32 @@ +diff --git a/ssh-keyscan.c b/ssh-keyscan.c +index d29a03b4..d7283136 100644 +--- a/ssh-keyscan.c ++++ b/ssh-keyscan.c +@@ -490,6 +490,15 @@ congreet(int s) + return; + } + ++ /* ++ * Read the server banner as per RFC4253 section 4.2. The "SSH-" ++ * protocol identification string may be preceeded by an arbitarily ++ * large banner which we must read and ignore. Loop while reading ++ * newline-terminated lines until we have one starting with "SSH-". ++ * The ID string cannot be longer than 255 characters although the ++ * preceeding banner lines may (in which case they'll be discarded ++ * in multiple iterations of the outer loop). ++ */ + for (;;) { + memset(buf, '\0', sizeof(buf)); + bufsiz = sizeof(buf); +@@ -517,6 +526,11 @@ congreet(int s) + conrecycle(s); + return; + } ++ if (cp >= buf + sizeof(buf)) { ++ error("%s: greeting exceeds allowable length", c->c_name); ++ confree(s); ++ return; ++ } + if (*cp != '\n' && *cp != '\r') { + error("%s: bad greeting", c->c_name); + confree(s); diff --git a/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch b/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch new file mode 100644 index 0000000..5632ba1 --- /dev/null +++ b/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch @@ -0,0 +1,17 @@ +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 6be647ec..ebddf6c3 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_module, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + + p->module->handle = handle; + /* setup the pkcs11 callbacks */ diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 34a50f0..9affdf7 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -66,7 +66,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 17 +%global openssh_rel 19 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 @@ -252,6 +252,7 @@ Patch980: openssh-8.7p1-upstream-cve-2021-41617.patch # c2bd7f74b0e0f3a3ee9d19ac549e6ba89013abaf~1..677d0ece67634262b3b96c3cd6410b19f3a603b7 # 8bdc3bb7cf4c82c3344cfcb82495a43406e87e83 # 47adfdc07f4f8ea0064a1495500244de08d311ed~1..7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01 +# supplementary commit 612b1dd1ec91ffb1e01f58cca0c6eb1d47bf4423 Patch981: openssh-8.0p1-sshd_include.patch # Port upstream ClientAliveCountMax behaviour # upstream commit: @@ -272,8 +273,13 @@ Patch984: openssh-8.0p1-crypto-policy-doc.patch # 0fa33683223c76289470a954404047bc762be84c # f8df0413f0a057b6a3d3dd7bd8bc7c5d80911d3a Patch985: openssh-8.7p1-minimize-sha1-use.patch +# Upstream ff89b1bed80721295555bd083b173247a9c0484e +Patch986: openssh-9.1p1-sshbanner.patch # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6 Patch987: openssh-8.0p1-ipv6-process.patch +# upsream commit +# b23fe83f06ee7e721033769cfa03ae840476d280 +Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch License: BSD Group: Applications/Internet @@ -505,6 +511,7 @@ popd %patch983 -p1 -b .sftp-realpath %patch984 -p1 -b .crypto-policy-doc %patch985 -p1 -b .minimize-sha1-use +%patch986 -p1 -b .banner %patch987 -p1 -b .sftp_ipv6 %patch200 -p1 -b .audit @@ -512,6 +519,7 @@ popd %patch700 -p1 -b .fips %patch100 -p1 -b .coverity +%patch1015 -p1 -b .cve-2023-38408 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -797,8 +805,17 @@ getent passwd sshd >/dev/null || \ %endif %changelog -* Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17 -- Fix parsing of IPv6 IPs in sftp client (#2162733) +* Thu Jul 20 2023 Dmitry Belyavskiy - 8.0p1-19 +- rebuilt + +* Thu Jul 20 2023 Dmitry Belyavskiy - 8.0p1-18 +- Avoid remote code execution in ssh-agent PKCS#11 support + Resolves: CVE-2023-38408 + +* Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 +- Fix parsing of IPv6 IPs in sftp client (#2151334) +- Avoid ssh banner one-byte overflow (#2138344) +- Avoid crash of sshd when Include folder does not exist (#2133087) * Wed Jun 29 2022 Zoltan Fridrich - 8.0p1-16 - Omit client side from minimize-sha1-use.patch to prevent regression (#2093897)