Merging debian version 1:7.9p1-10+deb10u3.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-07 05:37:55 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-07 05:37:55 +0000
commit: 085377d0cee4cd384fd4bbb67ec162bf8e4367cb (patch)
tree: 371f72295843f8b4cfb6740441673e202bb29b2a
parent: Releasing progress-linux version 1:7.9p1-10+deb10u2progress5u1. (diff)
download: openssh-085377d0cee4cd384fd4bbb67ec162bf8e4367cb.tar.xz
openssh-085377d0cee4cd384fd4bbb67ec162bf8e4367cb.zip
7 files changed, 225 insertions, 25 deletions
diff --git a/debian/.gitignore b/debian/.gitignore
deleted file mode 100644
index 988323b..0000000
--- a/debian/.gitignore
+++ /dev/null
@@ -1,17 +0,0 @@
-/*.debhelper*
-/*substvars
-/build-deb
-/build-udeb
-/files
-/keygen-test/key1
-/keygen-test/key1.pub
-/keygen-test/key2
-/keygen-test/key2.pub
-/openssh-client
-/openssh-client-udeb
-/openssh-server
-/openssh-server-udeb
-/ssh
-/ssh-askpass-gnome
-/ssh-krb5
-/tmp
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index 845003c..4816152 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -1,9 +1,9 @@
-image: registry.gitlab.com/eighthave/ci-image-git-buildpackage:latest
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
 
-build:
-  artifacts:
-    paths:
-    - "*.deb"
-    expire_in: 1 day
-  script:
-    - gitlab-ci-git-buildpackage-all
+variables:
+  RELEASE: 'buster'
+  SALSA_CI_COMPONENTS: 'main contrib non-free'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_PIUPARTS: 1
diff --git a/debian/changelog b/debian/changelog
index 487c0a2..f855717 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+openssh (1:7.9p1-10+deb10u3) buster-security; urgency=high
+
+  * Non-maintainer upload.
+
+  [ Salvatore Bonaccorso ]
+  * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
+    and ConnectionAttempts directives - connection attempts after the
+    first were ignoring the requested timeout (LP: #1798049).
+
+  [ Utkarsh Gupta ]
+  * remote code execution relating to PKCS#11 providers
+    - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
+      to load a PKCS#11 provider that isn't a PKCS#11 provider in
+      ssh-pkcs11.c.
+    - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
+      contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
+    - CVE-2023-38408
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Wed, 29 Mar 2023 11:02:23 +0200
+
 openssh (1:7.9p1-10+deb10u2progress5u1) engywuck; urgency=medium
 
   * Initial reupload to engywuck.
diff --git a/debian/patches/CVE-2023-38408-1.patch b/debian/patches/CVE-2023-38408-1.patch
new file mode 100644
index 0000000..277979f
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-1.patch
@@ -0,0 +1,28 @@
+From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH] upstream: terminate process if requested to load a PKCS#11
+ provider
+
+that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+---
+ ssh-pkcs11.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -612,10 +612,8 @@
+ 		error("dlopen %s failed: %s", provider_id, dlerror());
+ 		goto fail;
+ 	}
+-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-		goto fail;
+-	}
++	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ 	p = xcalloc(1, sizeof(*p));
+ 	p->name = xstrdup(provider_id);
+ 	p->handle = handle;
diff --git a/debian/patches/CVE-2023-38408-3.patch b/debian/patches/CVE-2023-38408-3.patch
new file mode 100644
index 0000000..acbdf84
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-3.patch
@@ -0,0 +1,140 @@
+Backport of:
+
+From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+---
+ misc.c       | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h       |  3 +-
+ ssh-pkcs11.c |  6 +++-
+ 3 files changed, 83 insertions(+), 4 deletions(-)
+
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+ 
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -38,6 +39,9 @@
+ #ifdef HAVE_LIBGEN_H
+ # include <libgen.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2085,3 +2089,75 @@
+ 	localtime_r(&tt, &tm);
+ 	strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
+ }
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++	struct nlist nl[2];
++	int ret = -1, r;
++
++	memset(nl, 0, sizeof(nl));
++	nl[0].n_name = xstrdup(s);
++	nl[1].n_name = NULL;
++	if ((r = nlist(path, nl)) == -1) {
++		error("nlist failed for %s", path);
++		goto out;
++	}
++	if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++		error("library %s does not contain symbol %s", path, s);
++		goto out;
++	}
++	/* success */
++	ret = 0;
++ out:
++	free(nl[0].n_name);
++	return ret;
++#else /* HAVE_NLIST_H */
++	int fd, ret = -1;
++	struct stat st;
++	void *m = NULL;
++	size_t sz = 0;
++
++	memset(&st, 0, sizeof(st));
++	if ((fd = open(path, O_RDONLY)) < 0) {
++		error("open %s: %s", path, strerror(errno));
++		return -1;
++	}
++	if (fstat(fd, &st) != 0) {
++		error("fstat %s: %s", path, strerror(errno));
++		goto out;
++	}
++	if (!S_ISREG(st.st_mode)) {
++		error("%s is not a regular file", path);
++		goto out;
++	}
++	if (st.st_size < 0 ||
++	    (size_t)st.st_size < strlen(s) ||
++	    st.st_size >= INT_MAX/2) {
++		error("%s bad size %lld", path, (long long)st.st_size);
++		goto out;
++	}
++	sz = (size_t)st.st_size;
++	if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++	    m == NULL) {
++		error("mmap %s: %s", path, strerror(errno));
++		goto out;
++	}
++	if (memmem(m, sz, s, strlen(s)) == NULL) {
++		error("%s does not contain expected string %s", path, s);
++		goto out;
++	}
++	/* success */
++	ret = 0;
++ out:
++	if (m != NULL && m != MAP_FAILED)
++		munmap(m, sz);
++	close(fd);
++	return ret;
++#endif /* HAVE_NLIST_H */
++}
+--- a/misc.h
++++ b/misc.h
+@@ -78,6 +78,7 @@
+ const char *atoi_err(const char *, int *);
+ int	 parse_absolute_time(const char *, uint64_t *);
+ void	 format_absolute_time(uint64_t, char *, size_t);
++int	 lib_contains_symbol(const char *, const char *);
+ 
+ void	 sock_set_v6only(int);
+ 
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -607,6 +607,10 @@
+ 		    __func__, provider_id);
+ 		goto fail;
+ 	}
++	if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++		error("provider %s is not a PKCS11 library", provider_id);
++		goto fail;
++	}
+ 	/* open shared pkcs11-libarary */
+ 	if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+ 		error("dlopen %s failed: %s", provider_id, dlerror());
diff --git a/debian/patches/bug2918.patch b/debian/patches/bug2918.patch
new file mode 100644
index 0000000..751259c
--- /dev/null
+++ b/debian/patches/bug2918.patch
@@ -0,0 +1,26 @@
+Description: ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives
+ Connection attempts after the first were ignoring the requested timeout
+Origin: upstream, https://bugzilla.mindrot.org/attachment.cgi?id=3233
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2918
+Forwarded: no
+Last-Update: 2023-03-29
+
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -500,7 +500,7 @@
+     struct sockaddr_storage *hostaddr, u_short port, int family,
+     int connection_attempts, int *timeout_ms, int want_keepalive)
+ {
+-	int on = 1;
++	int on = 1, saved_timeout_ms = *timeout_ms;
+ 	int oerrno, sock = -1, attempt;
+ 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ 	struct addrinfo *ai;
+@@ -544,6 +544,7 @@
+ 				continue;
+ 			}
+ 
++			*timeout_ms = saved_timeout_ms;
+ 			if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
+ 			    timeout_ms) >= 0) {
+ 				/* Successful connection. */
diff --git a/debian/patches/series b/debian/patches/series
index e408778..0a1d885 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,6 +34,9 @@ scp-handle-braces.patch
 revert-ipqos-defaults.patch
 seccomp-handle-shm.patch
 sandbox-seccomp-ipc.patch
+bug2918.patch
+CVE-2023-38408-1.patch
+CVE-2023-38408-3.patch
 progress-linux/0001-ssh-keygen-default-key-type.patch
 progress-linux/0002-ssh-keygen-default-rsa-size.patch
 progress-linux/0003-ssh-keygen-default-ecdsa-size.patch
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-05-07 05:37:55 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-05-07 05:37:55 +0000
commit	085377d0cee4cd384fd4bbb67ec162bf8e4367cb (patch)
tree	371f72295843f8b4cfb6740441673e202bb29b2a
parent	Releasing progress-linux version 1:7.9p1-10+deb10u2progress5u1. (diff)
download	openssh-085377d0cee4cd384fd4bbb67ec162bf8e4367cb.tar.xz openssh-085377d0cee4cd384fd4bbb67ec162bf8e4367cb.zip