-rw-r--r-- | debian/.gitignore | 17 | ||||
-rw-r--r-- | debian/.gitlab-ci.yml | 16 | ||||
-rw-r--r-- | debian/changelog | 20 | ||||
-rw-r--r-- | debian/patches/CVE-2023-38408-1.patch | 28 | ||||
-rw-r--r-- | debian/patches/CVE-2023-38408-3.patch | 140 | ||||
-rw-r--r-- | debian/patches/bug2918.patch | 26 | ||||
-rw-r--r-- | debian/patches/series | 3 |
7 files changed, 225 insertions, 25 deletions
diff --git a/debian/.gitignore b/debian/.gitignore
deleted file mode 100644
index 988323b..0000000
--- a/debian/.gitignore
+++ /dev/null
@@ -1,17 +0,0 @@
-/*.debhelper*
-/*substvars
-/build-deb
-/build-udeb
-/files
-/keygen-test/key1
-/keygen-test/key1.pub
-/keygen-test/key2
-/keygen-test/key2.pub
-/openssh-client
-/openssh-client-udeb
-/openssh-server
-/openssh-server-udeb
-/ssh
-/ssh-askpass-gnome
-/ssh-krb5
-/tmp
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index 845003c..4816152 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -1,9 +1,9 @@
-image: registry.gitlab.com/eighthave/ci-image-git-buildpackage:latest
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
-build:
- artifacts:
- paths:
- - "*.deb"
- expire_in: 1 day
- script:
- - gitlab-ci-git-buildpackage-all
+variables:
+ RELEASE: 'buster'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
+ SALSA_CI_DISABLE_PIUPARTS: 1
diff --git a/debian/changelog b/debian/changelog
index 852e8b9..0e30cc0 100644
--- a/debian/changelog
+++ b/debian/changelog
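Review bot: The `include:` added to .gitlab-ci.yml fetches the pipeline definition from the `master` branch of the salsa-ci-team/pipeline project at run time, so CI behaviour for this package can change without any commit here. If reproducible CI matters, pin the include to a tagged ref of that project; otherwise a one-line comment above `include:` stating that the recipe deliberately floats with the Salsa CI team's master branch would make the choice explicit to the next maintainer.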
@@ -1,3 +1,23 @@
+openssh (1:7.9p1-10+deb10u3) buster-security; urgency=high
+
+ * Non-maintainer upload.
+
+ [ Salvatore Bonaccorso ]
+ * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
+ and ConnectionAttempts directives - connection attempts after the
+ first were ignoring the requested timeout (LP: #1798049).
+
+ [ Utkarsh Gupta ]
+ * remote code execution relating to PKCS#11 providers
+ - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
+ to load a PKCS#11 provider that isn't a PKCS#11 provider in
+ ssh-pkcs11.c.
+ - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
+ contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
+ - CVE-2023-38408
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Wed, 29 Mar 2023 11:02:23 +0200
+
 openssh (1:7.9p1-10+deb10u2) buster; urgency=medium
 * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
diff --git a/debian/patches/CVE-2023-38408-1.patch b/debian/patches/CVE-2023-38408-1.patch
new file mode 100644
index 0000000..277979f
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-1.patch
@@ -0,0 +1,28 @@
+From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH] upstream: terminate process if requested to load a PKCS#11
+ provider
+
+that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+---
+ ssh-pkcs11.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -612,10 +612,8 @@
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
diff --git a/debian/patches/CVE-2023-38408-3.patch b/debian/patches/CVE-2023-38408-3.patch
new file mode 100644
index 0000000..acbdf84
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-3.patch
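Review bot: The switch from `error(...); goto fail;` to `fatal()` in the inner ssh-pkcs11.c hunk carries no comment explaining why a missing `C_GetFunctionList` is now treated as unrecoverable, and the commit message only says the provider "isn't a PKCS#11 provider". Since the `dlopen()` on the preceding context line has already succeeded, the library's constructors have already executed in this process (the sibling CVE-2023-38408-3.patch spells this side effect out), which is presumably why continuing is not considered safe; a comment such as `/* library is already loaded and its constructors have run; do not continue */` above the `fatal()` would keep that reasoning with the code for the next backporter. The patch header also lacks the DEP-3 fields that bug2918.patch in this same commit carries: an `Origin: backport, ...` line naming upstream commit 892506b13654301f69f9545f48213fc210e5c5cc and a `Bug:`/`Bug-Debian:` line would make the provenance machine-readable. The modified function in ssh-pkcs11.c starts and ends outside this hunk.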
@@ -0,0 +1,140 @@
+Backport of:
+
+From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+---
+ misc.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h | 3 +-
+ ssh-pkcs11.c | 6 +++-
+ 3 files changed, 83 insertions(+), 4 deletions(-)
+
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+ 
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -38,6 +39,9 @@
+ #ifdef HAVE_LIBGEN_H
+ # include <libgen.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2085,3 +2089,75 @@
+ localtime_r(&tt, &tm);
+ strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
+ }
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++ struct nlist nl[2];
++ int ret = -1, r;
++
++ memset(nl, 0, sizeof(nl));
++ nl[0].n_name = xstrdup(s);
++ nl[1].n_name = NULL;
++ if ((r = nlist(path, nl)) == -1) {
++ error("nlist failed for %s", path);
++ goto out;
++ }
++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++ error("library %s does not contain symbol %s", path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ free(nl[0].n_name);
++ return ret;
++#else /* HAVE_NLIST_H */
++ int fd, ret = -1;
++ struct stat st;
++ void *m = NULL;
++ size_t sz = 0;
++
++ memset(&st, 0, sizeof(st));
++ if ((fd = open(path, O_RDONLY)) < 0) {
++ error("open %s: %s", path, strerror(errno));
++ return -1;
++ }
++ if (fstat(fd, &st) != 0) {
++ error("fstat %s: %s", path, strerror(errno));
++ goto out;
++ }
++ if (!S_ISREG(st.st_mode)) {
++ error("%s is not a regular file", path);
++ goto out;
++ }
++ if (st.st_size < 0 ||
++ (size_t)st.st_size < strlen(s) ||
++ st.st_size >= INT_MAX/2) {
++ error("%s bad size %lld", path, (long long)st.st_size);
++ goto out;
++ }
++ sz = (size_t)st.st_size;
++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++ m == NULL) {
++ error("mmap %s: %s", path, strerror(errno));
++ goto out;
++ }
++ if (memmem(m, sz, s, strlen(s)) == NULL) {
++ error("%s does not contain expected string %s", path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ if (m != NULL && m != MAP_FAILED)
++ munmap(m, sz);
++ close(fd);
++ return ret;
++#endif /* HAVE_NLIST_H */
++}
+--- a/misc.h
++++ b/misc.h
+@@ -78,6 +78,7 @@
+ const char *atoi_err(const char *, int *);
+ int parse_absolute_time(const char *, uint64_t *);
+ void format_absolute_time(uint64_t, char *, size_t);
++int lib_contains_symbol(const char *, const char *);
+ 
+ void sock_set_v6only(int);
+ 
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -607,6 +607,10 @@
+ __func__, provider_id);
+ goto fail;
+ }
++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++ error("provider %s is not a PKCS11 library", provider_id);
++ goto fail;
++ }
+ /* open shared pkcs11-libarary */
+ if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+ error("dlopen %s failed: %s", provider_id, dlerror());
diff --git a/debian/patches/bug2918.patch b/debian/patches/bug2918.patch
new file mode 100644
index 0000000..751259c
--- /dev/null
+++ b/debian/patches/bug2918.patch
@@ -0,0 +1,26 @@
+Description: ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives
+ Connection attempts after the first were ignoring the requested timeout
+Origin: upstream, https://bugzilla.mindrot.org/attachment.cgi?id=3233
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2918
+Forwarded: no
+Last-Update: 2023-03-29
+
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -500,7 +500,7 @@
+ struct sockaddr_storage *hostaddr, u_short port, int family,
+ int connection_attempts, int *timeout_ms, int want_keepalive)
+ {
+- int on = 1;
++ int on = 1, saved_timeout_ms = *timeout_ms;
+ int oerrno, sock = -1, attempt;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ struct addrinfo *ai;
+@@ -544,6 +544,7 @@
+ continue;
+ }
+ 
++ *timeout_ms = saved_timeout_ms;
+ if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
+ timeout_ms) >= 0) {
+ /* Successful connection. */
diff --git a/debian/patches/series b/debian/patches/series
index aed9546..2aca60f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,3 +34,6 @@ scp-handle-braces.patch
 revert-ipqos-defaults.patch
 seccomp-handle-shm.patch
 sandbox-seccomp-ipc.patch
+bug2918.patch
+CVE-2023-38408-1.patch
+CVE-2023-38408-3.patch |
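Review bot: The `#else` branch of `lib_contains_symbol()` in the misc.c hunk is a plain `memmem()` search for the bytes of the symbol name rather than a symbol-table lookup, so any regular file that merely contains the string `C_GetFunctionList` passes, and the check and the later `dlopen(provider_id, ...)` in the ssh-pkcs11.c hunk open the path separately rather than sharing one descriptor; a comment at the top of that branch, e.g. `/* No nlist(3): best-effort byte search only; this pre-screens a candidate but does not prove it is a PKCS#11 module */`, would stop a later reader from treating the fallback as a guarantee. Whether the `HAVE_NLIST_H` branch is ever compiled depends on the buster configure script actually probing for `<nlist.h>`, and the fallback also relies on `O_RDONLY`, `INT_MAX` and `memmem()` whose headers the include hunk does not add — presumably misc.c already has them, but a test build on buster should confirm both. Separately, the embedded diffstat lists only misc.c, misc.h and ssh-pkcs11.c, while the changelog entry for this patch also names ssh-sk.c, which does not appear in the patch; the changelog wording looks copied from a newer branch and should be trimmed to the files actually touched. The inner ssh-pkcs11.c hunk sits inside a function whose start and end are outside the hunk.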
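Review bot: The added `*timeout_ms = saved_timeout_ms;` in the second sshconnect.c hunk of bug2918.patch has no comment saying why the value must be reset, and the reason is not visible in the hunk: presumably `timeout_connect()` updates `*timeout_ms` in place, so without the reset every attempt after the first starts from an already consumed budget. A one-line comment such as `/* timeout_connect() modifies *timeout_ms; restart each attempt from the configured value */` would tie the fix to bug 2918 for the next reader. In the DEP-3 header, `Origin: upstream` combined with `Forwarded: no` reads as contradictory — a patch taken from upstream's bug tracker does not need forwarding, so `Forwarded: not-needed` is the conventional value. The enclosing function starts before the first inner hunk and ends after the second.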