summaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.gitignore17
-rw-r--r--debian/.gitlab-ci.yml16
-rw-r--r--debian/changelog20
-rw-r--r--debian/patches/CVE-2023-38408-1.patch28
-rw-r--r--debian/patches/CVE-2023-38408-3.patch140
-rw-r--r--debian/patches/bug2918.patch26
-rw-r--r--debian/patches/series3
7 files changed, 225 insertions, 25 deletions
diff --git a/debian/.gitignore b/debian/.gitignore
deleted file mode 100644
index 988323b..0000000
--- a/debian/.gitignore
+++ /dev/null
@@ -1,17 +0,0 @@
-/*.debhelper*
-/*substvars
-/build-deb
-/build-udeb
-/files
-/keygen-test/key1
-/keygen-test/key1.pub
-/keygen-test/key2
-/keygen-test/key2.pub
-/openssh-client
-/openssh-client-udeb
-/openssh-server
-/openssh-server-udeb
-/ssh
-/ssh-askpass-gnome
-/ssh-krb5
-/tmp
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index 845003c..4816152 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -1,9 +1,9 @@
-image: registry.gitlab.com/eighthave/ci-image-git-buildpackage:latest
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
-build:
- artifacts:
- paths:
- - "*.deb"
- expire_in: 1 day
- script:
- - gitlab-ci-git-buildpackage-all
+variables:
+ RELEASE: 'buster'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
+ SALSA_CI_DISABLE_PIUPARTS: 1
diff --git a/debian/changelog b/debian/changelog
index 852e8b9..0e30cc0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+openssh (1:7.9p1-10+deb10u3) buster-security; urgency=high
+
+ * Non-maintainer upload.
+
+ [ Salvatore Bonaccorso ]
+ * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
+ and ConnectionAttempts directives - connection attempts after the
+ first were ignoring the requested timeout (LP: #1798049).
+
+ [ Utkarsh Gupta ]
+ * remote code execution relating to PKCS#11 providers
+ - debian/patches/CVE-2023-38408-1.patch: terminate process if requested
+ to load a PKCS#11 provider that isn't a PKCS#11 provider in
+ ssh-pkcs11.c.
+ - debian/patches/CVE-2023-38408-3.patch: ensure FIDO/PKCS11 libraries
+ contain expected symbols in misc.c, misc.h, ssh-pkcs11.c, ssh-sk.c.
+ - CVE-2023-38408
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Wed, 29 Mar 2023 11:02:23 +0200
+
openssh (1:7.9p1-10+deb10u2) buster; urgency=medium
* Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
diff --git a/debian/patches/CVE-2023-38408-1.patch b/debian/patches/CVE-2023-38408-1.patch
new file mode 100644
index 0000000..277979f
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-1.patch
@@ -0,0 +1,28 @@
+From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH] upstream: terminate process if requested to load a PKCS#11
+ provider
+
+that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+---
+ ssh-pkcs11.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -612,10 +612,8 @@
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
diff --git a/debian/patches/CVE-2023-38408-3.patch b/debian/patches/CVE-2023-38408-3.patch
new file mode 100644
index 0000000..acbdf84
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-3.patch
@@ -0,0 +1,140 @@
+Backport of:
+
+From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+---
+ misc.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h | 3 +-
+ ssh-pkcs11.c | 6 +++-
+ 3 files changed, 83 insertions(+), 4 deletions(-)
+
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -38,6 +39,9 @@
+ #ifdef HAVE_LIBGEN_H
+ # include <libgen.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2085,3 +2089,75 @@
+ localtime_r(&tt, &tm);
+ strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
+ }
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++ struct nlist nl[2];
++ int ret = -1, r;
++
++ memset(nl, 0, sizeof(nl));
++ nl[0].n_name = xstrdup(s);
++ nl[1].n_name = NULL;
++ if ((r = nlist(path, nl)) == -1) {
++ error("nlist failed for %s", path);
++ goto out;
++ }
++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++ error("library %s does not contain symbol %s", path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ free(nl[0].n_name);
++ return ret;
++#else /* HAVE_NLIST_H */
++ int fd, ret = -1;
++ struct stat st;
++ void *m = NULL;
++ size_t sz = 0;
++
++ memset(&st, 0, sizeof(st));
++ if ((fd = open(path, O_RDONLY)) < 0) {
++ error("open %s: %s", path, strerror(errno));
++ return -1;
++ }
++ if (fstat(fd, &st) != 0) {
++ error("fstat %s: %s", path, strerror(errno));
++ goto out;
++ }
++ if (!S_ISREG(st.st_mode)) {
++ error("%s is not a regular file", path);
++ goto out;
++ }
++ if (st.st_size < 0 ||
++ (size_t)st.st_size < strlen(s) ||
++ st.st_size >= INT_MAX/2) {
++ error("%s bad size %lld", path, (long long)st.st_size);
++ goto out;
++ }
++ sz = (size_t)st.st_size;
++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++ m == NULL) {
++ error("mmap %s: %s", path, strerror(errno));
++ goto out;
++ }
++ if (memmem(m, sz, s, strlen(s)) == NULL) {
++ error("%s does not contain expected string %s", path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ if (m != NULL && m != MAP_FAILED)
++ munmap(m, sz);
++ close(fd);
++ return ret;
++#endif /* HAVE_NLIST_H */
++}
+--- a/misc.h
++++ b/misc.h
+@@ -78,6 +78,7 @@
+ const char *atoi_err(const char *, int *);
+ int parse_absolute_time(const char *, uint64_t *);
+ void format_absolute_time(uint64_t, char *, size_t);
++int lib_contains_symbol(const char *, const char *);
+
+ void sock_set_v6only(int);
+
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -607,6 +607,10 @@
+ __func__, provider_id);
+ goto fail;
+ }
++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++ error("provider %s is not a PKCS11 library", provider_id);
++ goto fail;
++ }
+ /* open shared pkcs11-libarary */
+ if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+ error("dlopen %s failed: %s", provider_id, dlerror());
diff --git a/debian/patches/bug2918.patch b/debian/patches/bug2918.patch
new file mode 100644
index 0000000..751259c
--- /dev/null
+++ b/debian/patches/bug2918.patch
@@ -0,0 +1,26 @@
+Description: ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives
+ Connection attempts after the first were ignoring the requested timeout
+Origin: upstream, https://bugzilla.mindrot.org/attachment.cgi?id=3233
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2918
+Forwarded: no
+Last-Update: 2023-03-29
+
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -500,7 +500,7 @@
+ struct sockaddr_storage *hostaddr, u_short port, int family,
+ int connection_attempts, int *timeout_ms, int want_keepalive)
+ {
+- int on = 1;
++ int on = 1, saved_timeout_ms = *timeout_ms;
+ int oerrno, sock = -1, attempt;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ struct addrinfo *ai;
+@@ -544,6 +544,7 @@
+ continue;
+ }
+
++ *timeout_ms = saved_timeout_ms;
+ if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
+ timeout_ms) >= 0) {
+ /* Successful connection. */
diff --git a/debian/patches/series b/debian/patches/series
index aed9546..2aca60f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,3 +34,6 @@ scp-handle-braces.patch
revert-ipqos-defaults.patch
seccomp-handle-shm.patch
sandbox-seccomp-ipc.patch
+bug2918.patch
+CVE-2023-38408-1.patch
+CVE-2023-38408-3.patch