summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2023-38408-2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/CVE-2023-38408-2.patch')
-rw-r--r--debian/patches/CVE-2023-38408-2.patch104
1 files changed, 104 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-38408-2.patch b/debian/patches/CVE-2023-38408-2.patch
new file mode 100644
index 0000000..c8f5980
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-2.patch
@@ -0,0 +1,104 @@
+From 5c06b89189eb27f692b900526d60bf744918511e Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 7 Jul 2023 13:30:15 +1000
+Subject: disallow remote addition of FIDO/PKCS11 keys
+
+Depends on the local client performing the session-bind@openssh.com
+operation, so non-OpenSSH local client may circumvent this.
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d7790cdce72a1b6982795baa2b4d6f0bdbb0100d
+Last-Update: 2023-09-17
+
+Patch-Name: CVE-2023-38408-2.patch
+---
+ ssh-agent.1 | 22 ++++++++++++++++++++--
+ ssh-agent.c | 21 ++++++++++++++++++++-
+ 2 files changed, 40 insertions(+), 3 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index ba418bb41..0e5b6c15c 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -107,9 +107,27 @@ environment variable).
+ .It Fl O Ar option
+ Specify an option when starting
+ .Nm .
+-Currently only one option is supported:
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
+ .Cm no-restrict-websafe .
+-This instructs
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .Nm
+ to permit signatures using FIDO keys that might be web authentication
+ requests.
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 63e1137bc..dce2849d8 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -170,6 +170,12 @@ char socket_dir[PATH_MAX];
+ /* Pattern-list of allowed PKCS#11/Security key paths */
+ static char *allowed_providers;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -1229,6 +1235,12 @@ process_add_identity(SocketEntry *e)
+ if (strcasecmp(sk_provider, "internal") == 0) {
+ debug_f("internal provider");
+ } else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ goto out;
++ }
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+@@ -1392,6 +1404,11 @@ process_add_smartcard_key(SocketEntry *e)
+ error_f("failed to parse constraints");
+ goto send;
+ }
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+@@ -2052,7 +2069,9 @@ main(int ac, char **av)
+ break;
+ case 'O':
+ if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+ else
+ fatal("Unknown -O option");
+ break;