diff options
Diffstat (limited to 'debian/patches/CVE-2023-38408-2.patch')
-rw-r--r-- | debian/patches/CVE-2023-38408-2.patch | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-38408-2.patch b/debian/patches/CVE-2023-38408-2.patch new file mode 100644 index 0000000..c8f5980 --- /dev/null +++ b/debian/patches/CVE-2023-38408-2.patch @@ -0,0 +1,104 @@ +From 5c06b89189eb27f692b900526d60bf744918511e Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Fri, 7 Jul 2023 13:30:15 +1000 +Subject: disallow remote addition of FIDO/PKCS11 keys + +Depends on the local client performing the session-bind@openssh.com +operation, so non-OpenSSH local client may circumvent this. + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d7790cdce72a1b6982795baa2b4d6f0bdbb0100d +Last-Update: 2023-09-17 + +Patch-Name: CVE-2023-38408-2.patch +--- + ssh-agent.1 | 22 ++++++++++++++++++++-- + ssh-agent.c | 21 ++++++++++++++++++++- + 2 files changed, 40 insertions(+), 3 deletions(-) + +diff --git a/ssh-agent.1 b/ssh-agent.1 +index ba418bb41..0e5b6c15c 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -107,9 +107,27 @@ environment variable). + .It Fl O Ar option + Specify an option when starting + .Nm . +-Currently only one option is supported: ++Currently two options are supported: ++.Cm allow-remote-pkcs11 ++and + .Cm no-restrict-websafe . +-This instructs ++.Pp ++The ++.Cm allow-remote-pkcs11 ++option allows clients of a forwarded ++.Nm ++to load PKCS#11 or FIDO provider libraries. ++By default only local clients may perform this operation. ++Note that signalling that a ++.Nm ++client remote is performed by ++.Xr ssh 1 , ++and use of other tools to forward access to the agent socket may circumvent ++this restriction. ++.Pp ++The ++.Cm no-restrict-websafe , ++instructs + .Nm + to permit signatures using FIDO keys that might be web authentication + requests. +diff --git a/ssh-agent.c b/ssh-agent.c +index 63e1137bc..dce2849d8 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -170,6 +170,12 @@ char socket_dir[PATH_MAX]; + /* Pattern-list of allowed PKCS#11/Security key paths */ + static char *allowed_providers; + ++/* ++ * Allows PKCS11 providers or SK keys that use non-internal providers to ++ * be added over a remote connection (identified by session-bind@openssh.com). ++ */ ++static int remote_add_provider; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -1229,6 +1235,12 @@ process_add_identity(SocketEntry *e) + if (strcasecmp(sk_provider, "internal") == 0) { + debug_f("internal provider"); + } else { ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed add of SK provider \"%.100s\": " ++ "remote addition of providers is disabled", ++ sk_provider); ++ goto out; ++ } + if (realpath(sk_provider, canonical_provider) == NULL) { + verbose("failed provider \"%.100s\": " + "realpath: %s", sk_provider, +@@ -1392,6 +1404,11 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " ++ "providers is disabled", provider); ++ goto send; ++ } + if (realpath(provider, canonical_provider) == NULL) { + verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", + provider, strerror(errno)); +@@ -2052,7 +2069,9 @@ main(int ac, char **av) + break; + case 'O': + if (strcmp(optarg, "no-restrict-websafe") == 0) +- restrict_websafe = 0; ++ restrict_websafe = 0; ++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) ++ remote_add_provider = 1; + else + fatal("Unknown -O option"); + break; |