1 files changed, 104 insertions, 0 deletions

diff --git a/debian/patches/CVE-2023-38408-2.patch b/debian/patches/CVE-2023-38408-2.patch
new file mode 100644
index 0000000..c8f5980
--- /dev/null
+++ b/debian/patches/CVE-2023-38408-2.patch
@@ -0,0 +1,104 @@
+From 5c06b89189eb27f692b900526d60bf744918511e Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 7 Jul 2023 13:30:15 +1000
+Subject: disallow remote addition of FIDO/PKCS11 keys
+
+Depends on the local client performing the session-bind@openssh.com
+operation, so non-OpenSSH local client may circumvent this.
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d7790cdce72a1b6982795baa2b4d6f0bdbb0100d
+Last-Update: 2023-09-17
+
+Patch-Name: CVE-2023-38408-2.patch
+---
+ ssh-agent.1 | 22 ++++++++++++++++++++--
+ ssh-agent.c | 21 ++++++++++++++++++++-
+ 2 files changed, 40 insertions(+), 3 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index ba418bb41..0e5b6c15c 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -107,9 +107,27 @@ environment variable).
+ .It Fl O Ar option
+ Specify an option when starting
+ .Nm .
+-Currently only one option is supported:
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
+ .Cm no-restrict-websafe .
+-This instructs
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .Nm
+ to permit signatures using FIDO keys that might be web authentication
+ requests.
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 63e1137bc..dce2849d8 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -170,6 +170,12 @@ char socket_dir[PATH_MAX];
+ /* Pattern-list of allowed PKCS#11/Security key paths */
+ static char *allowed_providers;
+ 
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -1229,6 +1235,12 @@ process_add_identity(SocketEntry *e)
+ 		if (strcasecmp(sk_provider, "internal") == 0) {
+ 			debug_f("internal provider");
+ 		} else {
++			if (e->nsession_ids != 0 && !remote_add_provider) {
++				verbose("failed add of SK provider \"%.100s\": "
++				    "remote addition of providers is disabled",
++				    sk_provider);
++				goto out;
++			}
+ 			if (realpath(sk_provider, canonical_provider) == NULL) {
+ 				verbose("failed provider \"%.100s\": "
+ 				    "realpath: %s", sk_provider,
+@@ -1392,6 +1404,11 @@ process_add_smartcard_key(SocketEntry *e)
+ 		error_f("failed to parse constraints");
+ 		goto send;
+ 	}
++	if (e->nsession_ids != 0 && !remote_add_provider) {
++		verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++		    "providers is disabled", provider);
++		goto send;
++	}
+ 	if (realpath(provider, canonical_provider) == NULL) {
+ 		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ 		    provider, strerror(errno));
+@@ -2052,7 +2069,9 @@ main(int ac, char **av)
+ 			break;
+ 		case 'O':
+ 			if (strcmp(optarg, "no-restrict-websafe") == 0)
+-				restrict_websafe  = 0;
++				restrict_websafe = 0;
++			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++				remote_add_provider = 1;
+ 			else
+ 				fatal("Unknown -O option");
+ 			break;