'Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openembedded-core
Subject:    Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145
From:       "Steve Sakoman" <steve () sakoman ! com>
Date:       2021-03-31 15:07:22
Message-ID: CAOSpxdbA3KfgbkqXMyM498z1cFs6Xq3QnVLoTNM_L0ftrc0xPQ () mail ! gmail ! com
[Download RAW message or body]

This patch fails on the autobuilder:

stdio: ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt
--quiltrc /home/pokybuild/yocto-worker/beaglebone-alt/build/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc
 push' exited with 0 Output:

Steve

On Tue, Mar 30, 2021 at 8:22 PM Sana Kazi <Sana.Kazi@kpit.com> wrote:
> 
> Applied patch for CVE-2020-14145 which fixes
> man-in-the-middle attack.
> Link: https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
>  
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> ---
> .../openssh/openssh/CVE-2020-14145.patch      | 97 +++++++++++++++++++
> .../openssh/openssh_8.2p1.bb                  |  1 +
> 2 files changed, 98 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch \
> b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode \
> 100644 index 0000000000..3adb981fb4
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> @@ -0,0 +1,97 @@
> +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Fri, 18 Sep 2020 05:23:03 +0000
> +Subject: upstream: tweak the client hostkey preference ordering algorithm to
> +
> +prefer the default ordering if the user has a key that matches the
> +best-preference default algorithm.
> +
> +feedback and ok markus@
> +
> +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
> +
> +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> +---
> + sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
> + 1 file changed, 38 insertions(+), 3 deletions(-)
> +
> +CVE: CVE-2020-14145
> +Upstream-Status: Backport \
> [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
>  +Comment: Refreshed first hunk
> +
> +diff --git a/sshconnect2.c b/sshconnect2.c
> +index 347e348c..f64aae66 100644
> +--- a/sshconnect2.c
> ++++ b/sshconnect2.c
> +@@ -1,4 +1,4 @@
> +-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
> ++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
> + /*
> +  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
> +  * Copyright (c) 2008 Damien Miller.  All rights reserved.
> +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh \
> *ssh) +       return 0;
> + }
> +
> ++/* Returns the first item from a comma-separated algorithm list */
> ++static char *
> ++first_alg(const char *algs)
> ++{
> ++      char *ret, *cp;
> ++
> ++      ret = xstrdup(algs);
> ++      if ((cp = strchr(ret, ',')) != NULL)
> ++              *cp = '\0';
> ++      return ret;
> ++}
> ++
> + static char *
> + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> + {
> +-      char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
> ++      char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
> ++      char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
> +       size_t maxlen;
> +-      struct hostkeys *hostkeys;
> ++      struct hostkeys *hostkeys = NULL;
> +       int ktype;
> +       u_int i;
> +
> +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, \
> u_short port) +       for (i = 0; i < options.num_system_hostfiles; i++)
> +               load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
> +
> ++      /*
> ++       * If a plain public key exists that matches the type of the best
> ++       * preference HostkeyAlgorithms, then use the whole list as is.
> ++       * Note that we ignore whether the best preference algorithm is a
> ++       * certificate type, as sshconnect.c will downgrade certs to
> ++       * plain keys if necessary.
> ++       */
> ++      best = first_alg(options.hostkeyalgorithms);
> ++      if (lookup_key_in_hostkeys_by_type(hostkeys,
> ++          sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
> ++              debug3("%s: have matching best-preference key type %s, "
> ++                  "using HostkeyAlgorithms verbatim", __func__, best);
> ++              ret = xstrdup(options.hostkeyalgorithms);
> ++              goto out;
> ++      }
> ++
> ++      /*
> ++       * Otherwise, prefer the host key algorithms that match known keys
> ++       * while keeping the ordering of HostkeyAlgorithms as much as possible.
> ++       */
> +       oavail = avail = xstrdup(options.hostkeyalgorithms);
> +       maxlen = strlen(avail) + 1;
> +       first = xmalloc(maxlen);
> +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, \
> u_short port) +       if (*first != '\0')
> +               debug3("%s: prefer hostkeyalgs: %s", __func__, first);
> +
> ++ out:
> ++      free(best);
> +       free(first);
> +       free(last);
> +       free(hostname);
> +--
> +cgit v1.2.3
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb \
> b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index fe94f30503..17965557a7 \
>                 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -24,6 +24,7 @@ SRC_URI = \
> "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar \
> file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ \
> file://sshd_check_keys \ file://add-test-support-for-busybox.patch \
> +           file://CVE-2020-14145.patch \
> "
> SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> SRC_URI[sha256sum] = \
>                 "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> --
> 2.17.1
> 
> This message contains information that may be privileged or confidential and is the \
> property of the KPIT Technologies Ltd. It is intended only for the person to whom \
> it is addressed. If you are not the intended recipient, you are not authorized to \
> read, print, retain copy, disseminate, distribute, or use this message or any part \
> thereof. If you receive this message in error, please notify the sender immediately \
> and delete all copies of this message. KPIT Technologies Ltd. does not accept any \
> liability for virus infected mails. 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#150118): https://lists.openembedded.org/g/openembedded-core/message/150118
Mute This Topic: https://lists.openembedded.org/mt/81743977/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic