[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145
From: "Steve Sakoman" <steve () sakoman ! com>
Date: 2021-03-31 15:07:22
Message-ID: CAOSpxdbA3KfgbkqXMyM498z1cFs6Xq3QnVLoTNM_L0ftrc0xPQ () mail ! gmail ! com
[Download RAW message or body]
This patch fails on the autobuilder:
stdio: ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt
--quiltrc /home/pokybuild/yocto-worker/beaglebone-alt/build/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0 Output:
Steve
On Tue, Mar 30, 2021 at 8:22 PM Sana Kazi <Sana.Kazi@kpit.com> wrote:
>
> Applied patch for CVE-2020-14145 which fixes
> man-in-the-middle attack.
> Link: https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> ---
> .../openssh/openssh/CVE-2020-14145.patch | 97 +++++++++++++++++++
> .../openssh/openssh_8.2p1.bb | 1 +
> 2 files changed, 98 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch \
> b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode \
> 100644 index 0000000000..3adb981fb4
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> @@ -0,0 +1,97 @@
> +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Fri, 18 Sep 2020 05:23:03 +0000
> +Subject: upstream: tweak the client hostkey preference ordering algorithm to
> +
> +prefer the default ordering if the user has a key that matches the
> +best-preference default algorithm.
> +
> +feedback and ok markus@
> +
> +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
> +
> +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> +---
> + sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
> + 1 file changed, 38 insertions(+), 3 deletions(-)
> +
> +CVE: CVE-2020-14145
> +Upstream-Status: Backport \
> [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
> +Comment: Refreshed first hunk
> +
> +diff --git a/sshconnect2.c b/sshconnect2.c
> +index 347e348c..f64aae66 100644
> +--- a/sshconnect2.c
> ++++ b/sshconnect2.c
> +@@ -1,4 +1,4 @@
> +-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
> ++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
> + /*
> + * Copyright (c) 2000 Markus Friedl. All rights reserved.
> + * Copyright (c) 2008 Damien Miller. All rights reserved.
> +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh \
> *ssh) + return 0;
> + }
> +
> ++/* Returns the first item from a comma-separated algorithm list */
> ++static char *
> ++first_alg(const char *algs)
> ++{
> ++ char *ret, *cp;
> ++
> ++ ret = xstrdup(algs);
> ++ if ((cp = strchr(ret, ',')) != NULL)
> ++ *cp = '\0';
> ++ return ret;
> ++}
> ++
> + static char *
> + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> + {
> +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
> ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
> ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
> + size_t maxlen;
> +- struct hostkeys *hostkeys;
> ++ struct hostkeys *hostkeys = NULL;
> + int ktype;
> + u_int i;
> +
> +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, \
> u_short port) + for (i = 0; i < options.num_system_hostfiles; i++)
> + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
> +
> ++ /*
> ++ * If a plain public key exists that matches the type of the best
> ++ * preference HostkeyAlgorithms, then use the whole list as is.
> ++ * Note that we ignore whether the best preference algorithm is a
> ++ * certificate type, as sshconnect.c will downgrade certs to
> ++ * plain keys if necessary.
> ++ */
> ++ best = first_alg(options.hostkeyalgorithms);
> ++ if (lookup_key_in_hostkeys_by_type(hostkeys,
> ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
> ++ debug3("%s: have matching best-preference key type %s, "
> ++ "using HostkeyAlgorithms verbatim", __func__, best);
> ++ ret = xstrdup(options.hostkeyalgorithms);
> ++ goto out;
> ++ }
> ++
> ++ /*
> ++ * Otherwise, prefer the host key algorithms that match known keys
> ++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
> ++ */
> + oavail = avail = xstrdup(options.hostkeyalgorithms);
> + maxlen = strlen(avail) + 1;
> + first = xmalloc(maxlen);
> +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, \
> u_short port) + if (*first != '\0')
> + debug3("%s: prefer hostkeyalgs: %s", __func__, first);
> +
> ++ out:
> ++ free(best);
> + free(first);
> + free(last);
> + free(hostname);
> +--
> +cgit v1.2.3
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb \
> b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index fe94f30503..17965557a7 \
> 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -24,6 +24,7 @@ SRC_URI = \
> "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar \
> file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ \
> file://sshd_check_keys \ file://add-test-support-for-busybox.patch \
> + file://CVE-2020-14145.patch \
> "
> SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> SRC_URI[sha256sum] = \
> "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the \
> property of the KPIT Technologies Ltd. It is intended only for the person to whom \
> it is addressed. If you are not the intended recipient, you are not authorized to \
> read, print, retain copy, disseminate, distribute, or use this message or any part \
> thereof. If you receive this message in error, please notify the sender immediately \
> and delete all copies of this message. KPIT Technologies Ltd. does not accept any \
> liability for virus infected mails.
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#150118): https://lists.openembedded.org/g/openembedded-core/message/150118
Mute This Topic: https://lists.openembedded.org/mt/81743977/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic