[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: Re: [OE-core][dunfell 02/14] openssh: Fix CVE-2021-41617
From: "Jacob Kroon" <jacob.kroon () gmail ! com>
Date: 2021-12-30 21:59:45
Message-ID: CAPbeDCm1Z0n9kuLSi4FsVPRsYwyzcpRv1cnXp5n0d-Pv9RxFmg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On Thu, 30 Dec 2021, 21:17 Steve Sakoman, <steve@sakoman.com> wrote:
On Thu, Dec 30, 2021 at 9:04 AM Jacob Kroon <jacob.kroon@gmail.com> wrote:
>
> On 12/30/21 19:54, Jacob Kroon via lists.openembedded.org wrote:
> > On 12/22/21 15:12, Steve Sakoman wrote:
> >> From: sana kazi <sanakazisk19@gmail.com>
> >>
> >> Add patch to fix CVE-2021-41617
> >> Link: https://bugzilla.suse.com/attachment.cgi?id=854015
> >>
> >> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> >> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
> >> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> >> ---
> >> .../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++++++++++++
> >> .../openssh/openssh_8.2p1.bb | 1 +
> >> 2 files changed, 53 insertions(+)
> >> create mode 100644
meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >>
> >> diff --git
a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >> new file mode 100644
> >> index 0000000000..bda896f581
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >> @@ -0,0 +1,52 @@
> >> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
> >> +From: Ali Abdallah <aabdallah@suse.de>
> >> +Date: Wed, 24 Nov 2021 13:33:39 +0100
> >> +Subject: [PATCH] CVE-2021-41617 fix
> >> +
> >> +backport of the following two upstream commits
> >> +
> >> +f3cbe43e28fe71427d41cfe3a17125b972710455
> >> +bf944e3794eff5413f2df1ef37cddf96918c6bde
> >> +
> >> +CVE-2021-41617 failed to correctly initialise supplemental groups
> >> +when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand,
> >> +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
> >> +directive has been set to run the command as a different user. Instead
> >> +these commands would inherit the groups that sshd(8) was started with.
> >> +---
> >> + auth.c | 8 ++++++++
> >> + 1 file changed, 8 insertions(+)
> >> +
> >> +CVE: CVE-2021-41617
> >> +Upstream-Status: Backport [
https://bugzilla.suse.com/attachment.cgi?id=854015]
> >> +Comment: No change in any hunk
> >> +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> >> +
> >> +diff --git a/auth.c b/auth.c
> >> +index 163038f..a47b267 100644
> >> +--- a/auth.c
> >> ++++ b/auth.c
> >> +@@ -52,6 +52,7 @@
> >> + #include <limits.h>
> >> + #include <netdb.h>
> >> + #include <time.h>
> >> ++#include <grp.h>
> >> +
> >> + #include "xmalloc.h"
> >> + #include "match.h"
> >> +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw,
const char *command,
> >> + }
> >> + closefrom(STDERR_FILENO + 1);
> >> +
> >> ++ if (geteuid() == 0 &&
> >> ++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
> >> ++ error("%s: initgroups(%s, %u): %s", tag,
> >> ++ pw->pw_name, (u_int)pw->pw_gid,
strerror(errno));
> >> ++ _exit(1);
> >> ++ }
> >> ++
> >> + /* Don't use permanently_set_uid() here to avoid fatal()
*/
> >> + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
> >> + error("%s: setresgid %u: %s", tag,
(u_int)pw->pw_gid,
> >> +--
> >> +2.26.2
> >> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> index b60d1a6bd4..e903ec487d 100644
> >> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> @@ -26,6 +26,7 @@ SRC_URI = "
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> >> file://add-test-support-for-busybox.patch \
> >> file://CVE-2020-14145.patch \
> >> file://CVE-2021-28041.patch \
> >> + file://CVE-2021-41617.patch \
> >> "
> >> SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> >> SRC_URI[sha256sum] =
"43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> >>
> >>
> >>
> >>
> >>
> >
> > I would have expected this patch to leave a mark in my buildhistory, but
> > nothing related to openssh(d) shows up.
> >
> > Size of /usr/sbin/sshd stays the same, which at least to me is a little
> > odd.. but I can see that the sha256sum output of sshd changes.
> >
> > (It would be nice to have sha256sum hashes of files in buildhistory)
> >
> > Am I the only one who thinks this is a little strange ?
> >
> > /Jacob
> >
>
> Let me rephrase, I do see changes related to debug information and the
> debug package, but no change in the resulting '/usr/sbin/sshd' size that
> goes in the final image.
Yes, it is unusual that the size of sshd is the same pre and post patch.
I checked the size of auth.o pre and post patch, and it is also the
same (not surprisingly!)
However I've verified that the patch modifies auth.c as desired, and
the md5sums for both auth.o and ssshd are different pre and post patch
(as expected)
So this is just one of those cases where different code results in the
same size!
Steve
Thanks for double checking.
/Jacob
[Attachment #5 (text/html)]
<div dir="auto"><div dir="auto"><div class="elided-text" dir="auto"><div dir="ltr">On \
Thu, 30 Dec 2021, 21:17 Steve Sakoman, <<a \
href="mailto:steve@sakoman.com">steve@sakoman.com</a>> wrote:<br></div><blockquote \
style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">On Thu, Dec 30, 2021 at 9:04 AM Jacob Kroon <<a \
href="mailto:jacob.kroon@gmail.com">jacob.kroon@gmail.com</a>> \
wrote:<br>><br>> On 12/30/21 19:54, Jacob Kroon via <a \
href="http://lists.openembedded.org/">lists.openembedded.org</a> wrote:<br>> > \
On 12/22/21 15:12, Steve Sakoman wrote:<br>> >> From: sana kazi <<a \
href="mailto:sanakazisk19@gmail.com">sanakazisk19@gmail.com</a>><br>> \
>><br>> >> Add patch to fix CVE-2021-41617<br>> >> Link: <a \
href="https://bugzilla.suse.com/attachment.cgi?id=854015">https://bugzilla.suse.com/attachment.cgi?id=854015</a><br>> \
>><br>> >> Signed-off-by: Sana Kazi <<a \
href="mailto:Sana.Kazi@kpit.com">Sana.Kazi@kpit.com</a>><br>> >> \
Signed-off-by: Sana Kazi <<a \
href="mailto:sanakazisk19@gmail.com">sanakazisk19@gmail.com</a>><br>> >> \
Signed-off-by: Steve Sakoman <<a \
href="mailto:steve@sakoman.com">steve@sakoman.com</a>><br>> >> \
---<br>> >> .../openssh/openssh/CVE-2021-41617.patch | 52 \
+++++++++++++++++++<br>> >> .../openssh/<a \
href="http://openssh_8.2p1.bb/">openssh_8.2p1.bb</a> | 1 \
+<br>> >> 2 files changed, 53 insertions(+)<br>> >> create mode \
100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch<br>> \
>><br>> >> diff --git \
a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch \
b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch<br>> >> new \
file mode 100644<br>> >> index 0000000000..bda896f581<br>> >> --- \
/dev/null<br>> >> +++ \
b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch<br>> >> @@ \
-0,0 +1,52 @@<br>> >> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep \
17 00:00:00 2001<br>> >> +From: Ali Abdallah <<a \
href="mailto:aabdallah@suse.de">aabdallah@suse.de</a>><br>> >> +Date: \
Wed, 24 Nov 2021 13:33:39 +0100<br>> >> +Subject: [PATCH] CVE-2021-41617 \
fix<br>> >> +<br>> >> +backport of the following two upstream \
commits<br>> >> +<br>> >> \
+f3cbe43e28fe71427d41cfe3a17125b972710455<br>> >> \
+bf944e3794eff5413f2df1ef37cddf96918c6bde<br>> >> +<br>> >> \
+CVE-2021-41617 failed to correctly initialise supplemental groups<br>> >> \
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,<br>> \
>> +where a AuthorizedKeysCommandUser or \
AuthorizedPrincipalsCommandUser<br>> >> +directive has been set to run the \
command as a different user. Instead<br>> >> +these commands would inherit \
the groups that sshd(8) was started with.<br>> >> +---<br>> >> + \
auth.c | 8 ++++++++<br>> >> + 1 file changed, 8 insertions(+)<br>> \
>> +<br>> >> +CVE: CVE-2021-41617<br>> >> +Upstream-Status: \
Backport [<a href="https://bugzilla.suse.com/attachment.cgi?id=854015">https://bugzilla.suse.com/attachment.cgi?id=854015</a>]<br>> \
>> +Comment: No change in any hunk<br>> >> +Signed-off-by: Sana Kazi \
<<a href="mailto:Sana.Kazi@kpit.com">Sana.Kazi@kpit.com</a>><br>> >> \
+<br>> >> +diff --git a/auth.c b/auth.c<br>> >> +index \
163038f..a47b267 100644<br>> >> +--- a/auth.c<br>> >> ++++ \
b/auth.c<br>> >> +@@ -52,6 +52,7 @@<br>> >> + #include \
<limits.h><br>> >> + #include <netdb.h><br>> >> + \
#include <time.h><br>> >> ++#include <grp.h><br>> >> \
+<br>> >> + #include "xmalloc.h"<br>> >> + #include \
"match.h"<br>> >> +@@ -851,6 +852,13 @@ subprocess(const char \
*tag, struct passwd *pw, const char *command,<br>> >> + \
}<br>> >> + closefrom(STDERR_FILENO + 1);<br>> >> \
+<br>> >> ++ if (geteuid() == 0 &&<br>> >> \
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {<br>> \
>> ++ error("%s: initgroups(%s, %u): %s", \
tag,<br>> >> ++ pw->pw_name, \
(u_int)pw->pw_gid, strerror(errno));<br>> >> ++ \
_exit(1);<br>> >> ++ }<br>> >> ++<br>> >> \
+ /* Don't use permanently_set_uid() here to avoid fatal() \
*/<br>> >> + if (setresgid(pw->pw_gid, pw->pw_gid, \
pw->pw_gid) == -1) {<br>> >> + \
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,<br>> >> \
+--<br>> >> +2.26.2<br>> >> diff --git \
a/meta/recipes-connectivity/openssh/<a \
href="http://openssh_8.2p1.bb/">openssh_8.2p1.bb</a> \
b/meta/recipes-connectivity/openssh/<a \
href="http://openssh_8.2p1.bb/">openssh_8.2p1.bb</a><br>> >> index \
b60d1a6bd4..e903ec487d 100644<br>> >> --- \
a/meta/recipes-connectivity/openssh/<a \
href="http://openssh_8.2p1.bb/">openssh_8.2p1.bb</a><br>> >> +++ \
b/meta/recipes-connectivity/openssh/<a \
href="http://openssh_8.2p1.bb/">openssh_8.2p1.bb</a><br>> >> @@ -26,6 +26,7 \
@@ SRC_URI = "<a \
href="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$%7BPV%7D.tar">http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar</a><br>> \
>> file://add-test-support-for-busybox.patch \<br>> \
>> file://CVE-2020-14145.patch \<br>> >> \
file://CVE-2021-28041.patch \<br>> >> + \
file://CVE-2021-41617.patch \<br>> >> "<br>> \
>> SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"<br>> \
>> SRC_URI[sha256sum] = \
"43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"<br>> \
>><br>> >><br>> >><br>> >><br>> >><br>> \
><br>> > I would have expected this patch to leave a mark in my \
buildhistory, but<br>> > nothing related to openssh(d) shows up.<br>> \
><br>> > Size of /usr/sbin/sshd stays the same, which at least to me is a \
little<br>> > odd.. but I can see that the sha256sum output of sshd \
changes.<br>> ><br>> > (It would be nice to have sha256sum hashes of \
files in buildhistory)<br>> ><br>> > Am I the only one who thinks this is \
a little strange ?<br>> ><br>> > /Jacob<br>> ><br>><br>> Let \
me rephrase, I do see changes related to debug information and the<br>> debug \
package, but no change in the resulting '/usr/sbin/sshd' size that<br>> \
goes in the final image.<br><br>Yes, it is unusual that the size of sshd is the same \
pre and post patch.<br><br>I checked the size of auth.o pre and post patch, and it is \
also the<br>same (not surprisingly!)<br><br>However I've verified that the patch \
modifies auth.c as desired, and<br>the md5sums for both auth.o and ssshd are \
different pre and post patch<br>(as expected)<br><br>So this is just one of those \
cases where different code results in the<br>same \
size!<br><br>Steve</blockquote></div></div><div dir="auto"><br></div>Thanks for \
double checking.<div dir="auto">/Jacob</div></div>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#160067): https://lists.openembedded.org/g/openembedded-core/message/160067
Mute This Topic: https://lists.openembedded.org/mt/87898179/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic