commit: 615ab9d0a7ea42e3fa992a2f728c45019f8706c2 Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> AuthorDate: Tue Jul 2 17:02:29 2024 +0000 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> CommitDate: Tue Jul 2 17:07:07 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=615ab9d0
net-misc/openssh-contrib: Revbump, add fix for CVE-2024-6387
Bug: https://bugs.gentoo.org/935271
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
.../files/openssh-9.6_p1-CVE-2024-6387.patch | 19 ++++++++++++++
.../files/openssh-9.6_p1-chaff-logic.patch | 16 ++++++++++++
.../files/openssh-9.6_p1-fix-xmss-c99.patch | 20 +++++++++++++++
.../files/openssh-9.7_p1-X509-CVE-2024-6387.patch | 29 ++++++++++++++++++++++
...-r3.ebuild => openssh-contrib-9.7_p1-r4.ebuild} | 11 +++++++-
5 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch b/net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch
new file mode 100644
index 000000000000..7b7fb70380d9
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.6_p1-CVE-2024-6387.patch
@@ -0,0 +1,19 @@
+https://bugs.gentoo.org/935271
+Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2.
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
diff --git a/net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch b/net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch
new file mode 100644
index 000000000000..90544d1a457e
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.6_p1-chaff-logic.patch
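Review bot: With this backport sshsigdie() goes straight to `_exit(1)` without logging whenever SYSLOG_R_SAFE_IN_SIGHAND is undefined, and the patch header does not say so; the X509 counterpart in this same commit ties that function to grace_alarm_handler() in sshd.c, so on such builds the pre-auth grace-timeout exit is no longer logged at all (as far as I can tell that includes glibc-based Linux, where no syslog_r exists — worth confirming). That is the intended mitigation, but operators who alert on the timeout message lose that signal, so the header should state it, e.g. `Side effect: sshsigdie() no longer logs on platforms without SYSLOG_R_SAFE_IN_SIGHAND, so the timeout-before-authentication line disappears from sshd logs on those builds.` Moving the whole `va_list args;` declaration inside the #ifdef is correct here (it avoids an unused-variable warning), but a word in the header that this is deliberate would save the next reviewer a look.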
@@ -0,0 +1,16 @@
+"Minor logic error in ObscureKeystrokeTiming"
+https://marc.info/?l=oss-security&m=171982317624594&w=2
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ if (timespeccmp(&now, &chaff_until, >=)) {
+ /* Stop if there have been no keystrokes for a while */
+ stop_reason = "chaff time expired";
+- } else if (timespeccmp(&now, &next_interval, >=)) {
+- /* Otherwise if we were due to send, then send chaff */
++ } else if (timespeccmp(&now, &next_interval, >=) &&
++ !ssh_packet_have_data_to_write(ssh)) {
++ /* If due to send but have no data, then send chaff */
+ if (send_chaff(ssh))
+ nchaff++;
+ }
diff --git a/net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch b/net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch
new file mode 100644
index 000000000000..cf06b80cd5fa
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.6_p1-fix-xmss-c99.patch
@@ -0,0 +1,20 @@
+xmss_hash.c: In function ‘core_hash_SHA2’:
+xmss_hash.c:56:5: error: implicit declaration of function ‘SHA256’ [-Wimplicit-function-declaration]
+ 56 | SHA256(buf, inlen + keylen + n, out);
+ | ^~~~~~
+xmss_hash.c:61:7: error: implicit declaration of function ‘SHA512’ [-Wimplicit-function-declaration]
+ 61 | SHA512(buf, inlen + keylen + n, out);
+ | ^~~~~~
+
+diff --git a/xmss_hash.c b/xmss_hash.c
+index 70c126ae2..cb17de2af 100644
+--- a/xmss_hash.c
++++ b/xmss_hash.c
+@@ -12,6 +12,7 @@ Public domain.
+ #include "xmss_hash_address.h"
+ #include "xmss_commons.h"
+ #include "xmss_hash.h"
++#include <openssl/sha.h>
+
+ #include <stddef.h>
+ #ifdef HAVE_STDINT_H
diff --git a/net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch b/net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch
new file mode 100644
index 000000000000..7de772777107
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.7_p1-X509-CVE-2024-6387.patch
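Review bot: The new `#include <openssl/sha.h>` in xmss_hash.c is unconditional while the ebuild in this same commit still configures with `$(use_with ssl openssl)`, so a USE=-ssl build that compiles this file would now fail at the include instead of at the implicit SHA256/SHA512 declaration; whether xmss_hash.c is compiled at all in that configuration is not visible here. If it is, wrapping the line in `#ifdef WITH_OPENSSL` keeps the fix harmless for such builds. The patch header is only pasted compiler output; a sentence such as `Add the OpenSSL SHA prototypes so xmss_hash.c builds with compilers that reject implicit function declarations.` would state the intent.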
@@ -0,0 +1,29 @@
+diff -u a/openssh-9.7p1+x509-15.0.diff b/openssh-9.7p1+x509-15.0.diff
+--- a/openssh-9.7p1+x509-15.0.diff 2024-07-02 08:34:12.300470515 -0700
++++ b/openssh-9.7p1+x509-15.0.diff 2024-07-02 08:35:27.016991183 -0700
+@@ -69916,7 +69916,7 @@
+ closelog();
+ #endif
+ }
+-@@ -424,81 +473,121 @@
++@@ -424,81 +473,113 @@
+ }
+
+ void
+@@ -69955,15 +69955,7 @@
+ +sshsigdie(const char *file, const char *func, int line,
+ + const char *fmt,...)
+ {
+-+#if 1
+-+/* NOTE: "OpenSSH bug 3286". See grace_alarm_handler() in sshd.c.
+-+ * Logging in signal handler cannot be considered as safe.
+-+ * Let enable log as now daemon does not sent explicitly alarm
+-+ * signal. This should avoid logging in child signal handler.
+-+ */
+-+# define DO_LOG_SAFE_IN_SIGHAND
+-+#endif
+-+#ifdef DO_LOG_SAFE_IN_SIGHAND
+++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
diff --git a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
similarity index 98%
rename from net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild
rename to net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
index 928f72db3060..6686d35c898f 100644
--- a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
@@ -105,11 +105,16 @@ BDEPEND="
 "

 PATCHES=(
- "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
 "${FILESDIR}/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
+ "${FILESDIR}/openssh-9.6_p1-fix-xmss-c99.patch"
 "${FILESDIR}/openssh-9.7_p1-config-tweaks.patch"
 )

+NON_X509_PATCHES=(
+ "${FILESDIR}/openssh-9.6_p1-chaff-logic.patch"
+ "${FILESDIR}/openssh-9.6_p1-CVE-2024-6387.patch"
+)
+
 pkg_pretend() {
 # this sucks, but i'd rather have people unable to `emerge -u openssh`
 # than not be able to log in to their server any more
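Review bot: This patch has no descriptive header — its first line is the `diff -u` command line — so nothing records that it edits the openssh-9.7p1+x509-15.0 glue diff to carry the CVE-2024-6387 mitigation, nor that it deletes the "OpenSSH bug 3286" NOTE whose rationale (logging from the alarm handler was judged acceptable) this change reverses. Give it the same two-line header the non-X509 patch has, e.g. `https://bugs.gentoo.org/935271` followed by `Apply the CVE-2024-6387 sshsigdie() change to the x509-15.0 patchset; drops the local DO_LOG_SAFE_IN_SIGHAND override in favour of SYSLOG_R_SAFE_IN_SIGHAND.` The hunk at -69955 starts and ends inside the glue diff, so I cannot tell from here whether DO_LOG_SAFE_IN_SIGHAND is tested anywhere else in the patchset; a remaining `#ifdef` would simply evaluate false, but it is worth a grep before merging.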
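Review bot: The first ebuild hunk drops `openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch` from PATCHES, which the commit message ("Revbump, add fix for CVE-2024-6387") does not mention and which is unrelated to CVE-2024-6387; the diffstat shows the file itself is not deleted, so it is now either orphaned or still used by another ebuild. If the drop is deliberate (for instance because the 9.7 seccomp filter already rejects those calls — I cannot verify that from here), state it in the commit message; otherwise the pre-auth privsep child loses that sandbox restriction in -r4. A one-line comment above the new array, `# applied only without the X509 patchset; X509 builds get the same sshsigdie() change via openssh-9.7_p1-X509-CVE-2024-6387.patch`, would also explain why the CVE fix is split in two.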
@@ -156,6 +161,7 @@ src_prepare() {
 if use X509 ; then
 pushd "${WORKDIR}" &>/dev/null || die
 eapply "${WORKDIR}/${X509_GLUE_PATCH}"
+ eapply "${FILESDIR}/openssh-9.7_p1-X509-CVE-2024-6387.patch"
 popd &>/dev/null || die
 eapply "${WORKDIR}"/${X509_PATCH%.*}
@@ -174,6 +180,8 @@ src_prepare() {
 -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
 "${S}"/version.h || die "Failed to sed-in X.509 patch version"
 PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+ else
+ eapply "${NON_X509_PATCHES[@]}"
 fi
 if use hpn ; then
@@ -314,6 +322,7 @@ src_configure() {
 $(use_with pam)
 $(use_with pie)
 $(use_with selinux)
+ $(use_with security-key security-key-builtin)
 $(usex X509 '' "$(use_with security-key security-key-builtin)")
 $(use_with ssl openssl)
 $(use_with ssl ssl-engine)
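Review bot: The last hunk adds `$(use_with security-key security-key-builtin)` unconditionally while keeping the existing `$(usex X509 '' "$(use_with security-key security-key-builtin)")` on the next line, so non-X509 builds now pass the same configure option twice and X509 builds, which -r3 deliberately excluded, now receive it; neither effect is mentioned in the commit message. If the intent is to enable builtin security-key support for X509 builds as well, drop the `usex` line and say so in the message; if not, the added line should be reverted. src_configure() continues beyond this hunk, so I cannot see whether the X509 branch adjusts this option elsewhere.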
