Added security fix for below CVE: CVE-2020-14145 Link: https://security-tracker.debian.org/tracker/CVE-2020-14145 Link: https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
Signed-off-by: Saloni Jain <saloni.j...@kpit.com> --- .../openssh/openssh/CVE-2020-14145.patch | 87 ++++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_8.4p1.bb | 3 +- 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode 100644 index 0000000..50bf74d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch @@ -0,0 +1,87 @@ +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" <d...@openbsd.org> +Date: Fri, 18 Sep 2020 05:23:03 +0000 +Subject: upstream: tweak the client hostkey preference ordering algorithm to + +prefer the default ordering if the user has a key that matches the +best-preference default algorithm. + +feedback and ok markus@ + +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f +CVE: CVE-2020-14145 +Upstream-Status: Backport [https://security-tracker.debian.org/tracker/CVE-2020-14145] +Comment: 1 hunk with comment changes removed. +--- + sshconnect2.c | 39 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 2 deletions(-) + +diff --git a/sshconnect2.c b/sshconnect2.c +index 347e348c..f64aae66 100644 +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + return 0; + } + ++/* Returns the first item from a comma-separated algorithm list */ ++static char * ++first_alg(const char *algs) ++{ ++ char *ret, *cp; ++ ++ ret = xstrdup(algs); ++ if ((cp = strchr(ret, ',')) != NULL) ++ *cp = '\0'; ++ return ret; ++} ++ + static char * + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + { +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; + size_t maxlen; +- struct hostkeys *hostkeys; ++ struct hostkeys *hostkeys = NULL; + int ktype; + u_int i; + +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + ++ /* ++ * If a plain public key exists that matches the type of the best ++ * preference HostkeyAlgorithms, then use the whole list as is. ++ * Note that we ignore whether the best preference algorithm is a ++ * certificate type, as sshconnect.c will downgrade certs to ++ * plain keys if necessary. ++ */ ++ best = first_alg(options.hostkeyalgorithms); ++ if (lookup_key_in_hostkeys_by_type(hostkeys, ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { ++ debug3("%s: have matching best-preference key type %s, " ++ "using HostkeyAlgorithms verbatim", __func__, best); ++ ret = xstrdup(options.hostkeyalgorithms); ++ goto out; ++ } ++ ++ /* ++ * Otherwise, prefer the host key algorithms that match known keys ++ * while keeping the ordering of HostkeyAlgorithms as much as possible. ++ */ + oavail = avail = xstrdup(options.hostkeyalgorithms); + maxlen = strlen(avail) + 1; + first = xmalloc(maxlen); +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + if (*first != '\0') + debug3("%s: prefer hostkeyalgs: %s", __func__, first); + ++ out: ++ free(best); + free(first); + free(last); + free(hostname); +-- +cgit v1.2.3 + diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb index 688fc8a..b71e156 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb @@ -24,12 +24,13 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://CVE-2020-14145.patch \ " SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24" # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_CHECK_WHITELIST += "CVE-2014-9278" +CVE_CHECK_WHITELIST += "CVE-2014-9278 CVE-2020-15778" PAM_SRC_URI = "file://sshd" -- 2.7.4 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#147035): https://lists.openembedded.org/g/openembedded-core/message/147035 Mute This Topic: https://lists.openembedded.org/mt/79981996/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
