Thanks for helping with CVE's! On Wed, Jan 20, 2021 at 6:14 AM saloni <[email protected]> wrote: > > Added security fix for below CVE: > > CVE-2020-14145 > Link: https://security-tracker.debian.org/tracker/CVE-2020-14145 > Link: > https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d > > Signed-off-by: Saloni Jain <[email protected]> > --- > .../openssh/openssh/CVE-2020-14145.patch | 87 > ++++++++++++++++++++++ > meta/recipes-connectivity/openssh/openssh_8.4p1.bb | 3 +- > 2 files changed, 89 insertions(+), 1 deletion(-) > create mode 100644 > meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > new file mode 100644 > index 0000000..50bf74d > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > @@ -0,0 +1,87 @@ > +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 > +From: "[email protected]" <[email protected]> > +Date: Fri, 18 Sep 2020 05:23:03 +0000 > +Subject: upstream: tweak the client hostkey preference ordering algorithm to > + > +prefer the default ordering if the user has a key that matches the > +best-preference default algorithm. > + > +feedback and ok markus@ > + > +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f > +CVE: CVE-2020-14145 > +Upstream-Status: Backport > [https://security-tracker.debian.org/tracker/CVE-2020-14145] > +Comment: 1 hunk with comment changes removed.
Needs your Signed-off-by here. See "Patch name convention and commit message" section at: https://wiki.yoctoproject.org/wiki/Security > +--- > + sshconnect2.c | 39 +++++++++++++++++++++++++++++++++++++-- > + 1 file changed, 37 insertions(+), 2 deletions(-) > + > +diff --git a/sshconnect2.c b/sshconnect2.c > +index 347e348c..f64aae66 100644 > +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, > struct ssh *ssh) > + return 0; > + } > + > ++/* Returns the first item from a comma-separated algorithm list */ > ++static char * > ++first_alg(const char *algs) > ++{ > ++ char *ret, *cp; > ++ > ++ ret = xstrdup(algs); > ++ if ((cp = strchr(ret, ',')) != NULL) > ++ *cp = '\0'; > ++ return ret; > ++} > ++ > + static char * > + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) > + { > +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; > ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; > ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; > + size_t maxlen; > +- struct hostkeys *hostkeys; > ++ struct hostkeys *hostkeys = NULL; > + int ktype; > + u_int i; > + > +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr > *hostaddr, u_short port) > + for (i = 0; i < options.num_system_hostfiles; i++) > + load_hostkeys(hostkeys, hostname, > options.system_hostfiles[i]); > + > ++ /* > ++ * If a plain public key exists that matches the type of the best > ++ * preference HostkeyAlgorithms, then use the whole list as is. > ++ * Note that we ignore whether the best preference algorithm is a > ++ * certificate type, as sshconnect.c will downgrade certs to > ++ * plain keys if necessary. > ++ */ > ++ best = first_alg(options.hostkeyalgorithms); > ++ if (lookup_key_in_hostkeys_by_type(hostkeys, > ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { > ++ debug3("%s: have matching best-preference key type %s, " > ++ "using HostkeyAlgorithms verbatim", __func__, best); > ++ ret = xstrdup(options.hostkeyalgorithms); > ++ goto out; > ++ } > ++ > ++ /* > ++ * Otherwise, prefer the host key algorithms that match known keys > ++ * while keeping the ordering of HostkeyAlgorithms as much as > possible. > ++ */ > + oavail = avail = xstrdup(options.hostkeyalgorithms); > + maxlen = strlen(avail) + 1; > + first = xmalloc(maxlen); > +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, > u_short port) > + if (*first != '\0') > + debug3("%s: prefer hostkeyalgs: %s", __func__, first); > + > ++ out: > ++ free(best); > + free(first); > + free(last); > + free(hostname); > +-- > +cgit v1.2.3 > + > diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb > b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb > index 688fc8a..b71e156 100644 > --- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb > @@ -24,12 +24,13 @@ SRC_URI = > "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ > file://sshd_check_keys \ > file://add-test-support-for-busybox.patch \ > + file://CVE-2020-14145.patch \ > " > SRC_URI[sha256sum] = > "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24" > > # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat > Enterprise Linux 7 > # and when running in a Kerberos environment. As such it is not relevant to > OpenEmbedded > -CVE_CHECK_WHITELIST += "CVE-2014-9278" > +CVE_CHECK_WHITELIST += "CVE-2014-9278 CVE-2020-15778" Why are you modifying the whitelist here? Steve > PAM_SRC_URI = "file://sshd" > > -- > 2.7.4 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#147036): https://lists.openembedded.org/g/openembedded-core/message/147036 Mute This Topic: https://lists.openembedded.org/mt/79981996/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
