On 12/30/21 19:54, Jacob Kroon via lists.openembedded.org wrote: > On 12/22/21 15:12, Steve Sakoman wrote: >> From: sana kazi <sanakazis...@gmail.com> >> >> Add patch to fix CVE-2021-41617 >> Link: https://bugzilla.suse.com/attachment.cgi?id=854015 >> >> Signed-off-by: Sana Kazi <sana.k...@kpit.com> >> Signed-off-by: Sana Kazi <sanakazis...@gmail.com> >> Signed-off-by: Steve Sakoman <st...@sakoman.com> >> --- >> .../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++++++++++++ >> .../openssh/openssh_8.2p1.bb | 1 + >> 2 files changed, 53 insertions(+) >> create mode 100644 >> meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch >> >> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch >> b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch >> new file mode 100644 >> index 0000000000..bda896f581 >> --- /dev/null >> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch 
>> @@ -0,0 +1,52 @@ >> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001 >> +From: Ali Abdallah <aabdal...@suse.de> >> +Date: Wed, 24 Nov 2021 13:33:39 +0100 >> +Subject: [PATCH] CVE-2021-41617 fix >> + >> +backport of the following two upstream commits >> + >> +f3cbe43e28fe71427d41cfe3a17125b972710455 >> +bf944e3794eff5413f2df1ef37cddf96918c6bde >> + >> +CVE-2021-41617 failed to correctly initialise supplemental groups >> +when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, >> +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser >> +directive has been set to run the command as a different user. Instead >> +these commands would inherit the groups that sshd(8) was started with. >> +--- >> + auth.c | 8 ++++++++ >> + 1 file changed, 8 insertions(+) >> + >> +CVE: CVE-2021-41617 >> +Upstream-Status: Backport >> [https://bugzilla.suse.com/attachment.cgi?id=854015] >> +Comment: No change in any hunk >> +Signed-off-by: Sana Kazi <sana.k...@kpit.com> >> + >> +diff --git a/auth.c b/auth.c >> +index 163038f..a47b267 100644 >> +--- a/auth.c >> ++++ b/auth.c >> +@@ -52,6 +52,7 @@ >> + #include <limits.h> >> + #include <netdb.h> >> + #include <time.h> >> ++#include <grp.h> >> + >> + #include "xmalloc.h" >> + #include "match.h" >> +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const >> char *command, >> + } >> + closefrom(STDERR_FILENO + 1); >> + >> ++ if (geteuid() == 0 && >> ++ initgroups(pw->pw_name, pw->pw_gid) == -1) { >> ++ error("%s: initgroups(%s, %u): %s", tag, >> ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); >> ++ _exit(1); >> ++ } >> ++ >> + /* Don't use permanently_set_uid() here to avoid fatal() */ >> + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { >> + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, >> +-- >> +2.26.2 
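Review bot: in the subprocess() hunk of auth.c the new initgroups() error path uses errno and strerror(), yet the only include added is <grp.h>; confirm auth.c already includes <errno.h> and <string.h> (if it does, nothing further is needed). The placement looks right: initgroups() is called while the process is still euid 0 and before the setresgid() drop, and taking _exit(1) on failure rather than continuing with the groups sshd(8) was started with is exactly what CVE-2021-41617 requires. Minor documentation point: Upstream-Status cites the SUSE bugzilla attachment, while the description names the two upstream commits (f3cbe43e28fe71427d41cfe3a17125b972710455, bf944e3794eff5413f2df1ef37cddf96918c6bde); listing those would be the more durable reference for future rebases.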
>> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb >> b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb >> index b60d1a6bd4..e903ec487d 100644 >> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb >> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb >> @@ -26,6 +26,7 @@ SRC_URI = >> "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar >> file://add-test-support-for-busybox.patch \ >> file://CVE-2020-14145.patch \ >> file://CVE-2021-28041.patch \ >> + file://CVE-2021-41617.patch \ >> " >> SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" >> SRC_URI[sha256sum] = >> "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" >> >> >> >> >> > > I would have expected this patch to leave a mark in my buildhistory, but > nothing related to openssh(d) shows up. > > Size of /usr/sbin/sshd stays the same, which at least to me is a little > odd.. but I can see that the sha256sum output of sshd changes. > > (It would be nice to have sha256sum hashes of files in buildhistory) > > Am I the only one who thinks this is a little strange ? > > /Jacob >
Let me rephrase: I do see changes related to debug information and the debug package, but no change in the size of the resulting '/usr/sbin/sshd' that goes in the final image.

/Jacob
View/Reply Online (#160064): https://lists.openembedded.org/g/openembedded-core/message/160064