Hi, Was looking if CVE-2023-28531 was backported to kirkstone already and noticed this patch was already proposed before, but not merged/accepted.
Since it showed up once in the metrics report, was it decided to be ignored in the end (but then I wasn't able to find it defined in CVE_CHECK_IGNORE)? Thanks, Ricardo On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <[email protected]> wrote: > > Backport patch to fix CVE-2023-28531. > > Signed-off-by: Chen Qi <[email protected]> > --- > ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++ > .../openssh/openssh_8.9p1.bb | 1 + > 2 files changed, 36 insertions(+) > create mode 100644 > meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > > diff --git > a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > > b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > new file mode 100644 > index 0000000000..b4e7ce7ef6 > --- /dev/null > +++ > b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > @@ -0,0 +1,35 @@ > +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001 > +From: "[email protected]" <[email protected]> > +Date: Thu, 9 Mar 2023 06:58:26 +0000 > +Subject: [PATCH] upstream: include destination constraints for smartcard keys > + too. > + > +Spotted by Luci Stanescu; ok deraadt@ markus@ > + > +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f > + > +CVE: CVE-2023-28531 > + > +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed] > + > +Signed-off-by: Chen Qi <[email protected]> > +--- > + authfd.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/authfd.c b/authfd.c > +index 76e48aab..dca8e55b 100644 > +--- a/authfd.c > ++++ b/authfd.c > +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char > *reader_id, const char *pin, > + struct dest_constraint **dest_constraints, size_t ndest_constraints) > + { > + struct sshbuf *msg; > +- int r, constrained = (life || confirm); > ++ int r, constrained = (life || confirm || dest_constraints); > + u_char type; > + > + if (add) { > +-- > +2.37.1 > + > diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > index 6057d055f4..d81072537c 100644 > --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > @@ -26,6 +26,7 @@ SRC_URI = > "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://add-test-support-for-busybox.patch \ > file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \ > > file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \ > + > file://0001-upstream-include-destination-constraints-for-smartca.patch \ > " > SRC_URI[sha256sum] = > "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7" > > -- > 2.37.1 > > > > -- Ricardo Salveti
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#182689): https://lists.openembedded.org/g/openembedded-core/message/182689 Mute This Topic: https://lists.openembedded.org/mt/97901027/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
