On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <[email protected]> wrote:
>
> Hi,
>
> Was looking if CVE-2023-28531 was backported to kirkstone already and
> noticed this patch was already proposed before, but not
> merged/accepted.

Sigh, it looks like I somehow missed this one and no one followed up on it :-(

I've got it in my test queue now.

Thanks for letting me know!

Steve

> Since it showed up once in the metrics report, was it decided to be
> ignored in the end (but then I wasn't able to find it defined in
> CVE_CHECK_IGNORE)?
>
> Thanks,
>
> Ricardo
>
> On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <[email protected]> wrote:
> >
> > Backport patch to fix CVE-2023-28531.
> >
> > Signed-off-by: Chen Qi <[email protected]>
> > ---
> >  ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
> >  .../openssh/openssh_8.9p1.bb                  |  1 +
> >  2 files changed, 36 insertions(+)
> >  create mode 100644 
> > meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> >
> > diff --git 
> > a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> >  
> > b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> > new file mode 100644
> > index 0000000000..b4e7ce7ef6
> > --- /dev/null
> > +++ 
> > b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> > @@ -0,0 +1,35 @@
> > +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
> > +From: "[email protected]" <[email protected]>
> > +Date: Thu, 9 Mar 2023 06:58:26 +0000
> > +Subject: [PATCH] upstream: include destination constraints for smartcard 
> > keys
> > + too.
> > +
> > +Spotted by Luci Stanescu; ok deraadt@ markus@
> > +
> > +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
> > +
> > +CVE: CVE-2023-28531
> > +
> > +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
> > +
> > +Signed-off-by: Chen Qi <[email protected]>
> > +---
> > + authfd.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/authfd.c b/authfd.c
> > +index 76e48aab..dca8e55b 100644
> > +--- a/authfd.c
> > ++++ b/authfd.c
> > +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char 
> > *reader_id, const char *pin,
> > +     struct dest_constraint **dest_constraints, size_t ndest_constraints)
> > + {
> > +       struct sshbuf *msg;
> > +-      int r, constrained = (life || confirm);
> > ++      int r, constrained = (life || confirm || dest_constraints);
> > +       u_char type;
> > +
> > +       if (add) {
> > +--
> > +2.37.1
> > +
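
Review bot: The `Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]` line in the patch header carries only a bare hash, and that hash differs from the one on the `From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06` line, so a reader cannot tell which repository to look it up in. Suggest putting the full URL of the upstream commit inside the brackets. On the authfd.c change itself: `constrained` now tests the `dest_constraints` pointer rather than `ndest_constraints`, which should stay as upstream has it for a backport, but it is worth confirming that the callers in 8.9p1 pass NULL when no destination constraints are requested.
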
> > diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
> > b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > index 6057d055f4..d81072537c 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > @@ -26,6 +26,7 @@ SRC_URI = 
> > "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> >             file://add-test-support-for-busybox.patch \
> >             file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
> >             
> > file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
> > +           
> > file://0001-upstream-include-destination-constraints-for-smartca.patch \
> >             "
> >  SRC_URI[sha256sum] = 
> > "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
> >
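
Review bot: The new SRC_URI entry keeps the truncated format-patch name `0001-upstream-include-destination-constraints-for-smartca.patch`, which does not say what the patch fixes when someone scans the recipe. Suggest naming the file after the CVE it carries, for example `CVE-2023-28531.patch`, matching the `CVE: CVE-2023-28531` tag in its header, so the fix is easy to find when auditing which CVEs this recipe already patches.
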
> > --
> > 2.37.1
> >
> >
> > 
> >
>
>
> --
> Ricardo Salveti