On Mon, Aug 21, 2023 at 3:56 PM virendra thakur
<[email protected]> wrote:
>
> From: Virendra Thakur <[email protected]>
>
> Add patches to fix CVE-2023-38408 (two backported upstream commits)
>
> Upstream-Status: Backport 
> [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]

launchpadlibrarian.net is not upstream for openssh!

Please send a v2 that references the actual upstream commits.

Thanks,

Steve

>
> Signed-off-by: Virendra Thakur <[email protected]>
> ---
>  .../openssh/openssh/CVE-2023-38408-1.patch    |  31 ++++
>  .../openssh/openssh/CVE-2023-38408-3.patch    | 161 ++++++++++++++++++
>  .../openssh/openssh_8.2p1.bb                  |   2 +
>  3 files changed, 194 insertions(+)
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch 
> b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
> new file mode 100644
> index 0000000000..3d7c7bd357
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
> @@ -0,0 +1,31 @@
> +From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
> +From: "[email protected]" <[email protected]>
> +Date: Wed, 19 Jul 2023 13:55:53 +0000
> +Subject: [PATCH] upstream: terminate process if requested to load a PKCS#11
> + provider
> +
> +that isn't a PKCS#11 provider; from / ok markus@
> +
> +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
> +CVE: CVE-2023-38408
> +Upstream-Status: Backport 
> [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]
> +Signed-off-by: Virendra Thakur <[email protected]>
> +---
> + ssh-pkcs11.c | 8 +++-----
> + 1 file changed, 3 insertions(+), 5 deletions(-)
> +
> +--- a/ssh-pkcs11.c
> ++++ b/ssh-pkcs11.c
> +@@ -1504,10 +1504,8 @@ pkcs11_register_provider(char *provider_
> +               error("dlopen %s failed: %s", provider_id, dlerror());
> +               goto fail;
> +       }
> +-      if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
> +-              error("dlsym(C_GetFunctionList) failed: %s", dlerror());
> +-              goto fail;
> +-      }
> ++      if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
> ++              fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
> +       p = xcalloc(1, sizeof(*p));
> +       p->name = xstrdup(provider_id);
> +       p->handle = handle;
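Review bot: Turning the dlsym failure into `fatal()` only closes the `goto fail` unload path; by the time `C_GetFunctionList` is looked up, the `dlopen(provider_id, RTLD_NOW)` visible as context at the top of the hunk has already run the library's constructors in this process, so this patch on its own does not stop the side effects CVE-2023-38408 is about and is only effective together with the pre-dlopen symbol check carried in the companion patch. The patch header should say so, e.g. `Part 1 of the CVE-2023-38408 fix; relies on CVE-2023-38408-3.patch to reject non-PKCS#11 libraries before dlopen()`, so the two are not cherry-picked separately later. It is also worth recording which process `fatal()` now terminates — in 8.2p1 presumably the ssh-pkcs11-helper rather than ssh-agent itself, which I cannot confirm from here — since the change turns a logged error into a process exit. `pkcs11_register_provider` begins before and continues after this hunk.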
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch 
> b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
> new file mode 100644
> index 0000000000..6a94b8715c
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
> @@ -0,0 +1,161 @@
> +Backport of:
> +
> +From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001
> +From: "[email protected]" <[email protected]>
> +Date: Wed, 19 Jul 2023 14:02:27 +0000
> +Subject: [PATCH] upstream: Ensure FIDO/PKCS11 libraries contain expected
> + symbols
> +
> +This checks via nlist(3) that candidate provider libraries contain one
> +of the symbols that we will require prior to dlopen(), which can cause
> +a number of side effects, including execution of constructors.
> +
> +Feedback deraadt; ok markus
> +
> +OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
> +CVE: CVE-2023-38408
> +Upstream-Status: Backport 
> [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]
> +Signed-off-by: Virendra Thakur <[email protected]>
> +---
> + misc.c       | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++-
> + misc.h       |  3 +-
> + ssh-pkcs11.c |  6 +++-
> + ssh-sk.c     |  8 ++++--
> + 4 files changed, 89 insertions(+), 6 deletions(-)
> +
> +--- a/misc.c
> ++++ b/misc.c
> +@@ -28,6 +28,7 @@
> +
> + #include <sys/types.h>
> + #include <sys/ioctl.h>
> ++#include <sys/mman.h>
> + #include <sys/socket.h>
> + #include <sys/stat.h>
> + #include <sys/time.h>
> +@@ -41,6 +42,9 @@
> + #ifdef HAVE_POLL_H
> + #include <poll.h>
> + #endif
> ++#ifdef HAVE_NLIST_H
> ++#include <nlist.h>
> ++#endif
> + #include <signal.h>
> + #include <stdarg.h>
> + #include <stdio.h>
> +@@ -2314,3 +2318,75 @@ ssh_signal(int signum, sshsig_t handler)
> +       }
> +       return osa.sa_handler;
> + }
> ++
> ++/*
> ++ * Returns zero if the library at 'path' contains symbol 's', nonzero
> ++ * otherwise.
> ++ */
> ++int
> ++lib_contains_symbol(const char *path, const char *s)
> ++{
> ++#ifdef HAVE_NLIST_H
> ++      struct nlist nl[2];
> ++      int ret = -1, r;
> ++
> ++      memset(nl, 0, sizeof(nl));
> ++      nl[0].n_name = xstrdup(s);
> ++      nl[1].n_name = NULL;
> ++      if ((r = nlist(path, nl)) == -1) {
> ++              error("nlist failed for %s", path);
> ++              goto out;
> ++      }
> ++      if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
> ++              error("library %s does not contain symbol %s", path, s);
> ++              goto out;
> ++      }
> ++      /* success */
> ++      ret = 0;
> ++ out:
> ++      free(nl[0].n_name);
> ++      return ret;
> ++#else /* HAVE_NLIST_H */
> ++      int fd, ret = -1;
> ++      struct stat st;
> ++      void *m = NULL;
> ++      size_t sz = 0;
> ++
> ++      memset(&st, 0, sizeof(st));
> ++      if ((fd = open(path, O_RDONLY)) < 0) {
> ++              error("open %s: %s", path, strerror(errno));
> ++              return -1;
> ++      }
> ++      if (fstat(fd, &st) != 0) {
> ++              error("fstat %s: %s", path, strerror(errno));
> ++              goto out;
> ++      }
> ++      if (!S_ISREG(st.st_mode)) {
> ++              error("%s is not a regular file", path);
> ++              goto out;
> ++      }
> ++      if (st.st_size < 0 ||
> ++          (size_t)st.st_size < strlen(s) ||
> ++          st.st_size >= INT_MAX/2) {
> ++              error("%s bad size %lld", path, (long long)st.st_size);
> ++              goto out;
> ++      }
> ++      sz = (size_t)st.st_size;
> ++      if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED 
> ||
> ++          m == NULL) {
> ++              error("mmap %s: %s", path, strerror(errno));
> ++              goto out;
> ++      }
> ++      if (memmem(m, sz, s, strlen(s)) == NULL) {
> ++              error("%s does not contain expected string %s", path, s);
> ++              goto out;
> ++      }
> ++      /* success */
> ++      ret = 0;
> ++ out:
> ++      if (m != NULL && m != MAP_FAILED)
> ++              munmap(m, sz);
> ++      close(fd);
> ++      return ret;
> ++#endif /* HAVE_NLIST_H */
> ++}
> +--- a/misc.h
> ++++ b/misc.h
> +@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *
> + int    parse_absolute_time(const char *, uint64_t *);
> + void   format_absolute_time(uint64_t, char *, size_t);
> + int    path_absolute(const char *);
> ++int    lib_contains_symbol(const char *, const char *);
> +
> + void   sock_set_v6only(int);
> +
> +--- a/ssh-pkcs11.c
> ++++ b/ssh-pkcs11.c
> +@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_
> +                   __func__, provider_id);
> +               goto fail;
> +       }
> ++      if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
> ++              error("provider %s is not a PKCS11 library", provider_id);
> ++              goto fail;
> ++      }
> +       /* open shared pkcs11-library */
> +       if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
> +               error("dlopen %s failed: %s", provider_id, dlerror());
> +--- a/ssh-sk.c
> ++++ b/ssh-sk.c
> +@@ -119,10 +119,12 @@ sshsk_open(const char *path)
> + #endif
> +               return ret;
> +       }
> +-      if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
> +-              error("Provider \"%s\" dlopen failed: %s", path, dlerror());
> ++      if (lib_contains_symbol(path, "sk_api_version") != 0) {
> ++              error("provider %s is not an OpenSSH FIDO library", path);
> +               goto fail;
> +       }
> ++      if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
> ++              fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
> +       if ((ret->sk_api_version = dlsym(ret->dlhandle,
> +           "sk_api_version")) == NULL) {
> +               error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
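Review bot: On the glibc-based targets this recipe builds for there is no `<nlist.h>`, so the `#else` branch of `lib_contains_symbol` is what actually runs, and it only checks with `memmem()` that the bytes of the symbol name occur somewhere in the file — any file that happens to contain `C_GetFunctionList` or `sk_api_version` (a string table, a non-ELF file, an unrelated library) passes, and the file is then opened again independently by `dlopen()`. That is upstream's design and acceptable as a pre-load filter, but the description's "This checks via nlist(3)" is misleading for Linux; I would add to the header `Note: builds without nlist(3) (glibc) fall back to a byte search for the symbol name; this is a heuristic, not a symbol-table check` and put the same one-line comment above the `#else` branch. Also confirm that 8.2p1's configure.ac actually tests for `nlist.h` if any target is expected to take the first branch; otherwise `HAVE_NLIST_H` is never defined and that code is dead in this tree. `sshsk_open` and `pkcs11_register_provider` both start before and continue after their hunks in this nested patch.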
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb 
> b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index 79dba121ff..98cabbe937 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -27,6 +27,8 @@ SRC_URI = 
> "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://CVE-2020-14145.patch \
>             file://CVE-2021-28041.patch \
>             file://CVE-2021-41617.patch \
> +           file://CVE-2023-38408-1.patch \
> +           file://CVE-2023-38408-3.patch \
>             "
>  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
>  SRC_URI[sha256sum] = 
> "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
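Review bot: The recipe adds `CVE-2023-38408-1.patch` and `CVE-2023-38408-3.patch` but nothing named `-2`; the numbering, taken from the referenced Ubuntu package, suggests a middle patch exists there and was either deliberately dropped or forgotten, and the commit message should say which, and why if dropped — I cannot see the Ubuntu set from here, so this is a question rather than a finding. If it was dropped on purpose, rename the remaining file to `CVE-2023-38408-2.patch` so the gap does not read as an omission to the next person auditing this CVE. The `CVE:` tags inside the patch headers are what matters for cve-check, so the rename should be harmless either way.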
> --
> 2.25.1
>
>
> 
>