Hi Matthew,

Matthew Bullock <[email protected]> wrote (Tuesday, 2/07/2024 at 18:00):

> On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
> <[email protected]> wrote:
> >
> > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
> > Race condition resulting in potential remote code execution.
> >
> > A race condition in sshd(8) could allow remote code execution as root on
> > non-OpenBSD systems.
> >
> > This attack could be prevented by disabling the login grace timeout
> > (LoginGraceTime=0 in sshd_config)
> > though this makes denial-of-service against sshd(8) considerably easier.
> >
> > For more information, please refer to the release notes [1] and the
> > report from the Qualys Security Advisory Team [2] who discovered the bug.
>
> Wouldn't it be better to use the much cleaner fix from openssh-portable:
>
> https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47
>
> I realise that most of the distros seem to have copied the same early
> patch but I assume that was to get the fix done prior to public
> exposure. As there's a proper fix isn't that better?
>
> Matthew
>

On the regression report [1] the suggested way to fix this is this one, as you can see below:

[1] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

========================================================================
Patches and mitigation
========================================================================

Because this fix is part of a large commit (81c1099), on top of an even
larger defense-in-depth commit (03e3de4, "Start the process of splitting
sshd into separate binaries"), it might prove difficult to backport. In
that case, the signal handler race condition itself can be fixed by
removing or commenting out the async-signal-unsafe code from the
sshsigdie() function; for example:

------------------------------------------------------------------------
sshsigdie(const char *file, const char *func, int line, int showfunc,
    LogLevel level, const char *suffix, const char *fmt, ...)
{
#if 0
	va_list args;

	va_start(args, fmt);
	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
	    suffix, fmt, args);
	va_end(args);
#endif
	_exit(1);
}
------------------------------------------------------------------------

Jose

--
Best regards,
José Quaresma
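The contrast behind the quoted sshsigdie() change, as an added example that is not from this thread, the Qualys advisory or OpenSSH: a grace-timeout SIGALRM handler that logs through syslog() next to one limited to async-signal-safe calls, with a small harness that arms alarm(2) and observes the safe handler firing. All function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

static volatile sig_atomic_t grace_expired = 0;

/* Shape of the bug, for contrast only (never installed): syslog() may allocate
 * and take locks, so a SIGALRM landing inside malloc() or the logger re-enters them. */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");
    _exit(1);
}

/* Shape of the mitigation: write(2) and a sig_atomic_t store only, both
 * async-signal-safe. sshd would _exit(1) here; this sets a flag so the caller can see it. */
static void grace_alarm_safe(int sig)
{
    static const char msg[] = "Timeout before authentication\n";
    ssize_t n = write(STDERR_FILENO, msg, sizeof msg - 1);
    (void)sig; (void)n;     /* nothing async-signal-safe to do on a write error */
    grace_expired = 1;
}

/* Install the safe handler (no SA_RESTART, so pause() returns). 0 on success. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Arm a grace timer of secs seconds and block as an unauthenticated session
 * would; returns 1 if the timeout handler ran, 0 otherwise. */
int run_grace_window(unsigned secs)
{
    grace_expired = 0;
    if (install_grace_handler() != 0)
        return 0;
    alarm(secs);
    pause();                /* returns once the handler has run */
    return grace_expired ? 1 : 0;
}

int main(void) { return run_grace_window(1) == 1 ? 0 : 1; }
```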
