On Tue, Jul 2, 2024 at 10:15 AM Jose Quaresma via
lists.openembedded.org
<[email protected]> wrote:
>
> Hi Matthew,
>
> Matthew Bullock <[email protected]> wrote (Tuesday, 2/07/2024
> at 18:00):
>>
>> On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
>> <[email protected]> wrote:
>> >
>> > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
>> > Race condition resulting in potential remote code execution.
>> > A race condition in sshd(8) could allow remote code execution as root on 
>> > non-OpenBSD systems.
>> > This attack could be prevented by disabling the login grace timeout
>> > (LoginGraceTime=0 in sshd_config)
>> > though this makes denial-of-service against sshd(8) considerably easier.
>> > For more information, please refer to the release notes [1] and the
>> > report from the Qualys Security Advisory Team [2] who discovered the bug.
>>
>> Wouldn't it be better to use the much cleaner fix from openssh-portable:
>> https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47
>>
>> I realise that most of the distros seem to have copied the same early
>> patch but I assume that was to get the fix done prior to public
>> exposure. As there's a proper fix isn't that better?
>>
>> Matthew
>
>
> On the regression report [1] the suggested way to fix this is this one as you 
> can see below:
> [1] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
>
> ========================================================================
>
> Patches and mitigation
>
> ========================================================================
>
> Because this fix is part of a large commit (81c1099), on top of an even
> larger defense-in-depth commit (03e3de4, "Start the process of splitting
> sshd into separate binaries"), it might prove difficult to backport. In

Thanks for this additional explanation. You can disregard my previous
request for a V2 on the scarthgap version since there is no upstream commit!

Steve

> that case, the signal handler race condition itself can be fixed by
> removing or commenting out the async-signal-unsafe code from the
> sshsigdie() function; for example:
>
> ------------------------------------------------------------------------
> sshsigdie(const char *file, const char *func, int line, int showfunc,
>     LogLevel level, const char *suffix, const char *fmt, ...)
> {
> #if 0
>         va_list args;
>
>         va_start(args, fmt);
>         sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
>             suffix, fmt, args);
>         va_end(args);
> #endif
>         _exit(1);
> }
> ------------------------------------------------------------------------
>
>
> Jose
>
> --
> Best regards,
>
> José Quaresma
>
> 
>
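The affected range and the LoginGraceTime mitigation quoted above, turned into a small triage check. This is an added example, not code from the thread, from Qualys or from OpenSSH; it assumes `ssh -V` style version strings or SSH-2.0 banners as input, sshd_config's first-occurrence-wins keyword handling, and constructed sample inputs in the comments.

```python
import re
# Added triage helper, not from the thread or OpenSSH. Range is the one quoted
# from the release notes: Portable OpenSSH 8.5p1 to 9.7p1 inclusive.
AFFECTED_MIN = (8, 5, 1)
AFFECTED_MAX = (9, 7, 1)
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
TIME_RE = re.compile(r"(\d+)([smhdw]?)")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_openssh_version(banner):
    """(major, minor, p) from an 'ssh -V' line or SSH-2.0 banner, else None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p else 0)

def version_in_affected_range(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def parse_time(value):
    """sshd_config time format: bare seconds or number+unit runs such as 1h30m."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in TIME_RE.findall(value))

def login_grace_time(sshd_config_text):
    """Effective LoginGraceTime in seconds. As in sshd, the first occurrence of
    a keyword wins, keywords are case-insensitive, and the default is 120."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parse_time(parts[1].split()[0])
    return 120

def assess(banner, sshd_config_text):
    # A version in range is only a lead: distros backport without bumping it.
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown: no OpenSSH version in banner"
    if not version_in_affected_range(version):
        return "version outside affected range"
    grace = login_grace_time(sshd_config_text)
    if grace == 0:
        return "affected range, mitigated by LoginGraceTime 0 (DoS easier)"
    return "affected range, LoginGraceTime %d: confirm the distro backport" % grace
```

Constructed sample call: `assess("OpenSSH_9.2p1 Debian-2+deb12u2", open("/etc/ssh/sshd_config").read())` reports the range hit and the effective grace time, leaving the backport question to the package changelog.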
View/Reply Online (#201477): 
https://lists.openembedded.org/g/openembedded-core/message/201477