Sync from SUSE:ALP:Source:Standard:1.0 openssh revision ceaadb74c2815019965815d8350b5100

2024-07-17 15:07:05 +02:00 · 2024-07-17 15:07:05 +02:00 · 73e8c8bbcb
commit 73e8c8bbcb
parent 00e6e9d3e4
6 changed files with 177 additions and 2 deletions
--- a/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+++ b/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
@ -0,0 +1,55 @@
+From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 30 Apr 2024 02:14:10 +0000
+Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
+ reported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+by Tõivo Leedjärv; ok deraadt@
+
+OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
+---
+ clientloop.c | 4 ++--
+ serverloop.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index be8bb5fc1f2..8ea2ada4216 100644
+--- a/clientloop.c
+++ b/clientloop.c
+#@@ -1,4 +1,4 @@
+#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
+#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
+# /*
+#  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+#  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+ 		client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
+ 		    &npfd_active, channel_did_enqueue, &osigset,
+ 		    &conn_in_ready, &conn_out_ready);
+-		if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+		if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
+ 			error_f("osigset sigprocmask: %s", strerror(errno));
+ 
+ 		if (quit_pending)
+diff --git a/serverloop.c b/serverloop.c
+index f3683c2e4a6..94c8943a616 100644
+--- a/serverloop.c
+++ b/serverloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
+ 		wait_until_can_do_something(ssh, connection_in, connection_out,
+ 		    &pfd, &npfd_alloc, &npfd_active, &osigset,
+ 		    &conn_in_ready, &conn_out_ready);
+-		if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+		if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
+ 			error_f("osigset sigprocmask: %s", strerror(errno));
+ 
+ 		if (received_sigterm) {
--- a/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+++ b/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
@ -0,0 +1,32 @@
+From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 21 Feb 2024 05:57:34 +0000
+Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
+ timing
+
+obfuscation was added. GHPR#463 from montag451
+
+OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
+---
+ clientloop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index eb4902905fb..8ec36af94b3 100644
+--- a/clientloop.c
+++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
+ {
+ 	int r;
+ 
+-	if ((ssh->kex->flags & KEX_HAS_PING) == 0)
+	if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
+ 		return 0;
+ 	/* XXX probabilistically send chaff? */
+ 	/*
--- a/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+++ b/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
@ -0,0 +1,38 @@
+From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 1 Jul 2024 04:31:17 +0000
+Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
+ we
+
+can't rely on channel_did_enqueue to tell that there is data to send. This
+flag indicates that the channels code enqueued a packet on _this_ ppoll()
+iteration, not that data was enqueued in _any_ ppoll() iteration in the
+timeslice. ok markus@
+
+OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+---
+ clientloop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 0b6f3c9be02..8ed8b1c3449 100644
+--- a/clientloop.c
+++ b/clientloop.c
+#@@ -1,4 +1,4 @@
+#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
+#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
+# /*
+#  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+#  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
+		} else if (timespeccmp(&now, &next_interval, >=) &&
+		    !ssh_packet_have_data_to_write(ssh)) {
+			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}
--- a/fix-CVE-2024-6387.patch
+++ b/fix-CVE-2024-6387.patch
@ -0,0 +1,19 @@
+Index: openssh-9.6p1/log.c
+===================================================================
+--- openssh-9.6p1.orig/log.c
+++ openssh-9.6p1/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
+#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
+#endif
+ 	_exit(1);
+ }
+ 
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Fri Jul  5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch from upstream to fix proxy multiplexing mode:
+  * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+- Add patch from upstream to restore correctly sigprocmask
+  * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+- Add patch from upstream to fix a logic error in
+  ObscureKeystrokeTiming that rendered this feature ineffective,
+  allowing a passive observer to detect which network packets
+  contained real keystrokes (bsc#1227318, CVE-2024-39894):
+  * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+
+-------------------------------------------------------------------
+Mon Jul  1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch to fix a race condition in a signal handler by removing
+  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
+  * fix-CVE-2024-6387.patch
+
 -------------------------------------------------------------------
 Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>

@ -10,7 +30,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
    protocol by sending extra messages prior to the commencement of
    encryption, and deleting an equal number of consecutive messages
    immediately after encryption starts. A peer SSH client/server
-    would not be able to detect that messages were deleted.
+    would not be able to detect that messages were deleted
+    (bsc#1217950, CVE-2023-48795).
  * ssh-agent(1): when adding PKCS#11-hosted private keys while
    specifying destination constraints, if the PKCS#11 token returned
    multiple keys then only the first key had the constraints applied.
@ -22,7 +43,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
    user or hostname via %u, %h or similar expansion token, then
    an attacker who could supply arbitrary user/hostnames to ssh(1)
    could potentially perform command injection depending on what
-    quoting was present in the user-supplied ssh_config(5) directive.
+    quoting was present in the user-supplied ssh_config(5) directive
+    (bsc#1218215, CVE-2023-51385).

  = Potentially incompatible changes
  * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
--- a/openssh.spec
+++ b/openssh.spec
@ -122,6 +122,15 @@ Patch103:       openssh-6.6p1-privsep-selinux.patch
 Patch104:       openssh-6.6p1-keycat.patch
 Patch105:       openssh-6.6.1p1-selinux-contexts.patch
 Patch106:       openssh-7.6p1-cleanup-selinux.patch
+# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
+Patch109:       fix-CVE-2024-6387.patch
+# PATCH-FIX-UPSTREAM 
+Patch110:       0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+# PATCH-FIX-UPSTREAM 
+Patch111:       0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
+Patch112:       0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff