Sync from SUSE:ALP:Source:Standard:1.0 openssh revision ceaadb74c2815019965815d8350b5100

Adrian Schröter 2024-07-17 15:07:05 +02:00
parent 00e6e9d3e4
commit 73e8c8bbcb
6 changed files with 177 additions and 2 deletions


@ -0,0 +1,55 @@
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 30 Apr 2024 02:14:10 +0000
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
reported
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
by Tõivo Leedjärv; ok deraadt@
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
---
clientloop.c | 4 ++--
serverloop.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index be8bb5fc1f2..8ea2ada4216 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
&npfd_active, channel_did_enqueue, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (quit_pending)
diff --git a/serverloop.c b/serverloop.c
index f3683c2e4a6..94c8943a616 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
wait_until_can_do_something(ssh, connection_in, connection_out,
&pfd, &npfd_alloc, &npfd_active, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (received_sigterm) {
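Review bot: The clientloop.c `$OpenBSD$` ident hunk in this carried patch is disabled with `#` prefixes while the equivalent serverloop.c hunk is left live, and nothing in the patch header records that the file now differs from upstream commit 66aaa678dbe5. A vendored security patch that has been altered should say so, so that a later reviewer can diff it against upstream and confirm that only the ident hunk changed. A header line such as `# SUSE: clientloop.c ident hunk disabled, does not apply to the packaged tree` would do; the reason is presumably an ident mismatch, which should be confirmed. The ObscureKeystrokeTiming chaff patch disables its ident hunk the same way and needs the same note. Both `sigprocmask()` call sites sit in functions that begin and end outside the hunks shown.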


@ -0,0 +1,32 @@
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 21 Feb 2024 05:57:34 +0000
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
timing
obfuscation was added. GHPR#463 from montag451
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
---
clientloop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index eb4902905fb..8ec36af94b3 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
{
int r;
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
return 0;
/* XXX probabilistically send chaff? */
/*
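Review bot: The new `ssh->kex == NULL` guard in `send_chaff()` has no comment saying when `kex` can be NULL; the only hint is the commit subject, which mentions proxy multiplexing mode. A one-line comment above the test, e.g. `/* kex may be NULL (proxy multiplexing mode, per the upstream commit); no ping, so no chaff */`, would keep the check from later being dropped as dead code. The body of `send_chaff()` continues past the end of this hunk.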


@ -0,0 +1,38 @@
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 1 Jul 2024 04:31:17 +0000
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
---
clientloop.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 0b6f3c9be02..8ed8b1c3449 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
- } else if (timespeccmp(&now, &next_interval, >=)) {
- /* Otherwise if we were due to send, then send chaff */
+ } else if (timespeccmp(&now, &next_interval, >=) &&
+ !ssh_packet_have_data_to_write(ssh)) {
+ /* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}

19
fix-CVE-2024-6387.patch Normal file

@ -0,0 +1,19 @@
Index: openssh-9.6p1/log.c
===================================================================
--- openssh-9.6p1.orig/log.c
+++ openssh-9.6p1/log.c
@@ -451,12 +451,14 @@ void
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#if 0
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}
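Review bot: The `#if 0` block in `sshsigdie()` carries no comment explaining why the logging is compiled out, so a later patch refresh could re-enable it without realising the function is reached from a signal handler. The changelog entry on this page describes the removed code as async-signal-unsafe (CVE-2024-6387); that should be stated at the site, e.g. `/* CVE-2024-6387: sshlogv() is not async-signal-safe; do not log from here */` placed above the `#if 0`. With the body disabled every parameter is unused and the fatal log line is no longer emitted, so monitoring that keyed on that message will go quiet and needs another signal. Which message that is depends on callers not shown here.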


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add patch from upstream to fix proxy multiplexing mode:
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
- Add patch from upstream to restore correctly sigprocmask
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
- Add patch from upstream to fix a logic error in
ObscureKeystrokeTiming that rendered this feature ineffective,
allowing a passive observer to detect which network packets
contained real keystrokes (bsc#1227318, CVE-2024-39894):
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
-------------------------------------------------------------------
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add patch to fix a race condition in a signal handler by removing
the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
* fix-CVE-2024-6387.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com> Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
@ -10,7 +30,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
protocol by sending extra messages prior to the commencement of protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages encryption, and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/server immediately after encryption starts. A peer SSH client/server
would not be able to detect that messages were deleted. would not be able to detect that messages were deleted
(bsc#1217950, CVE-2023-48795).
* ssh-agent(1): when adding PKCS#11-hosted private keys while * ssh-agent(1): when adding PKCS#11-hosted private keys while
specifying destination constraints, if the PKCS#11 token returned specifying destination constraints, if the PKCS#11 token returned
multiple keys then only the first key had the constraints applied. multiple keys then only the first key had the constraints applied.
@ -22,7 +43,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
user or hostname via %u, %h or similar expansion token, then user or hostname via %u, %h or similar expansion token, then
an attacker who could supply arbitrary user/hostnames to ssh(1) an attacker who could supply arbitrary user/hostnames to ssh(1)
could potentially perform command injection depending on what could potentially perform command injection depending on what
quoting was present in the user-supplied ssh_config(5) directive. quoting was present in the user-supplied ssh_config(5) directive
(bsc#1218215, CVE-2023-51385).
= Potentially incompatible changes = Potentially incompatible changes
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides


@ -122,6 +122,15 @@ Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
Patch109: fix-CVE-2024-6387.patch
# PATCH-FIX-UPSTREAM
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
# PATCH-FIX-UPSTREAM
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: automake BuildRequires: automake
BuildRequires: groff BuildRequires: groff