- Add patch to fix a race condition in a signal handler by removing
  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
  * fix-CVE-2024-6387.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=269
Antonio Larrosa 2024-07-01 11:50:15 +00:00 committed by Git OBS Bridge
parent b4dab4a6f7
commit 0aa4b1876f
3 changed files with 28 additions and 0 deletions

fix-CVE-2024-6387.patch Normal file

@ -0,0 +1,19 @@
Index: openssh-9.6p1/log.c
===================================================================
--- openssh-9.6p1.orig/log.c
+++ openssh-9.6p1/log.c
@@ -451,12 +451,14 @@ void
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#if 0
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}
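Review bot: With everything between `#if 0` and `#endif` compiled out, sshsigdie() now goes straight to `_exit(1)` and the fatal message that sshlogv() used to write is no longer emitted, yet nothing in the patch records why. Add a comment above the `#if 0` saying that sshlogv() is not async-signal-safe and must not be called on this path (CVE-2024-6387, bsc#1226642), so a later patch refresh does not quietly re-enable it. The patch header should also state that the log line is dropped, since any monitoring that keyed on it will go silent. The parameters file, func, line, showfunc, level, suffix and fmt are all unused after this change, which may produce unused-parameter warnings depending on the build flags.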


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add patch to fix a race condition in a signal handler by removing
the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
* fix-CVE-2024-6387.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>


@ -128,6 +128,8 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch Patch108: openssh-9.6p1-crypto-policies-man.patch
# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
Patch109: fix-CVE-2024-6387.patch
%if 0%{with allow_root_password_login_by_default} %if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif %endif
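Review bot: `Patch109: fix-CVE-2024-6387.patch` is declared here, but this hunk adds no matching apply step, and the commit's addition count leaves no room for one elsewhere in the spec. Please confirm that the prep section applies all declared patches automatically and at the strip level that fits the `openssh-9.6p1.orig/log.c` and `openssh-9.6p1/log.c` paths used in the patch, otherwise the fix is packaged but never applied. It would also help to extend the comment on the line above with a word on what the patch does (disables logging in sshsigdie), so the reason is visible without opening the patch file.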