diff --git a/openssh-7.2p2-secure_unix_sockets_forwarding.patch b/openssh-7.2p2-secure_unix_sockets_forwarding.patch index ea7dad2..f24b928 100644 --- a/openssh-7.2p2-secure_unix_sockets_forwarding.patch +++ b/openssh-7.2p2-secure_unix_sockets_forwarding.patch @@ -1,17 +1,35 @@ # HG changeset patch -# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa +# Parent 49d9204835f069a6b628e7bf4ed53baf81f8bf91 Do not allow unix socket when running without privilege separation to prevent privilege escalation through a socket created with root: ownership. CVE-2016-10010 bsc#1016368 +bsc#1051559 -backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4 +backported upstream commits +b737e4d7433577403a31cff6614f6a1b0b5e22f4 +51045869fa084cdd016fdd721ea760417c0a3bf3 diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c --- a/openssh-7.2p2/serverloop.c +++ b/openssh-7.2p2/serverloop.c -@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void) +@@ -979,28 +979,32 @@ server_request_direct_tcpip(void) + } + + static Channel * + server_request_direct_streamlocal(void) + { + Channel *c = NULL; + char *target, *originator; + u_short originator_port; ++ struct passwd *pw = the_authctxt->pw; ++ ++ if (pw == NULL || !the_authctxt->valid) ++ fatal("server_input_global_request: no/invalid user"); + + target = packet_get_string(NULL); + originator = packet_get_string(NULL); originator_port = packet_get_int(); packet_check_eom(); @@ -21,7 +39,7 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c /* XXX fine grained permissions */ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && - !no_port_forwarding_flag) { -+ !no_port_forwarding_flag && use_privsep) { ++ !no_port_forwarding_flag && (pw->pw_uid == 0 || use_privsep)) { c = channel_connect_to_path(target, "direct-streamlocal@openssh.com", "direct-streamlocal"); } else { @@ -30,7 +48,41 @@ 
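Review bot: The fatal() inserted into server_request_direct_streamlocal names the wrong function: its message reads `server_input_global_request: no/invalid user`, copied from the tcpip-forward check, so a log line from this path would point whoever is reading it at the wrong code. Prefer `fatal("%s: no/invalid user", __func__);` so the text follows the function it lives in. The guard itself is placed correctly, before the two packet_get_string() calls, so nothing is leaked on the error path; the body of server_request_direct_streamlocal continues past the end of this hunk.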
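Review bot: The new test `(pw->pw_uid == 0 || use_privsep)` is a policy decision with no comment saying why uid 0 is exempt from the privsep requirement; the rationale (without privilege separation the socket is created root-owned, which cannot escalate a session that already is root) lives only in the patch header. A one-line comment above the `if`, e.g. `/* without privsep the socket is root-owned, so only root may use it (CVE-2016-10010) */`, would keep that reasoning next to the check. The same applies to the mirrored condition `(pw->pw_uid != 0 && !use_privsep)` in the streamlocal-forward@openssh.com hunk (`@@ -40,12 +92,16 @@`). The dereference of pw here depends on the NULL/valid guard added near the top of the same function, outside this hunk.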
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c originator, originator_port, target); } -@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_ +@@ -1212,29 +1216,29 @@ server_input_hostkeys_prove(struct sshbu + + static int + server_input_global_request(int type, u_int32_t seq, void *ctxt) + { + char *rtype; + int want_reply; + int r, success = 0, allocated_listen_port = 0; + struct sshbuf *resp = NULL; ++ struct passwd *pw = the_authctxt->pw; ++ ++ if (pw == NULL || !the_authctxt->valid) ++ fatal("server_input_global_request: no/invalid user"); + + rtype = packet_get_string(NULL); + want_reply = packet_get_char(); + debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply); + + /* -R style forwarding */ + if (strcmp(rtype, "tcpip-forward") == 0) { +- struct passwd *pw; + struct Forward fwd; + +- pw = the_authctxt->pw; +- if (pw == NULL || !the_authctxt->valid) +- fatal("server_input_global_request: no/invalid user"); + memset(&fwd, 0, sizeof(fwd)); + fwd.listen_host = packet_get_string(NULL); + fwd.listen_port = (u_short)packet_get_int(); + debug("server_input_global_request: tcpip-forward listen %s port %d", + fwd.listen_host, fwd.listen_port); + + /* check permissions */ + if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || +@@ -1274,19 +1278,20 @@ server_input_global_request(int type, u_ memset(&fwd, 0, sizeof(fwd)); fwd.listen_path = packet_get_string(NULL); @@ -40,12 +92,16 @@ 
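Review bot: Hoisting `if (pw == NULL || !the_authctxt->valid)` to the top of server_input_global_request makes every global request type fatal without a valid user, where previously only tcpip-forward was; that is presumably safe because these requests are only dispatched after authentication, but nothing in the hunk states it. A comment on the new `struct passwd *pw = the_authctxt->pw;` line such as `/* global requests are post-auth only: refuse any rtype without a valid user */` would make the wider scope of the fatal read as intentional rather than a side effect of sharing pw with the streamlocal branch. The function's body continues beyond this hunk.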
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c /* check permissions */ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 - || no_port_forwarding_flag) { -+ || no_port_forwarding_flag || !use_privsep) { ++ || no_port_forwarding_flag || (pw->pw_uid != 0 && !use_privsep)) { success = 0; - packet_send_debug("Server has disabled port forwarding."); +- packet_send_debug("Server has disabled port forwarding."); ++ packet_send_debug("Server has disabled " ++ "streamlocal forwarding."); } else { /* Start listening on the socket */ success = channel_setup_remote_fwd_listener( &fwd, NULL, &options.fwd_opts); } free(fwd.listen_path); + } else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) { + struct Forward fwd; diff --git a/openssh-7.2p2-tcpwrappers.patch b/openssh-7.2p2-tcpwrappers.patch index c9518d9..9ffa2b9 100644 --- a/openssh-7.2p2-tcpwrappers.patch +++ b/openssh-7.2p2-tcpwrappers.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 1ba8782c9cf18b104779c751839f3a2575c87954 +# Parent 9e5f1fd5b5e2c3d8416cb2e2e539f43d8f1f173b Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it run-time switchable through the new UseTCPWrappers option for sshd. @@ -79,7 +79,7 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac if test "x$withval" != "xno" ; then if test "x$withval" != "xyes" ; then -@@ -5135,16 +5191,17 @@ echo " sshd superuser user PATH +@@ -5159,16 +5215,17 @@ echo " sshd superuser user PATH fi echo " Manpage format: $MANTYPE" echo " PAM support: $PAM_MSG" @@ -94,9 +94,9 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac echo " Solaris process contract support: $SPC_MSG" echo " Solaris project support: $SP_MSG" echo " Solaris privilege support: $SPP_MSG" + echo " systemd support: $SYSTEMD_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" 
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c --- a/openssh-7.2p2/servconf.c +++ b/openssh-7.2p2/servconf.c @@ -281,7 +281,7 @@ diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8 diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c --- a/openssh-7.2p2/sshd.c +++ b/openssh-7.2p2/sshd.c -@@ -128,16 +128,23 @@ +@@ -132,16 +132,23 @@ #include "ssherr.h" #include "fips.h" @@ -305,7 +305,7 @@ diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) -@@ -2285,16 +2292,37 @@ main(int ac, char **av) +@@ -2298,16 +2305,37 @@ main(int ac, char **av) * the socket goes away. */ remote_ip = get_remote_ipaddr(); diff --git a/openssh.changes b/openssh.changes index 1156fe8..80f975b 100644 --- a/openssh.changes +++ b/openssh.changes @@ -16,7 +16,9 @@ Fri Dec 1 13:18:24 UTC 2017 - pcerny@suse.com to 7.2p2. TCP wrappers support will be dripped with the next version upgrade. [openssh-7.2p2-tcpwrappers.patch] -- fix regression of (bsc#823710) +- fix regression in UNIX domain socket forwarding introduced + by the fix for CVE-2016-10010 (bsc#1051559) +- fix bug in auditing code (bsc#823710) [openssh-7.2p2-audit_fixes.patch] - new switch for printing diagnostic messages in sftp client's batch mode (bsc#1023275) diff --git a/openssh.spec b/openssh.spec index 9d92786..e4d9364 100644 --- a/openssh.spec +++ b/openssh.spec @@ -86,6 +86,7 @@ BuildRequires: openldap2-devel BuildRequires: pam-devel %if %{uses_systemd} BuildRequires: pkgconfig(systemd) +BuildRequires: systemd-devel %{?systemd_requires} %endif BuildRequires: tcpd-devel 
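Review bot: `BuildRequires: systemd-devel` is added directly under `BuildRequires: pkgconfig(systemd)`, and on the usual SUSE packaging the pkgconfig() capability is provided by systemd-devel itself, so the two lines look redundant; worth confirming before keeping both. Neither the new build dependency nor the systemd support it enables is recorded in the openssh.changes hunk of this commit, which only mentions the streamlocal regression fix and the audit fix.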
@@ -164,7 +165,8 @@ Patch48: openssh-7.2p2-s390_hw_crypto_syscalls.patch Patch49: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch Patch50: openssh-7.2p2-sftp_print_diagnostic_messages.patch Patch51: openssh-7.2p2-stricter_readonly_sftp.patch -Patch52: openssh-7.2p2-tcpwrappers.patch +Patch52: openssh-7.2p2-systemd-notify.patch +Patch53: openssh-7.2p2-tcpwrappers.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Conflicts: nonfreessh Recommends: audit @@ -268,6 +270,7 @@ FIPS140 CAVS tests related parts of the OpenSSH package %patch50 -p2 %patch51 -p2 %patch52 -p2 +%patch53 -p2 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . %build @@ -300,6 +303,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS %endif %if %{uses_systemd} --with-pid-dir=/run \ + --with-systemd \ %endif --with-ssl-engine \ --with-pam \
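Review bot: Patch52 now points at openssh-7.2p2-systemd-notify.patch and `%patch53 -p2` applies the renumbered tcpwrappers patch, but no `diff --git` for openssh-7.2p2-systemd-notify.patch appears anywhere in this diff (the file list goes straight from the secure_unix_sockets patch to the tcpwrappers patch), so %prep would fail unless that file arrives in a separate commit. If it is meant to land here, the new patch file belongs in this change alongside the `--with-systemd` configure switch, and an openssh.changes entry describing the systemd notify support would be expected. I may be seeing only part of the diff, so treat the missing file as something to verify rather than a certainty.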