diff --git a/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch b/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch new file mode 100644 index 0000000..25a13fe --- /dev/null +++ b/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch @@ -0,0 +1,55 @@ +From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 30 Apr 2024 02:14:10 +0000 +Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll() + reported +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +by Tõivo Leedjärv; ok deraadt@ + +OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686 +--- + clientloop.c | 4 ++-- + serverloop.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/clientloop.c b/clientloop.c +index be8bb5fc1f2..8ea2ada4216 100644 +--- a/clientloop.c ++++ b/clientloop.c +#@@ -1,4 +1,4 @@ +#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */ +#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */ +# /* +# * Author: Tatu Ylonen +# * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, + client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc, + &npfd_active, channel_did_enqueue, &osigset, + &conn_in_ready, &conn_out_ready); +- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1) ++ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1) + error_f("osigset sigprocmask: %s", strerror(errno)); + + if (quit_pending) +diff --git a/serverloop.c b/serverloop.c +index f3683c2e4a6..94c8943a616 100644 +--- a/serverloop.c ++++ b/serverloop.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */ ++/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt) + wait_until_can_do_something(ssh, connection_in, connection_out, + &pfd, &npfd_alloc, &npfd_active, &osigset, + &conn_in_ready, &conn_out_ready); +- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1) ++ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1) + error_f("osigset sigprocmask: %s", strerror(errno)); + + if (received_sigterm) { diff --git a/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch b/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch new file mode 100644 index 0000000..feffd9c --- /dev/null +++ b/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch @@ -0,0 +1,32 @@ +From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 21 Feb 2024 05:57:34 +0000 +Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke + timing + +obfuscation was added. GHPR#463 from montag451 + +OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677 +--- + clientloop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/clientloop.c b/clientloop.c +index eb4902905fb..8ec36af94b3 100644 +--- a/clientloop.c ++++ b/clientloop.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */ ++/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh) + { + int r; + +- if ((ssh->kex->flags & KEX_HAS_PING) == 0) ++ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0) + return 0; + /* XXX probabilistically send chaff? */ + /* diff --git a/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch b/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch new file mode 100644 index 0000000..6229cba --- /dev/null +++ b/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch @@ -0,0 +1,38 @@ +From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 1 Jul 2024 04:31:17 +0000 +Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets, + we + +can't rely on channel_did_enqueue to tell that there is data to send. This +flag indicates that the channels code enqueued a packet on _this_ ppoll() +iteration, not that data was enqueued in _any_ ppoll() iteration in the +timeslice. ok markus@ + +OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136 +--- + clientloop.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/clientloop.c b/clientloop.c +index 0b6f3c9be02..8ed8b1c3449 100644 +--- a/clientloop.c ++++ b/clientloop.c +#@@ -1,4 +1,4 @@ +#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */ +#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */ +# /* +# * Author: Tatu Ylonen +# * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout, + if (timespeccmp(&now, &chaff_until, >=)) { + /* Stop if there have been no keystrokes for a while */ + stop_reason = "chaff time expired"; +- } else if (timespeccmp(&now, &next_interval, >=)) { +- /* Otherwise if we were due to send, then send chaff */ ++ } else if (timespeccmp(&now, &next_interval, >=) && ++ !ssh_packet_have_data_to_write(ssh)) { ++ /* If due to send but have no data, then send chaff */ + if (send_chaff(ssh)) + nchaff++; + } diff --git a/openssh.changes b/openssh.changes index 41fc8ff..db6ea98 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa + +- Add patch from upstream to fix proxy multiplexing mode: + * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch +- Add patch from upstream to restore correctly sigprocmask + * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch +- Add patch from upstream to fix a logic error in + ObscureKeystrokeTiming that rendered this feature ineffective, + allowing a passive observer to detect which network packets + contained real keystrokes (bsc#1227318, CVE-2024-39894): + * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch + +------------------------------------------------------------------- +Wed Jul 3 16:53:53 UTC 2024 - Antonio Larrosa + +- Add obsoletes for openssh-server-config-rootlogin since that + package existed for a brief period of time during SLE 15 SP6/ + Leap 15.6 development but even if it was removed from the + repositories before GM, some users might have it in their + systems from having tried a beta/RC release (boo#1227350). + ------------------------------------------------------------------- Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa @@ -131,7 +153,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what - quoting was present in the user-supplied ssh_config(5) directive. + quoting was present in the user-supplied ssh_config(5) directive + (bsc#1218215, CVE-2023-51385). = Potentially incompatible changes * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides diff --git a/openssh.spec b/openssh.spec index b1171c8..e1f899b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -128,8 +128,14 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch -# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387 +# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387 Patch109: fix-CVE-2024-6387.patch +# PATCH-FIX-UPSTREAM +Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch +# PATCH-FIX-UPSTREAM +Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch +# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894 +Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch %if 0%{with allow_root_password_login_by_default} Patch1000: openssh-7.7p1-allow_root_password_login.patch %endif @@ -204,6 +210,12 @@ Requires(pre): grep Requires(post): %fillup_prereq Requires(post): permissions Provides: openssh:%{_sbindir}/sshd +%if 0%{with allow_root_password_login_by_default} +# For a brief period of time this package existed in SLE/Leap. +# It was removed before GM but some people might have it from +# a beta distribution version (boo#1227350) +Obsoletes: openssh-server-config-rootlogin <= %{version} +%endif %sysusers_requires %description server