Ana Guerrero 2024-07-08 17:06:54 +00:00 committed by Git OBS Bridge
commit d5d292d413
5 changed files with 162 additions and 2 deletions

View File

@ -0,0 +1,55 @@
From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 30 Apr 2024 02:14:10 +0000
Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
reported
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
by Tõivo Leedjärv; ok deraadt@
OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
---
clientloop.c | 4 ++--
serverloop.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index be8bb5fc1f2..8ea2ada4216 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
&npfd_active, channel_did_enqueue, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (quit_pending)
diff --git a/serverloop.c b/serverloop.c
index f3683c2e4a6..94c8943a616 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
wait_until_can_do_something(ssh, connection_in, connection_out,
&pfd, &npfd_alloc, &npfd_active, &osigset,
&conn_in_ready, &conn_out_ready);
- if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
+ if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (received_sigterm) {

View File

@ -0,0 +1,32 @@
From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 21 Feb 2024 05:57:34 +0000
Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
timing
obfuscation was added. GHPR#463 from montag451
OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
---
clientloop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index eb4902905fb..8ec36af94b3 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
{
int r;
- if ((ssh->kex->flags & KEX_HAS_PING) == 0)
+ if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
return 0;
/* XXX probabilistically send chaff? */
/*

View File

@ -0,0 +1,38 @@
From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 1 Jul 2024 04:31:17 +0000
Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
---
clientloop.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 0b6f3c9be02..8ed8b1c3449 100644
--- a/clientloop.c
+++ b/clientloop.c
#@@ -1,4 +1,4 @@
#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
# /*
# * Author: Tatu Ylonen <ylo@cs.hut.fi>
# * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
- } else if (timespeccmp(&now, &next_interval, >=)) {
- /* Otherwise if we were due to send, then send chaff */
+ } else if (timespeccmp(&now, &next_interval, >=) &&
+ !ssh_packet_have_data_to_write(ssh)) {
+ /* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}

View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Fri Jul 5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add patch from upstream to fix proxy multiplexing mode:
* 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
- Add patch from upstream to restore correctly sigprocmask
* 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
- Add patch from upstream to fix a logic error in
ObscureKeystrokeTiming that rendered this feature ineffective,
allowing a passive observer to detect which network packets
contained real keystrokes (bsc#1227318, CVE-2024-39894):
* 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
-------------------------------------------------------------------
Wed Jul 3 16:53:53 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add obsoletes for openssh-server-config-rootlogin since that
package existed for a brief period of time during SLE 15 SP6/
Leap 15.6 development but even if it was removed from the
repositories before GM, some users might have it in their
systems from having tried a beta/RC release (boo#1227350).
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
@ -131,7 +153,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
user or hostname via %u, %h or similar expansion token, then user or hostname via %u, %h or similar expansion token, then
an attacker who could supply arbitrary user/hostnames to ssh(1) an attacker who could supply arbitrary user/hostnames to ssh(1)
could potentially perform command injection depending on what could potentially perform command injection depending on what
quoting was present in the user-supplied ssh_config(5) directive. quoting was present in the user-supplied ssh_config(5) directive
(bsc#1218215, CVE-2023-51385).
= Potentially incompatible changes = Potentially incompatible changes
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides

View File

@ -128,8 +128,14 @@ Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
Patch107: openssh-9.6p1-crypto-policies.patch Patch107: openssh-9.6p1-crypto-policies.patch
Patch108: openssh-9.6p1-crypto-policies-man.patch Patch108: openssh-9.6p1-crypto-policies-man.patch
# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387 # PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
Patch109: fix-CVE-2024-6387.patch Patch109: fix-CVE-2024-6387.patch
# PATCH-FIX-UPSTREAM
Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
# PATCH-FIX-UPSTREAM
Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
%if 0%{with allow_root_password_login_by_default} %if 0%{with allow_root_password_login_by_default}
Patch1000: openssh-7.7p1-allow_root_password_login.patch Patch1000: openssh-7.7p1-allow_root_password_login.patch
%endif %endif
@ -204,6 +210,12 @@ Requires(pre): grep
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): permissions Requires(post): permissions
Provides: openssh:%{_sbindir}/sshd Provides: openssh:%{_sbindir}/sshd
%if 0%{with allow_root_password_login_by_default}
# For a brief period of time this package existed in SLE/Leap.
# It was removed before GM but some people might have it from
# a beta distribution version (boo#1227350)
Obsoletes: openssh-server-config-rootlogin <= %{version}
%endif
%sysusers_requires %sysusers_requires
%description server %description server