Antonio Larrosa
da2c6cc517
* No changes for askpass, see main package changelog for details. - Fix a dbus connection leaked in the logind patch that was missing a sd_bus_unref call (found by Matthias Gerstner): * logind_set_tty.patch - Add a patch that fixes a small memory leak when parsing the subsystem configuration option: * fix-memleak-in-process_server_config_line_depth.patch - Update to openssh 9.8p1: = Security * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387). A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=272
203 lines
7.1 KiB
Diff
203 lines
7.1 KiB
Diff
Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
|
|
Index: openssh-8.9p1/dh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/dh.c
|
|
+++ openssh-8.9p1/dh.c
|
|
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
|
|
|
|
static const char * get_moduli_filename(void)
|
|
{
|
|
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
|
+ struct stat st;
|
|
+
|
|
+ if (moduli_filename)
|
|
+ return moduli_filename;
|
|
+
|
|
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
|
|
+ stat(_PATH_DH_MODULI, &st) == -1) {
|
|
+ return _PATH_VENDOR_DH_MODULI;
|
|
+ }
|
|
+
|
|
+ return _PATH_DH_MODULI;
|
|
}
|
|
|
|
static int
|
|
Index: openssh-8.9p1/pathnames.h
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/pathnames.h
|
|
+++ openssh-8.9p1/pathnames.h
|
|
@@ -18,6 +18,8 @@
|
|
#define SSHDIR ETCDIR "/ssh"
|
|
#endif
|
|
|
|
+#define VENDORDIR "/usr/etc/ssh"
|
|
+
|
|
#ifndef _PATH_SSH_PIDDIR
|
|
#define _PATH_SSH_PIDDIR "/var/run"
|
|
#endif
|
|
@@ -35,13 +37,17 @@
|
|
* should be world-readable.
|
|
*/
|
|
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
|
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
|
|
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
|
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
|
|
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
|
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
|
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
|
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
|
|
+
|
|
|
|
#ifndef _PATH_SSH_PROGRAM
|
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
|
Index: openssh-8.9p1/ssh.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh.c
|
|
+++ openssh-8.9p1/ssh.c
|
|
@@ -549,6 +549,7 @@ static void
|
|
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
|
|
int *want_final_pass)
|
|
{
|
|
+ struct stat st;
|
|
char buf[PATH_MAX];
|
|
int r;
|
|
|
|
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
|
|
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
|
|
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
|
|
|
|
- /* Read systemwide configuration file after user config. */
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
- host, host_name, &options,
|
|
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
|
|
+ /* Read vendor distributed configuration file. */
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
|
|
+ pw, host, host_name, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ } else {
|
|
+ /* Read systemwide configuration file after user config. */
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
|
|
+ host, host_name, &options,
|
|
+ final_pass ? SSHCONF_FINAL : 0,
|
|
+ want_final_pass);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
Index: openssh-8.9p1/ssh_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh_config.5
|
|
+++ openssh-8.9p1/ssh_config.5
|
|
@@ -54,6 +54,9 @@ user's configuration file
|
|
.It
|
|
system-wide configuration file
|
|
.Pq Pa /etc/ssh/ssh_config
|
|
+.It
|
|
+vendor configuration file
|
|
+.Pq Pa /usr/etc/ssh/ssh_config
|
|
.El
|
|
.Pp
|
|
Unless noted otherwise, for each parameter, the first obtained value
|
|
@@ -2220,6 +2223,11 @@ This file provides defaults for those
|
|
values that are not specified in the user's configuration file, and
|
|
for those users who do not have a configuration file.
|
|
This file must be world-readable.
|
|
+.It Pa /usr/etc/ssh/ssh_config
|
|
+Vendor specific configuraiton file.
|
|
+This file provides the vendor defaults and is used as fallback if the
|
|
+.Ic /etc/ssh/ssh_config
|
|
+configuration file does not exist.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1
|
|
Index: openssh-8.9p1/sshd.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd.c
|
|
+++ openssh-8.9p1/sshd.c
|
|
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
|
|
extern char *optarg;
|
|
extern int optind;
|
|
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
|
|
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ char *config_file_name = NULL;
|
|
+ struct stat st;
|
|
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
|
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
|
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
|
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
|
|
/* Fetch our configuration */
|
|
if ((cfg = sshbuf_new()) == NULL)
|
|
fatal("sshbuf_new config failed");
|
|
+ if (config_file_name == NULL) {
|
|
+ /* If only the vendor configuration file exists, use that.
|
|
+ * Else use the standard configuration file.
|
|
+ */
|
|
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
|
|
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
|
|
+ /* fill with global distributor settings */
|
|
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
|
|
+ } else {
|
|
+ /* load global admin settings */
|
|
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
|
|
+ }
|
|
+ load_server_config(config_file_name, cfg);
|
|
- if (strcasecmp(config_file_name, "none") != 0)
|
|
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
|
+ /* load config specified on commandline */
|
|
load_server_config(config_file_name, cfg);
|
|
|
|
parse_server_config(&options, config_file_name, cfg,
|
|
Index: openssh-8.9p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/sshd_config.5
|
|
+++ openssh-8.9p1/sshd_config.5
|
|
@@ -44,7 +44,9 @@
|
|
.Xr sshd 8
|
|
reads configuration data from
|
|
.Pa /etc/ssh/sshd_config
|
|
-(or the file specified with
|
|
+(
|
|
+.Pa /usr/etc/ssh/sshd_config
|
|
+if the file does not exist or the file specified with
|
|
.Fl f
|
|
on the command line).
|
|
The file contains keyword-argument pairs, one per line.
|
|
Index: openssh-8.9p1/ssh-keysign.c
|
|
===================================================================
|
|
--- openssh-8.9p1.orig/ssh-keysign.c
|
|
+++ openssh-8.9p1/ssh-keysign.c
|
|
@@ -186,6 +186,7 @@ main(int argc, char **argv)
|
|
u_char *signature, *data, rver;
|
|
char *host, *fp, *pkalg;
|
|
size_t slen, dlen;
|
|
+ struct stat st;
|
|
|
|
if (pledge("stdio rpath getpw dns id", NULL) != 0)
|
|
fatal("%s: pledge: %s", __progname, strerror(errno));
|
|
@@ -219,8 +220,14 @@ main(int argc, char **argv)
|
|
|
|
/* verify that ssh-keysign is enabled by the admin */
|
|
initialize_options(&options);
|
|
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
|
- &options, 0, NULL);
|
|
+
|
|
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
|
|
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
|
|
+ &options, 0, NULL);
|
|
+ else
|
|
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
|
|
+ &options, 0, NULL);
|
|
+
|
|
(void)fill_default_options(&options);
|
|
if (options.enable_ssh_keysign != 1)
|
|
fatal("ssh-keysign not enabled in %s",
|