From patchwork Fri Dec 29 16:07:45 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 37071
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/4] openssh: fix CVE-2023-51384
Date: Fri, 29 Dec 2023 06:07:45 -1000
Message-Id: <7a745dd1aa13fbf110cc4d86ddbc86617975d6ad.1703865952.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/193060
From: Archana Polampalli In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys. References: https://nvd.nist.gov/vuln/detail/CVE-2023-51384 Upstream patches: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../openssh/openssh/CVE-2023-51384.patch | 171 ++++++++++++++++++ .../openssh/openssh_8.9p1.bb | 1 + 2 files changed, 172 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch new file mode 100644 index 0000000000..ead3256915 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch 
@@ -0,0 +1,171 @@ +From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 18 Dec 2023 14:46:12 +0000 +Subject: [PATCH] upstream: apply destination constraints to all p11 keys + +Previously applied only to the first key returned from each token. + +ok markus@ + +OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d + +CVE: CVE-2023-51384 + +Upstream-Status: Backport +https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b + +Signed-off-by: Archana Polampalli +--- + ssh-agent.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 98 insertions(+), 4 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 19eeaae..4dbb4f3 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -249,6 +249,90 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs) + free(dcs); + } + ++static void ++dup_dest_constraint_hop(const struct dest_constraint_hop *dch, ++ struct dest_constraint_hop *out) ++{ ++ u_int i; ++ int r; ++ ++ out->user = dch->user == NULL ? NULL : xstrdup(dch->user); ++ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); ++ out->is_ca = dch->is_ca; ++ out->nkeys = dch->nkeys; ++ out->keys = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->keys)); ++ out->key_is_ca = out->nkeys == 0 ? 
NULL : ++ xcalloc(out->nkeys, sizeof(*out->key_is_ca)); ++ for (i = 0; i < dch->nkeys; i++) { ++ if (dch->keys[i] != NULL && ++ (r = sshkey_from_private(dch->keys[i], ++ &(out->keys[i]))) != 0) ++ fatal_fr(r, "copy key"); ++ out->key_is_ca[i] = dch->key_is_ca[i]; ++ } ++} ++ ++static struct dest_constraint * ++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) ++{ ++ size_t i; ++ struct dest_constraint *ret; ++ ++ if (ndcs == 0) ++ return NULL; ++ ret = xcalloc(ndcs, sizeof(*ret)); ++ for (i = 0; i < ndcs; i++) { ++ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from); ++ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to); ++ } ++ return ret; ++} ++ ++#ifdef DEBUG_CONSTRAINTS ++static void ++dump_dest_constraint_hop(const struct dest_constraint_hop *dch) ++{ ++ u_int i; ++ char *fp; ++ ++ debug_f("user %s hostname %s is_ca %d nkeys %u", ++ dch->user == NULL ? "(null)" : dch->user, ++ dch->hostname == NULL ? "(null)" : dch->hostname, ++ dch->is_ca, dch->nkeys); ++ for (i = 0; i < dch->nkeys; i++) { ++ fp = NULL; ++ if (dch->keys[i] != NULL && ++ (fp = sshkey_fingerprint(dch->keys[i], ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, ++ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]), ++ dch->keys[i] == NULL ? "" : " ", ++ dch->keys[i] == NULL ? 
"none" : fp, ++ dch->key_is_ca[i]); ++ free(fp); ++ } ++} ++#endif /* DEBUG_CONSTRAINTS */ ++ ++static void ++dump_dest_constraints(const char *context, ++ const struct dest_constraint *dcs, size_t ndcs) ++{ ++#ifdef DEBUG_CONSTRAINTS ++ size_t i; ++ ++ debug_f("%s: %zu constraints", context, ndcs); ++ for (i = 0; i < ndcs; i++) { ++ debug_f("constraint %zu / %zu: from: ", i, ndcs); ++ dump_dest_constraint_hop(&dcs[i].from); ++ debug_f("constraint %zu / %zu: to: ", i, ndcs); ++ dump_dest_constraint_hop(&dcs[i].to); ++ } ++ debug_f("done for %s", context); ++#endif /* DEBUG_CONSTRAINTS */ ++} + static void + free_identity(Identity *id) + { +@@ -520,13 +604,22 @@ process_request_identities(SocketEntry *e) + Identity *id; + struct sshbuf *msg, *keys; + int r; +- u_int nentries = 0; ++ u_int i = 0, nentries = 0; ++ char *fp; + + debug2_f("entering"); + + if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + TAILQ_FOREACH(id, &idtab->idlist, next) { ++ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u / %u: %s %s", i++, idtab->nentries, ++ sshkey_ssh_name(id->key), fp); ++ dump_dest_constraints(__func__, ++ id->dest_constraints, id->ndest_constraints); ++ free(fp); + /* identity not visible, don't include in response */ + if (identity_permitted(id, e, NULL, NULL, NULL) != 0) + continue; +@@ -1235,6 +1328,7 @@ process_add_identity(SocketEntry *e) + sshbuf_reset(e->request); + goto out; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + + if (sk_provider != NULL) { + if (!sshkey_is_sk(k)) { +@@ -1414,6 +1508,7 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + 
"providers is disabled", provider); +@@ -1449,10 +1544,9 @@ process_add_smartcard_key(SocketEntry *e) + } + id->death = death; + id->confirm = confirm; +- id->dest_constraints = dest_constraints; ++ id->dest_constraints = dup_dest_constraints( ++ dest_constraints, ndest_constraints); + id->ndest_constraints = ndest_constraints; +- dest_constraints = NULL; /* transferred */ +- ndest_constraints = 0; + TAILQ_INSERT_TAIL(&idtab->idlist, id, next); + idtab->nentries++; + success = 1; +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index 7ad9bced1b..3860899540 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2023-38408-0004.patch \ file://fix-authorized-principals-command.patch \ file://CVE-2023-48795.patch \ + file://CVE-2023-51384.patch \ " SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
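Review bot: The caller's dest_constraints array is no longer handed off in the last ssh-agent.c hunk (process_add_smartcard_key), so it has to be released on the way out of the function. Each identity now gets its own copy from dup_dest_constraints() and the "dest_constraints = NULL; /* transferred */" reset is gone, but the exit path is outside the visible context. Please confirm that it still calls free_dest_constraints(dest_constraints, ndest_constraints) for kirkstone's 8.9p1, otherwise every PKCS#11 add leaks the parsed array.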
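Review bot: The fingerprint and debug_f() lines added at the top of the TAILQ_FOREACH loop in process_request_identities run before the identity_permitted() check, so keys that are deliberately hidden from the requesting socket still have their type and fingerprint written to the debug log. They also call sshkey_fingerprint() for every identity on every request, even though dump_dest_constraints() has an empty body unless DEBUG_CONSTRAINTS is defined. Suggest moving the block below the "continue" or wrapping it in #ifdef DEBUG_CONSTRAINTS, and noting in the patch header if the backport intentionally keeps upstream's placement.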
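Review bot: The Upstream-Status tag in the header of CVE-2023-51384.patch is formatted differently from the other patch in this series: here the commit URL is a bare line after "Upstream-Status: Backport", while CVE-2023-51385.patch wraps it in square brackets. Please use one form in both, preferably "Upstream-Status: Backport [URL]" on a single line so the tag and its reference stay together.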
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/4] openssh: fix CVE-2023-51385 Date: Fri, 29 Dec 2023 06:07:46 -1000 Message-Id: <617640bd045f07b0870dc9f3bc838b3a9fbc3de7.1703865952.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 29 Dec 2023 16:08:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/193061 From: Archana Polampalli In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. References: https://nvd.nist.gov/vuln/detail/CVE-2023-51385 Upstream patches: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../openssh/openssh/CVE-2023-51385.patch | 97 +++++++++++++++++++ .../openssh/openssh_8.9p1.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch new file mode 100644 index 0000000000..b8e6813857 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch 
@@ -0,0 +1,97 @@ +From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 18 Dec 2023 14:47:44 +0000 +Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters + This makes ssh(1) refuse user or host names provided on the commandline that + contain most shell metacharacters. + +Some programs that invoke ssh(1) using untrusted data do not filter +metacharacters in arguments they supply. This could create +interactions with user-specified ProxyCommand and other directives +that allow shell injection attacks to occur. + +It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, +but getting this stuff right can be tricky, so this should prevent +most obvious ways of creating risky situations. It however is not +and cannot be perfect: ssh(1) has no practical way of interpreting +what shell quoting rules are in use and how they interact with the +user's specified ProxyCommand. + +To allow configurations that use strange user or hostnames to +continue to work, this strictness is applied only to names coming +from the commandline. Names specified using User or Hostname +directives in ssh_config(5) are not affected. 
+ +feedback/ok millert@ markus@ dtucker@ deraadt@ + +OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 + +CVE: CVE-2023-51385 + +Upstream-Status: Backport +[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a] + +Signed-off-by: Archana Polampalli +--- + ssh.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/ssh.c b/ssh.c +index 8ff9788..82ed15f 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -611,6 +611,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) + free(cinfo); + } + ++static int ++valid_hostname(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || ++ isspace((u_char)s[i]) || iscntrl((u_char)s[i])) ++ return 0; ++ } ++ return 1; ++} ++ ++static int ++valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\";&<>|(){}", s[i]) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)s[i]) && s[i + 1] == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (s[i] == '\\' && s[i + 1] == '\0') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Main program for the ssh client. + */ +@@ -1097,6 +1132,10 @@ main(int ac, char **av) + if (!host) + usage(); + ++ if (!valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ if (options.user != NULL && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); + host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index 3860899540..bc8e2d81b8 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-authorized-principals-command.patch \ file://CVE-2023-48795.patch \ file://CVE-2023-51384.patch \ + file://CVE-2023-51385.patch \ " SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
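Review bot: valid_ruser() in the first ssh.c hunk is noticeably laxer than valid_hostname() and nothing in the code says why. It accepts "$", a backslash anywhere but the last position, whitespace (unless followed by "-") and control characters, all of which valid_hostname() rejects. A short comment above valid_ruser() stating which of these are allowed on purpose would keep a later reader from assuming a checked user name is safe to hand to a shell, which the commit message itself says it is not. Both functions also use isspace() and iscntrl(), and the hunk adds no include, so please check that ssh.c in 8.9p1 already pulls in <ctype.h>.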
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/4] elfutils: Disable stringop-overflow warning for build host Date: Fri, 29 Dec 2023 06:07:47 -1000 Message-Id: <94d1640d374c9a8827957cba8dbc1c1f978701b5.1703865952.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 29 Dec 2023 16:08:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/193062 From: Khem Raj Some distributions shipping gcc12 end up with stringop-overflow warnings e.g. /usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ specified size between 9223372036854775813 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=] 74 | return __glibc_fortify (pread, __nbytes, sizeof (char), | ^~~~~~~~~~~~~~~ Until fixed, lets not treat this warning as hard error MJ: this is needed e.g. on ubuntu 24.04 after gcc was upgraded from 13.2.0-8ubuntu1 to 13.2.0-9ubuntu1 which includes switch _FORTIFY_SOURCE to 3: https://changelogs.ubuntu.com/changelogs/pool/main/g/gcc-13/gcc-13_13.2.0-9ubuntu1/changelog elfutils config.log then shows: configure:6762: checking whether to add -D_FORTIFY_SOURCE=2 to CFLAGS configure:6779: gcc -c -D_FORTIFY_SOURCE=2 -isystem/work/x86_64-linux/elfutils-native/0.186-r0/recipe-sysroot-native/usr/include -O2 -pipe -Werror -isystem/work/x86_64-linux/elfutils-native/0.186-r0/recipe-sysroot-native/usr/include conftest.c >&5 : error: "_FORTIFY_SOURCE" redefined [-Werror] : note: this is the location of the previous definition cc1: all warnings being treated as errors configure:6786: result: no and -D_FORTIFY_SOURCE=2 missing in CFLAGS later causes the above error in do_compile Signed-off-by: Khem Raj Signed-off-by: Richard Purdie Signed-off-by: Martin Jansa 
Signed-off-by: Steve Sakoman --- meta/recipes-devtools/elfutils/elfutils_0.186.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/elfutils/elfutils_0.186.bb b/meta/recipes-devtools/elfutils/elfutils_0.186.bb index 46ee40cce6..d742a2e14e 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.186.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.186.bb 
@@ -35,6 +35,8 @@ PTEST_ENABLED:libc-musl = "0" EXTRA_OECONF = "--program-prefix=eu-" +BUILD_CFLAGS += "-Wno-error=stringop-overflow" + DEPENDS_BZIP2 = "bzip2-replacement-native" DEPENDS_BZIP2:class-target = "bzip2"
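Review bot: The new BUILD_CFLAGS line in elfutils_0.186.bb has no comment, although the commit message describes it as a stopgap ("Until fixed") and traces the failure to configure's -D_FORTIFY_SOURCE=2 probe being rejected as a redefinition. Please add a one-line comment above it naming that trigger, so the flag can be found and dropped later. The setting only stops the stringop-overflow warning from being fatal on the build host; the configure probe still reports "no", which is worth saying in the comment as well.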
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/4] testimage: drop target_dumper, host_dumper, and monitor_dumper Date: Fri, 29 Dec 2023 06:07:48 -1000 Message-Id: <960e7e3dffa22c2142cb672c68cd9a8f0e3998a3.1703865952.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 29 Dec 2023 16:08:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/193063 The target_dumper code is basically broken. It has been reading binary files over the text base serial communication and runs at every command failure which makes no sense. Each run might overwrite files from the previous run and the output appears corrupted due to confusion from the binary data. It isn't possible to cherry-pick "testimage: Drop target_dumper and most of monitor_dumper" from master, so just make target_dumper, host_dumper, and monitor_dumper empty functions. For further details see: https://lists.openembedded.org/g/openembedded-architecture/message/1888 Signed-off-by: Steve Sakoman --- meta/classes/testimage.bbclass | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass index 6864eeed2f..0241f29dfb 100644 --- a/meta/classes/testimage.bbclass +++ b/meta/classes/testimage.bbclass 
@@ -101,36 +101,12 @@ TESTIMAGE_DUMP_DIR ?= "${LOG_DIR}/runtime-hostdump/" TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR" testimage_dump_target () { - top -bn1 - ps - free - df - # The next command will export the default gateway IP - export DEFAULT_GATEWAY=$(ip route | awk '/default/ { print $3}') - ping -c3 $DEFAULT_GATEWAY - dmesg - netstat -an - ip address - # Next command will dump logs from /var/log/ - find /var/log/ -type f -name !wtmp* 2>/dev/null -exec echo "====================" \; -exec echo {} \; -exec echo "====================" \; -exec cat {} \; -exec echo "" \; } testimage_dump_host () { - top -bn1 - iostat -x -z -N -d -p ALL 20 2 - ps -ef - free - df - memstat - dmesg - ip -s link - netstat -an } testimage_dump_monitor () { - query-status - query-block - dump-guest-memory {"paging":false,"protocol":"file:%s.img"} } python do_testimage() {
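Review bot: testimage_dump_target, testimage_dump_host and testimage_dump_monitor are left as "name () { }" with nothing between the braces, and an empty brace group is a syntax error in POSIX sh. If any of them is ever emitted into a shell script rather than only read as a variable, that script will fail to parse. A ":" placeholder in each body, plus a one-line comment that the dumpers are intentionally empty on kirkstone, would be safer. The context line still defines TESTIMAGE_DUMP_DIR; please state in the commit message whether anything continues to use it.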