
[dunfell] openssh: Fix CVE-2023-38408

Message ID 20230822015557.1791146-1-virendrak@kpit.com
State Accepted, archived

Commit Message

virendra thakur Aug. 22, 2023, 1:55 a.m. UTC
From: Virendra Thakur <virendrak@kpit.com>

Add patches to fix CVE-2023-38408

Upstream-Status: Backport [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 .../openssh/openssh/CVE-2023-38408-1.patch    |  31 ++++
 .../openssh/openssh/CVE-2023-38408-3.patch    | 161 ++++++++++++++++++
 .../openssh/openssh_8.2p1.bb                  |   2 +
 3 files changed, 194 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch

Comments

Steve Sakoman Aug. 22, 2023, 4:32 p.m. UTC | #1
On Mon, Aug 21, 2023 at 3:56 PM virendra thakur
<thakur.virendra1810@gmail.com> wrote:
>
> From: Virendra Thakur <virendrak@kpit.com>
>
> Add patch to fix CVE-2023-38408
>
> Upstream-Status: Backport [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]

launchpadlibrarian.net is not upstream for openssh!

Please send a v2 that references the actual upstream commits.

Thanks,

Steve

>
> Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> ---
>  .../openssh/openssh/CVE-2023-38408-1.patch    |  31 ++++
>  .../openssh/openssh/CVE-2023-38408-3.patch    | 161 ++++++++++++++++++
>  .../openssh/openssh_8.2p1.bb                  |   2 +
>  3 files changed, 194 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
> new file mode 100644
> index 0000000000..3d7c7bd357
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
> @@ -0,0 +1,31 @@
> +From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Wed, 19 Jul 2023 13:55:53 +0000
> +Subject: [PATCH] upstream: terminate process if requested to load a PKCS#11
> + provider
> +
> +that isn't a PKCS#11 provider; from / ok markus@
> +
> +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
> +CVE: CVE-2023-38408
> +Upstream-Status: Backport [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> + ssh-pkcs11.c | 8 +++-----
> + 1 file changed, 3 insertions(+), 5 deletions(-)
> +
> +--- a/ssh-pkcs11.c
> ++++ b/ssh-pkcs11.c
> +@@ -1504,10 +1504,8 @@ pkcs11_register_provider(char *provider_
> +               error("dlopen %s failed: %s", provider_id, dlerror());
> +               goto fail;
> +       }
> +-      if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
> +-              error("dlsym(C_GetFunctionList) failed: %s", dlerror());
> +-              goto fail;
> +-      }
> ++      if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
> ++              fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
> +       p = xcalloc(1, sizeof(*p));
> +       p->name = xstrdup(provider_id);
> +       p->handle = handle;
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
> new file mode 100644
> index 0000000000..6a94b8715c
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
> @@ -0,0 +1,161 @@
> +Backport of:
> +
> +From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Wed, 19 Jul 2023 14:02:27 +0000
> +Subject: [PATCH] upstream: Ensure FIDO/PKCS11 libraries contain expected
> + symbols
> +
> +This checks via nlist(3) that candidate provider libraries contain one
> +of the symbols that we will require prior to dlopen(), which can cause
> +a number of side effects, including execution of constructors.
> +
> +Feedback deraadt; ok markus
> +
> +OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
> +CVE: CVE-2023-38408
> +Upstream-Status: Backport [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> + misc.c       | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++-
> + misc.h       |  3 +-
> + ssh-pkcs11.c |  6 +++-
> + ssh-sk.c     |  8 ++++--
> + 4 files changed, 89 insertions(+), 6 deletions(-)
> +
> +--- a/misc.c
> ++++ b/misc.c
> +@@ -28,6 +28,7 @@
> +
> + #include <sys/types.h>
> + #include <sys/ioctl.h>
> ++#include <sys/mman.h>
> + #include <sys/socket.h>
> + #include <sys/stat.h>
> + #include <sys/time.h>
> +@@ -41,6 +42,9 @@
> + #ifdef HAVE_POLL_H
> + #include <poll.h>
> + #endif
> ++#ifdef HAVE_NLIST_H
> ++#include <nlist.h>
> ++#endif
> + #include <signal.h>
> + #include <stdarg.h>
> + #include <stdio.h>
> +@@ -2314,3 +2318,75 @@ ssh_signal(int signum, sshsig_t handler)
> +       }
> +       return osa.sa_handler;
> + }
> ++
> ++/*
> ++ * Returns zero if the library at 'path' contains symbol 's', nonzero
> ++ * otherwise.
> ++ */
> ++int
> ++lib_contains_symbol(const char *path, const char *s)
> ++{
> ++#ifdef HAVE_NLIST_H
> ++      struct nlist nl[2];
> ++      int ret = -1, r;
> ++
> ++      memset(nl, 0, sizeof(nl));
> ++      nl[0].n_name = xstrdup(s);
> ++      nl[1].n_name = NULL;
> ++      if ((r = nlist(path, nl)) == -1) {
> ++              error("nlist failed for %s", path);
> ++              goto out;
> ++      }
> ++      if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
> ++              error("library %s does not contain symbol %s", path, s);
> ++              goto out;
> ++      }
> ++      /* success */
> ++      ret = 0;
> ++ out:
> ++      free(nl[0].n_name);
> ++      return ret;
> ++#else /* HAVE_NLIST_H */
> ++      int fd, ret = -1;
> ++      struct stat st;
> ++      void *m = NULL;
> ++      size_t sz = 0;
> ++
> ++      memset(&st, 0, sizeof(st));
> ++      if ((fd = open(path, O_RDONLY)) < 0) {
> ++              error("open %s: %s", path, strerror(errno));
> ++              return -1;
> ++      }
> ++      if (fstat(fd, &st) != 0) {
> ++              error("fstat %s: %s", path, strerror(errno));
> ++              goto out;
> ++      }
> ++      if (!S_ISREG(st.st_mode)) {
> ++              error("%s is not a regular file", path);
> ++              goto out;
> ++      }
> ++      if (st.st_size < 0 ||
> ++          (size_t)st.st_size < strlen(s) ||
> ++          st.st_size >= INT_MAX/2) {
> ++              error("%s bad size %lld", path, (long long)st.st_size);
> ++              goto out;
> ++      }
> ++      sz = (size_t)st.st_size;
> ++      if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
> ++          m == NULL) {
> ++              error("mmap %s: %s", path, strerror(errno));
> ++              goto out;
> ++      }
> ++      if (memmem(m, sz, s, strlen(s)) == NULL) {
> ++              error("%s does not contain expected string %s", path, s);
> ++              goto out;
> ++      }
> ++      /* success */
> ++      ret = 0;
> ++ out:
> ++      if (m != NULL && m != MAP_FAILED)
> ++              munmap(m, sz);
> ++      close(fd);
> ++      return ret;
> ++#endif /* HAVE_NLIST_H */
> ++}
> +--- a/misc.h
> ++++ b/misc.h
> +@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *
> + int    parse_absolute_time(const char *, uint64_t *);
> + void   format_absolute_time(uint64_t, char *, size_t);
> + int    path_absolute(const char *);
> ++int    lib_contains_symbol(const char *, const char *);
> +
> + void   sock_set_v6only(int);
> +
> +--- a/ssh-pkcs11.c
> ++++ b/ssh-pkcs11.c
> +@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_
> +                   __func__, provider_id);
> +               goto fail;
> +       }
> ++      if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
> ++              error("provider %s is not a PKCS11 library", provider_id);
> ++              goto fail;
> ++      }
> +       /* open shared pkcs11-library */
> +       if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
> +               error("dlopen %s failed: %s", provider_id, dlerror());
> +--- a/ssh-sk.c
> ++++ b/ssh-sk.c
> +@@ -119,10 +119,12 @@ sshsk_open(const char *path)
> + #endif
> +               return ret;
> +       }
> +-      if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
> +-              error("Provider \"%s\" dlopen failed: %s", path, dlerror());
> ++      if (lib_contains_symbol(path, "sk_api_version") != 0) {
> ++              error("provider %s is not an OpenSSH FIDO library", path);
> +               goto fail;
> +       }
> ++      if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
> ++              fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
> +       if ((ret->sk_api_version = dlsym(ret->dlhandle,
> +           "sk_api_version")) == NULL) {
> +               error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index 79dba121ff..98cabbe937 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -27,6 +27,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://CVE-2020-14145.patch \
>             file://CVE-2021-28041.patch \
>             file://CVE-2021-41617.patch \
> +           file://CVE-2023-38408-1.patch \
> +           file://CVE-2023-38408-3.patch \
>             "
>  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
>  SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#186488): https://lists.openembedded.org/g/openembedded-core/message/186488
> Mute This Topic: https://lists.openembedded.org/mt/100887090/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
new file mode 100644
index 0000000000..3d7c7bd357
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-1.patch
@@ -0,0 +1,31 @@ 
+From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH] upstream: terminate process if requested to load a PKCS#11
+ provider
+
+that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+CVE: CVE-2023-38408
+Upstream-Status: Backport [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ ssh-pkcs11.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1504,10 +1504,8 @@ pkcs11_register_provider(char *provider_
+ 		error("dlopen %s failed: %s", provider_id, dlerror());
+ 		goto fail;
+ 	}
+-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-		goto fail;
+-	}
++	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ 	p = xcalloc(1, sizeof(*p));
+ 	p->name = xstrdup(provider_id);
+ 	p->handle = handle;
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
new file mode 100644
index 0000000000..6a94b8715c
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-3.patch
@@ -0,0 +1,161 @@ 
+Backport of:
+
+From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+CVE: CVE-2023-38408
+Upstream-Status: Backport [https://launchpadlibrarian.net/680920377/openssh_8.2p1-4ubuntu0.9.debian.tar.xz]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ misc.c       | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h       |  3 +-
+ ssh-pkcs11.c |  6 +++-
+ ssh-sk.c     |  8 ++++--
+ 4 files changed, 89 insertions(+), 6 deletions(-)
+
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+ 
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -41,6 +42,9 @@
+ #ifdef HAVE_POLL_H
+ #include <poll.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2314,3 +2318,75 @@ ssh_signal(int signum, sshsig_t handler)
+ 	}
+ 	return osa.sa_handler;
+ }
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++	struct nlist nl[2];
++	int ret = -1, r;
++
++	memset(nl, 0, sizeof(nl));
++	nl[0].n_name = xstrdup(s);
++	nl[1].n_name = NULL;
++	if ((r = nlist(path, nl)) == -1) {
++		error("nlist failed for %s", path);
++		goto out;
++	}
++	if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++		error("library %s does not contain symbol %s", path, s);
++		goto out;
++	}
++	/* success */
++	ret = 0;
++ out:
++	free(nl[0].n_name);
++	return ret;
++#else /* HAVE_NLIST_H */
++	int fd, ret = -1;
++	struct stat st;
++	void *m = NULL;
++	size_t sz = 0;
++
++	memset(&st, 0, sizeof(st));
++	if ((fd = open(path, O_RDONLY)) < 0) {
++		error("open %s: %s", path, strerror(errno));
++		return -1;
++	}
++	if (fstat(fd, &st) != 0) {
++		error("fstat %s: %s", path, strerror(errno));
++		goto out;
++	}
++	if (!S_ISREG(st.st_mode)) {
++		error("%s is not a regular file", path);
++		goto out;
++	}
++	if (st.st_size < 0 ||
++	    (size_t)st.st_size < strlen(s) ||
++	    st.st_size >= INT_MAX/2) {
++		error("%s bad size %lld", path, (long long)st.st_size);
++		goto out;
++	}
++	sz = (size_t)st.st_size;
++	if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++	    m == NULL) {
++		error("mmap %s: %s", path, strerror(errno));
++		goto out;
++	}
++	if (memmem(m, sz, s, strlen(s)) == NULL) {
++		error("%s does not contain expected string %s", path, s);
++		goto out;
++	}
++	/* success */
++	ret = 0;
++ out:
++	if (m != NULL && m != MAP_FAILED)
++		munmap(m, sz);
++	close(fd);
++	return ret;
++#endif /* HAVE_NLIST_H */
++}
+--- a/misc.h
++++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *
+ int	 parse_absolute_time(const char *, uint64_t *);
+ void	 format_absolute_time(uint64_t, char *, size_t);
+ int	 path_absolute(const char *);
++int	 lib_contains_symbol(const char *, const char *);
+ 
+ void	 sock_set_v6only(int);
+ 
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_
+ 		    __func__, provider_id);
+ 		goto fail;
+ 	}
++	if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++		error("provider %s is not a PKCS11 library", provider_id);
++		goto fail;
++	}
+ 	/* open shared pkcs11-library */
+ 	if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+ 		error("dlopen %s failed: %s", provider_id, dlerror());
+--- a/ssh-sk.c
++++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+ #endif
+ 		return ret;
+ 	}
+-	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+-		error("Provider \"%s\" dlopen failed: %s", path, dlerror());
++	if (lib_contains_symbol(path, "sk_api_version") != 0) {
++		error("provider %s is not an OpenSSH FIDO library", path);
+ 		goto fail;
+ 	}
++	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
++		fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+ 	if ((ret->sk_api_version = dlsym(ret->dlhandle,
+ 	    "sk_api_version")) == NULL) {
+ 		error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
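Review bot: The `#else` fallback of lib_contains_symbol in misc.c, which is the branch a glibc-based dunfell target will compile because glibc ships no <nlist.h>, relies on `O_RDONLY`, `INT_MAX` and `memmem()`, yet the hunk only adds `<sys/mman.h>` and a conditional `<nlist.h>`; whether misc.c already includes `<fcntl.h>` and `<limits.h>` and has a declaration of `memmem` (a GNU extension on glibc) is outside the hunk and should be confirmed with a build of this branch rather than assumed. The diffstat lists no configure.ac change, so unless 8.2p1 already probes for nlist.h, `HAVE_NLIST_H` is never defined and the nlist(3) path is dead code on every platform — harmless, but worth a sentence in the patch header so the next maintainer does not expect it to be exercised. The patch header would also benefit from stating that the substring search only rejects files that plainly are not providers and is a defence-in-depth measure, not an authentication of the library, so the agent's provider allowlist remains the primary control; the header could say `Note: the non-nlist fallback is a plain byte search for the symbol name and is not a substitute for restricting which provider paths ssh-agent may load.`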
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index 79dba121ff..98cabbe937 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -27,6 +27,8 @@  SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2020-14145.patch \
            file://CVE-2021-28041.patch \
            file://CVE-2021-41617.patch \
+           file://CVE-2023-38408-1.patch \
+           file://CVE-2023-38408-3.patch \
            "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
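Review bot: The two SRC_URI entries added here are numbered -1 and -3, which suggests the source series also carried a -2 that was not brought over, and neither the commit message nor the patch headers say whether it was omitted because it does not apply to 8.2p1 or was overlooked. A line in the commit message such as `CVE-2023-38408-2 from the source series is not applied because <reason>` would let a reviewer confirm the backport is complete without re-deriving the series.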