| Message ID | 1353996801-28402-1-git-send-email-li.wang@windriver.com |
|---|---|
| State | New |
diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch new file mode 100644 index 0000000..8489edc --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch @@ -0,0 +1,27 @@ +openssh-CVE-2011-4327 + +A security flaw was found in the way ssh-keysign, +a ssh helper program for host based authentication, +attempted to retrieve enough entropy information on configurations that +lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would +be executed to retrieve the entropy from the system environment). +A local attacker could use this flaw to obtain unauthorized access to host keys +via ptrace(2) process trace attached to the 'ssh-rand-helper' program. + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 +http://www.openssh.com/txt/portable-keysign-rand-helper.adv + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- a/ssh-keysign.c ++++ b/ssh-keysign.c +@@ -170,6 +170,10 @@ + key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); + key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); ++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || ++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || ++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) ++ fatal("fcntl failed"); + + original_real_uid = getuid(); /* XXX readconf.c needs this */ + if ((pw = getpwuid(original_real_uid)) == NULL) diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb index 31202d4..df77040 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb 
@@ -7,7 +7,7 @@ SECTION = "console/network" LICENSE = "BSD" LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" -PR = "r3" +PR = "r4" DEPENDS = "zlib openssl" DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" @@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://sshd_config \ file://ssh_config \ file://init \ + file://openssh-CVE-2011-4327.patch \ ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" PAM_SRC_URI = "file://sshd"
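Review bot: the new patch file in the first hunk carries no Upstream-Status tag, which OE-Core requires in every patch header, and the advisory it cites (portable-keysign-rand-helper.adv) describes the flaw as affecting Portable OpenSSH prior to 5.8p2 on platforms built with ssh-rand-helper, while this recipe builds 6.0p1; the backport should be dropped rather than carried with a status tag bolted on. If it is kept for some reason, note that the three open() results go unchecked before `if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||`, so a host that lacks one of the three key files ends up with -1 in key_fd, fcntl() fails on it, and the new fatal("fcntl failed") aborts ssh-keysign where it previously carried on; guard each fcntl() with a `key_fd[n] != -1` test, or pass O_CLOEXEC to the open() calls so the close-on-exec flag is set atomically at open time.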
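Review bot: the `file://openssh-CVE-2011-4327.patch \` line in the SRC_URI hunk and the `PR = "r4"` bump in the hunk above it exist only to carry the new patch file; if that patch is reverted because 6.0p1 is not an affected version, both recipe changes have to go with it, otherwise the recipe references a patch that no longer exists in the tree and the PR bump records a change that was never shipped.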
On 11/26/2012 10:13 PM, Li Wang wrote:
> A security flaw was found in the way ssh-keysign,
> a ssh helper program for host based authentication,
> attempted to retrieve enough entropy information on configurations that
> lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> be executed to retrieve the entropy from the system environment).
> A local attacker could use this flaw to obtain unauthorized access to host keys
> via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> http://www.openssh.com/txt/portable-keysign-rand-helper.adv
>
> [YOCTO #3493]
>
> Signed-off-by: Li Wang <li.wang@windriver.com>
> ---
> .../openssh-6.0p1/openssh-CVE-2011-4327.patch | 27 ++++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 ++-
> 2 files changed, 29 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
> new file mode 100644
> index 0000000..8489edc
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch

This has already been merged, but can you please send a patch to add the Upstream-Status.

Thanks
Sau!
> @@ -0,0 +1,27 @@ > +openssh-CVE-2011-4327 > + > +A security flaw was found in the way ssh-keysign, > +a ssh helper program for host based authentication, > +attempted to retrieve enough entropy information on configurations that > +lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would > +be executed to retrieve the entropy from the system environment). > +A local attacker could use this flaw to obtain unauthorized access to host keys > +via ptrace(2) process trace attached to the 'ssh-rand-helper' program. > + > +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327 > +http://www.openssh.com/txt/portable-keysign-rand-helper.adv > + > +Signed-off-by: Li Wang <li.wang@windriver.com> > +--- a/ssh-keysign.c > ++++ b/ssh-keysign.c > +@@ -170,6 +170,10 @@ > + key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); > + key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); > + key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); > ++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 || > ++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 || > ++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0) > ++ fatal("fcntl failed"); > + > + original_real_uid = getuid(); /* XXX readconf.c needs this */ > + if ((pw = getpwuid(original_real_uid)) == NULL) > diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb > index 31202d4..df77040 100644 > --- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb > @@ -7,7 +7,7 @@ SECTION = "console/network" > LICENSE = "BSD" > LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507" > > -PR = "r3" > +PR = "r4" > > DEPENDS = "zlib openssl" > DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" 
> @@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. > file://sshd_config \ > file://ssh_config \ > file://init \ > + file://openssh-CVE-2011-4327.patch \ > ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" > > PAM_SRC_URI = "file://sshd" >
On 11/26/2012 10:13 PM, Li Wang wrote:
> A security flaw was found in the way ssh-keysign,
> a ssh helper program for host based authentication,
> attempted to retrieve enough entropy information on configurations that
> lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> be executed to retrieve the entropy from the system environment).
> A local attacker could use this flaw to obtain unauthorized access to host keys
> via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> http://www.openssh.com/txt/portable-keysign-rand-helper.adv
>
> [YOCTO #3493]
>
> Signed-off-by: Li Wang <li.wang@windriver.com>

Hi Li,

The second link you referenced above explains that the vulnerability exists in versions prior to openssh 5.8p2, and yet your patch was submitted against openssh 6.0p1. So it seems that this would not apply. Or am I misunderstanding the nature of the bug?

Thanks,
Scott
On 30 November 2012 22:41, Scott Garman <scott.a.garman@intel.com> wrote:
> The second link you referenced above explains that the vulnerability exists
> in versions prior to openssh 5.8p2, and yet your patch was submitted against
> openssh 6.0p1. So it seems that this would not apply. Or am I
> misunderstanding the nature of the bug?

Prior to 5.8p2 *and* not Linux:

2. Affected configurations

Portable OpenSSH prior to version 5.8p2 only on platforms that are configured to use ssh-rand-helper for entropy collection.

ssh-rand-helper is enabled at configure time when it is detected that OpenSSL does not have a built-in source of randomness, and only used at runtime if this condition remains. Platforms that support /dev/random or otherwise configure OpenSSL with a random number provider are not vulnerable.

In particular, *BSD, OS X, Cygwin and Linux are not affected.

Ross
This is my neglect. The function has already been removed from OpenSSH prior to version 5.8p2:

ChangeLog:
20110505
 - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
   [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
   [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
   [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
   [regress/README.regress]
   Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been
   rolled into entropy.c directly. Thanks to tim@ for testing on affected
   platforms.

So, please revert the patch.

Thanks,
LiWang.

Burton, Ross wrote:
> On 30 November 2012 22:41, Scott Garman <scott.a.garman@intel.com> wrote:
>
>> The second link you referenced above explains that the vulnerability exists
>> in versions prior to openssh 5.8p2, and yet your patch was submitted against
>> openssh 6.0p1. So it seems that this would not apply. Or am I
>> misunderstanding the nature of the bug?
>>
>
> Prior to 5.8p2 *and* not Linux:
>
> 2. Affected configurations
>
> Portable OpenSSH prior to version 5.8p2 only on platforms
> that are configured to use ssh-rand-helper for entropy
> collection.
>
> ssh-rand-helper is enabled at configure time when it is
> detected that OpenSSL does not have a built-in source of
> randomness, and only used at runtime if this condition
> remains. Platforms that support /dev/random or otherwise
> configure OpenSSL with a random number provider are not
> vulnerable.
>
> In particular, *BSD, OS X, Cygwin and Linux are not
> affected.
>
> Ross
>
A security flaw was found in the way ssh-keysign,
a ssh helper program for host based authentication,
attempted to retrieve enough entropy information on configurations that
lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
be executed to retrieve the entropy from the system environment).
A local attacker could use this flaw to obtain unauthorized access to host keys
via ptrace(2) process trace attached to the 'ssh-rand-helper' program.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
http://www.openssh.com/txt/portable-keysign-rand-helper.adv

[YOCTO #3493]

Signed-off-by: Li Wang <li.wang@windriver.com>
---
 .../openssh-6.0p1/openssh-CVE-2011-4327.patch | 27 ++++++++++++++++++++++
 meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 ++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
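As an added illustration of the mechanism the commit message describes (this is example code, not from the patch or from OpenSSH): a host-key descriptor opened without close-on-exec survives execve() into a spawned helper, which is what let the helper, and anyone able to ptrace it, reach the keys; after the same fcntl(F_SETFD, FD_CLOEXEC) call the patch adds, the descriptor is gone in the child. The key file is a constructed sample, and child_can_read_key together with the /bin/sh stand-in for ssh-rand-helper are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a host private key file; not real key material. */
static const char SAMPLE_KEY[] = "-----BEGIN CONSTRUCTED SAMPLE KEY-----\n";

/* Open a sample key, optionally mark the descriptor close-on-exec with the
 * same fcntl(fd, F_SETFD, FD_CLOEXEC) call the patch adds, then spawn a
 * helper via fork()+exec() that tries to read the inherited fd number.
 * Returns 1 if the helper could read the key, 0 if the fd was closed on
 * exec, -1 on a setup error. */
int child_can_read_key(int set_cloexec)
{
    char path[] = "/tmp/keysign-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);   /* the open descriptor keeps the file alive */
    if (write(fd, SAMPLE_KEY, sizeof SAMPLE_KEY - 1) < 0 ||
        lseek(fd, 0, SEEK_SET) < 0 ||
        (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) != 0)) {
        close(fd);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Child stands in for ssh-rand-helper: redirect the inherited fd to
         * stdin and grep the key. Exit 0 only if the key text is readable;
         * a closed fd makes the redirection fail with a non-zero status. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "grep -q BEGIN 2>/dev/null <&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    close(fd);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}
```

Passing O_CLOEXEC to open() sets the same flag atomically at open time, which avoids the window between open() and fcntl() in which a concurrently spawned child could still inherit the descriptor.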