From patchwork Fri Dec 17 06:55:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sana Kazi X-Patchwork-Id: 1652 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02D64C433EF for ; Fri, 17 Dec 2021 06:55:48 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web12.3465.1639724147417943339 for ; Thu, 16 Dec 2021 22:55:47 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=GG4pyUnr; spf=pass (domain: gmail.com, ip: 209.85.214.179, mailfrom: sanakazisk19@gmail.com) Received: by mail-pl1-f179.google.com with SMTP id n16so318393plc.2 for ; Thu, 16 Dec 2021 22:55:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id; bh=NRohQHBtvEl9oI3OKMb79CDV+qTysDG2Kf+d7c+/7I0=; b=GG4pyUnrQi8v8PJGiHh0QDHMHItYzq4r+3JxkG3r3QloXOZeA5e0KbZQZpnG7bZwHQ 68Tk/jzGRMvKkOZujIGFWMv44d+koIDnTfGcCEsPD1erzTpmhxS8zR11XN2fPlpGOKVg 80to5obeEa49AG0Da5okt0yKnRG8t7YC7ukAkQFc+cPRQE0M+c2L4IPZfBuEWVf/gG80 ejs/3X4gE68KvlVXtInaiEVq4fi9pxfKkrllULVDBQsA59U7IezhaolalldCxAxO7Z2m /coHhfo3IQFeL8lokKyKekbzsbrdUYv8P5bCYnTago7zzDz5HGv5ihoa5fBp1d6z4AeS sWsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=NRohQHBtvEl9oI3OKMb79CDV+qTysDG2Kf+d7c+/7I0=; b=wgXJ41SAyPGQ/oJtEtfoo/MaspGOLNT1V/84FhLg6D+wgZ0fGaWY0z0NSFYgpCslil n64GBfQE7Za5ybMkX+Q0m+7+8CsJ6uJ2xGkUm9CdlybZWx1S2qwu+3Joo75/g980lJbx XxlCr5A677/0aWKjvGkOtbuDuCQaroRUD7CvVYuDIPtT+5eTWr8lTRv1VOGO2yFxk8Qy njm4osJVcaBaIitNROak8v+TpfW9vSp6paFRMdElmqRA6VwWhTU01zNuAzfkCdgyTi81 VyDVqDRmrL7QPa6+A4iq7avGHkXZuPyexxXWankp5Ls6O2RgHgKvHinBsajB3StREzb1 wYgQ== X-Gm-Message-State: AOAM533PMaJHEAjCj8KWtvOQPjLIIURq6395t1PXTdZgytSL3Ayjv5wz xnUIPmuOV+xkQPmfJbffJGrRFrFqeY0wPg== X-Google-Smtp-Source: ABdhPJyZm5RntSNK+RI856zmYE2GwY4SgKgkp+4M+XGTqry7lS76+31+aOx7a+NVtNLK0h1xXOVUlQ== X-Received: by 2002:a17:903:1246:b0:148:a658:8d32 with SMTP id u6-20020a170903124600b00148a6588d32mr1924169plh.117.1639724146518; Thu, 16 Dec 2021 22:55:46 -0800 (PST) Received: from localhost.localdomain ([2401:4900:502b:4528:10a5:44f4:647b:9622]) by smtp.gmail.com with ESMTPSA id b15sm8935461pfl.118.2021.12.16.22.55.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Dec 2021 22:55:46 -0800 (PST) From: Sana Kazi To: openembedded-core@lists.openembedded.org Cc: Sana Kazi Subject: [poky][dunfell][PATCH 1/2] openssh: Fix CVE-2021-41617 Date: Fri, 17 Dec 2021 12:25:30 +0530 Message-Id: <20211217065530.6944-1-sanakazisk19@gmail.com> X-Mailer: git-send-email 2.17.1 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Dec 2021 06:55:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/159817 Add patch to fix CVE-2021-41617 Link: https://bugzilla.suse.com/attachment.cgi?id=854015 Signed-off-by: Sana Kazi Signed-off-by: Sana Kazi --- .../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++++++++++++ .../openssh/openssh_8.2p1.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch new file mode 100644 index 0000000000..bda896f581 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch @@ -0,0 +1,52 @@ +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001 +From: Ali Abdallah +Date: Wed, 24 Nov 2021 13:33:39 +0100 +Subject: [PATCH] CVE-2021-41617 fix + +backport of the following two upstream commits + +f3cbe43e28fe71427d41cfe3a17125b972710455 +bf944e3794eff5413f2df1ef37cddf96918c6bde + +CVE-2021-41617 failed to correctly initialise supplemental groups +when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser +directive has been set to run the command as a different user. Instead +these commands would inherit the groups that sshd(8) was started with. +--- + auth.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +CVE: CVE-2021-41617 +Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015] +Comment: No change in any hunk +Signed-off-by: Sana Kazi + +diff --git a/auth.c b/auth.c +index 163038f..a47b267 100644 +--- a/auth.c ++++ b/auth.c +@@ -52,6 +52,7 @@ + #include + #include + #include ++#include + + #include "xmalloc.h" + #include "match.h" +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command, + } + closefrom(STDERR_FILENO + 1); + ++ if (geteuid() == 0 && ++ initgroups(pw->pw_name, pw->pw_gid) == -1) { ++ error("%s: initgroups(%s, %u): %s", tag, ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); ++ _exit(1); ++ } ++ + /* Don't use permanently_set_uid() here to avoid fatal() */ + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, +-- +2.26.2 diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index b60d1a6bd4..e903ec487d 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://add-test-support-for-busybox.patch \ file://CVE-2020-14145.patch \ file://CVE-2021-28041.patch \ + file://CVE-2021-41617.patch \ " SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" From patchwork Fri Dec 17 06:56:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sana Kazi X-Patchwork-Id: 1653 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA059C433F5 for ; Fri, 17 Dec 2021 06:56:42 +0000 (UTC) Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com [209.85.215.169]) by mx.groups.io with SMTP id smtpd.web10.3385.1639724202444292872 for ; Thu, 16 Dec 2021 22:56:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=khqT8akw; spf=pass (domain: gmail.com, ip: 209.85.215.169, mailfrom: sanakazisk19@gmail.com) Received: by mail-pg1-f169.google.com with SMTP id f125so1307896pgc.0 for ; Thu, 16 Dec 2021 22:56:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id; bh=mVB2j9A5NHnxh4D/UmafWqNUf48s+CyW/Tji0dQONDw=; b=khqT8akw3WIgCrpv1q6x5FVu/oPgB7QLBoOecyDG0qUGLvr+zu2iJCSnq1yQxWZxct 7nFxmvlFwylZDxEbvK0RBc/9MjDA0g+a4dqa4uW8JrvTpAy+nHhx3b7JdOx2JH0eDmP8 bKVDdIYsNdySadgZYzVyRbYJsHrykEr7O4acIpNb0kcLOogfTfnqJR4Vsu+S5HAB8htk myHUIx/Z3L5i214kPYtm0yQk0ugD6Ay6QJAiO5nQBes42MK1KAoxTzFjkzDSrkl9p+kQ 4IyflQdgiLC83rFoY0ArxJoBHV6+3KrJRae76OnAHtXagUN5PZHabZQh/oQoC88ZL34R a+Mw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=mVB2j9A5NHnxh4D/UmafWqNUf48s+CyW/Tji0dQONDw=; b=0kWTuQP1Q63cvtU2BzSxxpxXf5jAMfWcr+Nw0TlqK7qaS+jdD4iGkzGYT3uZnKsG3j segiAoQ69vXAllzP/sGiPdwCGkogBEeGFhDapxl7xS2r7U/gIjZfArnC3b/mGyESgw40 eYCw9SCz0NHD/KBz6c8QcMVZs45+vqCVh5PdM1pka7Imxdx97+DmKD4Rtod3WuQoNCYW EgnDpyMx30RDWIFKdUjaQW3QvzISFmusBr1Pmme905oVK/ZQthl1QVzsVhOFkp/Awe/L 5e6RVjTKwKSIqVepdQrWVpl4qPfrOExeT+i3JlPHPT5+540OW4HPfDAbNRE18f3gQcXY FbcQ== X-Gm-Message-State: AOAM531jbl15NDBqYqPhGUOA7qk23OMdo6tG1BX/gnnEgDBsX5Yb3SPp 8ZMUTDLWQYxvHblbGeCzhwWc4fWxiH9oMA== X-Google-Smtp-Source: ABdhPJzEj4DqY7Yc6SG+a7892J6pfNDAVIuHSj6YSBuxxMhS5abFvaYauApxhw7gSnZ5gtPHJRc4yA== X-Received: by 2002:a05:6a00:1308:b0:4a2:75cd:883a with SMTP id j8-20020a056a00130800b004a275cd883amr1671514pfu.84.1639724201688; Thu, 16 Dec 2021 22:56:41 -0800 (PST) Received: from localhost.localdomain ([2401:4900:502b:4528:10a5:44f4:647b:9622]) by smtp.gmail.com with ESMTPSA id u6sm8534651pfg.157.2021.12.16.22.56.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Dec 2021 22:56:41 -0800 (PST) From: Sana Kazi To: openembedded-core@lists.openembedded.org Cc: Sana Kazi Subject: [poky][dunfell][PATCH 2/2] openssh: Whitelist CVE-2016-20012 Date: Fri, 17 Dec 2021 12:26:29 +0530 Message-Id: <20211217065629.7178-1-sanakazisk19@gmail.com> X-Mailer: git-send-email 2.17.1 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 17 Dec 2021 06:56:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/159818 Whitelist CVE-2016-20012 as the upstream OpenSSH developers see this as an important security feature and do not intend to 'fix' it. Link: https://security-tracker.debian.org/tracker/CVE-2016-20012 https://ubuntu.com/security/CVE-2016-20012 Signed-off-by: Sana Kazi Signed-off-by: Sana Kazi --- meta/recipes-connectivity/openssh/openssh_8.2p1.bb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index e903ec487d..ddc9ed0b32 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb @@ -51,6 +51,15 @@ CVE_CHECK_WHITELIST += "CVE-2020-15778" # https://www.securityfocus.com/bid/30794 CVE_CHECK_WHITELIST += "CVE-2008-3844" +# openssh-ssh1 is provided for compatibility with old devices that +# cannot be upgraded to modern protocols. Thus they may not provide security +# support for this package because doing so would prevent access to equipment. +# The upstream OpenSSH developers see this as an important +# security feature and do not intend to 'fix' it. +# https://security-tracker.debian.org/tracker/CVE-2016-20012 +# https://ubuntu.com/security/CVE-2016-20012 +CVE_CHECK_WHITELIST += "CVE-2016-20012" + PAM_SRC_URI = "file://sshd" inherit manpages useradd update-rc.d update-alternatives systemd