From 12440c960eb7cc4ca49370aa56eccae018c206fb Mon Sep 17 00:00:00 2001
From: lingsheng <860373352@qq.com>
Date: Thu, 4 Jul 2024 03:00:43 +0000
Subject: [PATCH] fix CVE-2024-6126

(cherry picked from commit db7bd85b2204926940e843df767e0f0f62b1750c)
---
 backport-CVE-2024-6126.patch | 156 +++++++++++++++++++++++++++++++++++
 cockpit.spec                 |  13 ++-
 2 files changed, 167 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2024-6126.patch

diff --git a/backport-CVE-2024-6126.patch b/backport-CVE-2024-6126.patch
new file mode 100644
index 0000000..14fe5a4
--- /dev/null
+++ b/backport-CVE-2024-6126.patch
@@ -0,0 +1,156 @@
+From 08965365ac311f906a520cbf65427742d5f84ba4 Mon Sep 17 00:00:00 2001
+From: Martin Pitt <mpitt@redhat.com>
+Date: Mon, 10 Jun 2024 10:49:56 +0200
+Subject: [PATCH] pam-ssh-add: Fix insecure killing of session ssh-agent
+ [CVE-2024-6126]
+
+Some distributions like Debian 12, or possibly some administrators
+enable pam_env's deprecated `user_readenv` option [1]. The user session
+can change the `$SSH_AGENT_PID`, so that it can pass an arbitrary pid to
+`pam_sm_close_session()`. This is a local authenticated DoS.
+
+Avoid this by storing the agent pid in a global variable. The
+cockpit-session process stays around for the entire session time, so we
+don't need to put the pid into the PAM data.
+
+It can also happen that the user session's ssh-agent gets killed, and
+some other process later on recycles the PID. Temporarily drop
+privileges to the target user so that we at least don't kill anyone
+else's process.
+
+Add an integration test which checks that changing the env variable
+works, pointing it to a different process doesn't kill that, and
+ssh-agent (the original pid) is still cleaned up correctly. However, as
+pam_so.env in Fedora crashes hard, skip the test there.
+
+Many thanks to Paolo Perego <paolo.perego@suse.com> for discovering,
+and Luna Dragon <luna.dragon@suse.com> for reporting this issue!
+
+[1] https://man7.org/linux/man-pages/man8/pam_env.8.html
+
+CVE-2024-6126
+https://bugzilla.redhat.com/show_bug.cgi?id=2290859
+---
+ src/pam-ssh-add/pam-ssh-add.c | 46 ++++++++++++++++++++++++++++-------
+ test/verify/check-session     | 33 +++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+), 9 deletions(-)
+
+diff --git a/src/pam-ssh-add/pam-ssh-add.c b/src/pam-ssh-add/pam-ssh-add.c
+index a9159d71004..839b797d215 100644
+--- a/src/pam-ssh-add/pam-ssh-add.c
++++ b/src/pam-ssh-add/pam-ssh-add.c
+@@ -54,6 +54,9 @@ const char *pam_ssh_agent_arg = NULL;
+ const char *pam_ssh_add_program = PATH_SSH_ADD;
+ const char *pam_ssh_add_arg = NULL;
+ 
++static unsigned long ssh_agent_pid;
++static uid_t ssh_agent_uid;
++
+ /* Environment */
+ #define ENVIRON_SIZE 5
+ #define PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+@@ -866,6 +869,25 @@ start_agent (pam_handle_t *pamh,
+           error ("couldn't set agent environment: %s",
+                  pam_strerror (pamh, res));
+         }
++
++      /* parse and store the agent pid for later cleanup */
++      if (strncmp (auth_pid, "SSH_AGENT_PID=", 14) == 0)
++        {
++          unsigned long pid = strtoul (auth_pid + 14, NULL, 10);
++          if (pid > 0 && pid != ULONG_MAX)
++            {
++              ssh_agent_pid = pid;
++              ssh_agent_uid = auth_pwd->pw_uid;
++            }
++          else
++            {
++              error ("invalid SSH_AGENT_PID value: %s", auth_pid);
++            }
++        }
++      else
++        {
++          error ("unexpected agent pid format: %s", auth_pid);
++        }
+     }
+ 
+   free (auth_socket);
+@@ -952,19 +974,25 @@ pam_sm_close_session (pam_handle_t *pamh,
+                       int argc,
+                       const char *argv[])
+ {
+-  const char *s_pid;
+-  int pid = 0;
+   parse_args (argc, argv);
+ 
+   /* Kill the ssh agent we started */
+-  s_pid = pam_getenv (pamh, "SSH_AGENT_PID");
+-  if (s_pid)
+-    pid = atoi (s_pid);
+-
+-  if (pid > 0)
++  if (ssh_agent_pid > 0)
+     {
+-      debug ("Closing %d", pid);
+-      kill (pid, SIGTERM);
++      debug ("Closing %lu", ssh_agent_pid);
++      /* kill as user to guard against crashing ssh-agent and PID reuse */
++      if (setresuid (ssh_agent_uid, ssh_agent_uid,  -1) < 0)
++        {
++          error ("could not drop privileges for killing ssh agent: %m");
++          return PAM_SESSION_ERR;
++        }
++      if (kill (ssh_agent_pid, SIGTERM) < 0 && errno != ESRCH)
++        message ("could not kill ssh agent %lu: %m", ssh_agent_pid);
++      if (setresuid (0, 0, -1) < 0)
++        {
++          error ("could not restore privileges after killing ssh agent: %m");
++          return PAM_SESSION_ERR;
++        }
+     }
+   return PAM_SUCCESS;
+ }
+diff --git a/test/verify/check-session b/test/verify/check-session
+index 56a0fc08c04..21812f32507 100755
+--- a/test/verify/check-session
++++ b/test/verify/check-session
+@@ -86,6 +86,39 @@ class TestSession(testlib.MachineCase):
+         b.logout()
+         wait_session(should_exist=False)
+ 
++        # try to pwn $SSH_AGENT_PID via pam_env's user_readenv=1 (CVE-2024-6126)
++
++        if m.image in ["fedora-39", "fedora-40", "centos-10", "rhel-10-0"]:
++            # pam_env user_readenv crashes in Fedora/RHEL 10, skip the test
++            # https://bugzilla.redhat.com/show_bug.cgi?id=2293045
++            return
++        if m.ostree_image:
++            # not using cockpit's PAM config
++            return
++
++        # this is enabled by default in tools/cockpit.debian.pam, as well as
++        # Debian/Ubuntu's /etc/pam.d/sshd; but not in Fedora/RHEL
++        if "debian" not in m.image and "ubuntu" not in m.image:
++            self.write_file("/etc/pam.d/cockpit", "session required pam_env.so user_readenv=1\n", append=True)
++        victim_pid = m.spawn("sleep infinity", "sleep.log")
++        self.addCleanup(m.execute, f"kill {victim_pid} || true")
++        self.write_file("/home/admin/.pam_environment", f"SSH_AGENT_PID={victim_pid}\n", owner="admin")
++
++        b.login_and_go()
++        wait_session(should_exist=True)
++        # starts ssh-agent in session
++        m.execute("pgrep -u admin ssh-agent")
++        # but the session has the modified SSH_AGENT_PID
++        bridge = m.execute("pgrep -u admin cockpit-bridge").strip()
++        agent = m.execute(f"grep --null-data SSH_AGENT_PID /proc/{bridge}/environ | xargs -0 | sed 's/.*=//'").strip()
++        self.assertEqual(agent, str(victim_pid))
++
++        # logging out still kills the actual ssh-agent, not the victim pid
++        b.logout()
++        wait_session(should_exist=False)
++        m.execute("while pgrep -u admin ssh-agent; do sleep 1; done", timeout=10)
++        m.execute(f"test -e /proc/{victim_pid}")
++
+ 
+ if __name__ == '__main__':
+     testlib.test_main()
diff --git a/cockpit.spec b/cockpit.spec
index 50d7a97..04f571a 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -10,11 +10,14 @@
 
 Name:           cockpit
 Version:        309
-Release:        1
+Release:        2
 Summary:        A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
 License:        LGPLv2+
 URL:            https://cockpit-project.org/
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
+
+Patch6000:      backport-CVE-2024-6126.patch
+
 %define build_basic 1
 %define build_optional 1
 
@@ -58,7 +61,7 @@ Recommends:     polkit NetworkManager-team setroubleshoot-server >= 3.3.3 sscg >
 Recommends:     udisks2-lvm2 >= 2.6 udisks2-iscsi >= 2.6 device-mapper-multipath clevis-luks virt-install
 
 %prep
-%setup -q -n cockpit-%{version}
+%autosetup -n cockpit-%{version} -p1
 
 %build
 %configure \
@@ -320,6 +323,12 @@ fi
 %doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz,cockpit-tls.8.gz}
 
 %changelog
+* Thu Jul 04 2024 lingsheng <lingsheng1@h-partners.com> - 309-2
+- Type:CVE
+- ID:CVE-2024-6126
+- SUG:restart
+- DESC:fix CVE-2024-6126
+
 * Tue Jan 23 2024 zhouwenpei <zhouwenpei1@h-partners.com> - 309-1
 - Type:NA
 - ID:NA