!74 fix CVE-2021-41617

From: @renmingshuai Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2021-10-09 11:36:31 +00:00 · 2021-10-09 11:36:31 +00:00 · 11347d6ff5
commit 11347d6ff5
parent d80e1469d0 96428762fd
3 changed files with 73 additions and 1 deletions
--- a/backport-CVE-2021-41617-1.patch
+++ b/backport-CVE-2021-41617-1.patch
@ -0,0 +1,34 @@
+From f3cbe43e28fe71427d41cfe3a17125b972710455 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 26 Sep 2021 14:01:03 +0000
+Subject: upstream: need initgroups() before setresgid(); reported by anton@,
+
+ok deraadt@
+
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+---
+ auth.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/auth.c b/auth.c
+index c73444a..e510a05 100644
+--- a/auth.c
+++ b/auth.c
+@@ -852,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
+		if (geteuid() == 0 &&
+		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
+			error("%s: initgroups(%s, %u): %s", tag,
+			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+			_exit(1);
+		}
+
+ 		/* Don't use permanently_set_uid() here to avoid fatal() */
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+-- 
+1.8.3.1
+
--- a/backport-CVE-2021-41617-2.patch
+++ b/backport-CVE-2021-41617-2.patch
@ -0,0 +1,28 @@
+From f3cbe43e28fe71427d41cfe3a17125b972710455 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 26 Sep 2021 14:01:03 +0000
+Subject: upstream: need initgroups() before setresgid(); reported by anton@,
+
+ok deraadt@
+
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+---
+ auth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/auth.c b/auth.c
+index e510a05..46b56cf 100644
+--- a/auth.c
+++ b/auth.c
+@@ -39,6 +39,7 @@
+ # include <paths.h>
+ #endif
+ #include <pwd.h>
+#include <grp.h>
+ #ifdef HAVE_LOGIN_H
+ #include <login.h>
+ #endif
+-- 
+1.8.3.1
+
--- a/openssh.spec
+++ b/openssh.spec
@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}

 %global sshd_uid    74
-%global openssh_release 14
+%global openssh_release 15

 Name:           openssh
 Version:        8.2p1
@ -95,6 +95,8 @@ Patch62:        add-strict-scp-check-for-CVE-2020-15778.patch
 Patch63:        backport-move-closefrom-to-before-first-malloc.patch
 Patch64:	backport-upstream-Remove-debug-message-from-sigchld-handler.patch
 Patch65:	backport-upstream-Refactor-private-key-parsing.-Eliminates-a-.patch
+Patch66:	backport-CVE-2021-41617-1.patch
+Patch67:	backport-CVE-2021-41617-2.patch

 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -262,6 +264,8 @@ popd
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
+%patch67 -p1

 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
@ -476,6 +480,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*

 %changelog
+* Fri Oct 8 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15
+- Type:cves
+- CVE:CVE-2021-41617
+- SUG:NA
+- DESC:fix CVE-2021-41617
+
 * Sat Sep 18 2021 kircher<kircherlike@outlook.com> - 8.2P1-14
 - Type:bugfix
 - CVE:NA