!186 Fix CVE-2023-25136

From: @renmingshuai Reviewed-by: @kircher Signed-off-by: @kircher
2023-02-07 01:16:05 +00:00 · 2023-02-07 01:16:05 +00:00 · 6dee73d1a6
commit 6dee73d1a6
parent 32736e9a66 98d2ece958
2 changed files with 72 additions and 1 deletions
--- a/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
+++ b/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
@ -0,0 +1,63 @@
 From 12da7823336434a403f25c7cc0c2c6aed0737a35 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Thu, 2 Feb 2023 12:10:05 +0000
 Subject: [PATCH] upstream: fix double-free caused by compat_kex_proposal();
 bz3522
 by dtucker@, ok me
 OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=12da7823336434a403f25c7cc0c2c6aed0737a35
 Conflict:NA 
 ---
 compat.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/compat.c b/compat.c
 index 46dfe3a9..478a9403 100644
 --- a/compat.c
 +++ b/compat.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
 +/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
 char *
 compat_kex_proposal(struct ssh *ssh, char *p)
 {
 -	char *cp = NULL;
 +	char *cp = NULL, *cp2 = NULL;
 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
 		return xstrdup(p);
 	debug2_f("original KEX proposal: %s", p);
 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
 -		if ((p = match_filter_denylist(p,
 +		if ((cp = match_filter_denylist(p,
 		    "curve25519-sha256@libssh.org")) == NULL)
 			fatal("match_filter_denylist failed");
 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
 -		cp = p;
 -		if ((p = match_filter_denylist(p,
 +		if ((cp2 = match_filter_denylist(cp ? cp : p,
 		    "diffie-hellman-group-exchange-sha256,"
 		    "diffie-hellman-group-exchange-sha1")) == NULL)
 			fatal("match_filter_denylist failed");
 		free(cp);
 +		cp = cp2;
 	}
 -	debug2_f("compat KEX proposal: %s", p);
 -	if (*p == '\0')
 +	if (cp == NULL || *cp == '\0')
 		fatal("No supported key exchange algorithms found");
 -	return p;
 +	debug2_f("compat KEX proposal: %s", cp);
 +	return cp;
 }
 -- 
 2.23.0
--- a/openssh.spec
+++ b/openssh.spec
@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid    74
-%global openssh_release 1
+%global openssh_release 2
 Name:           openssh
 Version:        9.1p1
@ -90,6 +90,7 @@ Patch65:        openssh-Add-sw64-architecture.patch
 Patch74:        add-strict-scp-check-for-CVE-2020-15778.patch
 Patch77:        skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
 Patch78:        skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
 Patch79:        backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -228,6 +229,7 @@ popd
 %patch74 -p1
 %patch77 -p1
 %patch78 -p1
 %patch79 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -426,6 +428,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
 * Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-2
 - Type:CVE
 - CVE:CVE-2023-25136
 - SUG:NA
 - DESC:fix CVE-2023-25136
 * Mon Jan 30 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-1
 - Type:bugfix
 - CVE:NA