fix CVE-2020-14145
This commit is contained in:
chxssg
parent
c990886e61
commit
8c65c058d1
92
CVE-2020-14145.patch
Normal file
92
CVE-2020-14145.patch
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
|
||||||
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||||
|
Date: Fri, 18 Sep 2020 05:23:03 +0000
|
||||||
|
Subject: upstream: tweak the client hostkey preference ordering algorithm to
|
||||||
|
|
||||||
|
prefer the default ordering if the user has a key that matches the
|
||||||
|
best-preference default algorithm.
|
||||||
|
|
||||||
|
feedback and ok markus@
|
||||||
|
|
||||||
|
OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
|
||||||
|
---
|
||||||
|
sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 38 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||||
|
index 347e348c..f64aae66 100644
|
||||||
|
--- a/sshconnect2.c
|
||||||
|
+++ b/sshconnect2.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
|
||||||
|
+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
|
@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Returns the first item from a comma-separated algorithm list */
|
||||||
|
+static char *
|
||||||
|
+first_alg(const char *algs)
|
||||||
|
+{
|
||||||
|
+ char *ret, *cp;
|
||||||
|
+
|
||||||
|
+ ret = xstrdup(algs);
|
||||||
|
+ if ((cp = strchr(ret, ',')) != NULL)
|
||||||
|
+ *cp = '\0';
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static char *
|
||||||
|
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
|
{
|
||||||
|
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
|
||||||
|
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
|
||||||
|
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
|
||||||
|
size_t maxlen;
|
||||||
|
- struct hostkeys *hostkeys;
|
||||||
|
+ struct hostkeys *hostkeys = NULL;
|
||||||
|
int ktype;
|
||||||
|
u_int i;
|
||||||
|
|
||||||
|
@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
|
for (i = 0; i < options.num_system_hostfiles; i++)
|
||||||
|
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * If a plain public key exists that matches the type of the best
|
||||||
|
+ * preference HostkeyAlgorithms, then use the whole list as is.
|
||||||
|
+ * Note that we ignore whether the best preference algorithm is a
|
||||||
|
+ * certificate type, as sshconnect.c will downgrade certs to
|
||||||
|
+ * plain keys if necessary.
|
||||||
|
+ */
|
||||||
|
+ best = first_alg(options.hostkeyalgorithms);
|
||||||
|
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
|
||||||
|
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
|
||||||
|
+ debug3("%s: have matching best-preference key type %s, "
|
||||||
|
+ "using HostkeyAlgorithms verbatim", __func__, best);
|
||||||
|
+ ret = xstrdup(options.hostkeyalgorithms);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Otherwise, prefer the host key algorithms that match known keys
|
||||||
|
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
|
||||||
|
+ */
|
||||||
|
oavail = avail = xstrdup(options.hostkeyalgorithms);
|
||||||
|
maxlen = strlen(avail) + 1;
|
||||||
|
first = xmalloc(maxlen);
|
||||||
|
@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
|
if (*first != '\0')
|
||||||
|
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
|
||||||
|
|
||||||
|
+ out:
|
||||||
|
+ free(best);
|
||||||
|
free(first);
|
||||||
|
free(last);
|
||||||
|
free(hostname);
|
||||||
|
--
|
||||||
|
cgit v1.2.3
|
||||||
|
|
||||||
10
openssh.spec
10
openssh.spec
@ -6,7 +6,7 @@
|
|||||||
%{?no_gtk2:%global gtk2 0}
|
%{?no_gtk2:%global gtk2 0}
|
||||||
|
|
||||||
%global sshd_uid 74
|
%global sshd_uid 74
|
||||||
%global openssh_release 8
|
%global openssh_release 9
|
||||||
|
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 8.2p1
|
Version: 8.2p1
|
||||||
@ -90,6 +90,7 @@ Patch57: CVE-2020-12062-1.patch
|
|||||||
Patch58: CVE-2020-12062-2.patch
|
Patch58: CVE-2020-12062-2.patch
|
||||||
Patch59: upstream-expose-vasnmprintf.patch
|
Patch59: upstream-expose-vasnmprintf.patch
|
||||||
Patch60: CVE-2018-15919.patch
|
Patch60: CVE-2018-15919.patch
|
||||||
|
Patch61: CVE-2020-14145.patch
|
||||||
|
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
|
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
|
||||||
@ -252,6 +253,7 @@ popd
|
|||||||
%patch58 -p1
|
%patch58 -p1
|
||||||
%patch59 -p1
|
%patch59 -p1
|
||||||
%patch60 -p1
|
%patch60 -p1
|
||||||
|
%patch61 -p1
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-0.10.3
|
pushd pam_ssh_agent_auth-0.10.3
|
||||||
@ -467,6 +469,12 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 4 2021 chxssg<chxssg@qq.com> - 8.2P1-9
|
||||||
|
- Type:cves
|
||||||
|
- CVE:CVE-2020-14145
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:fix CVE-2020-14145
|
||||||
|
|
||||||
* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-8
|
* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-8
|
||||||
- Type:bugfix
|
- Type:bugfix
|
||||||
- CVE:NA
|
- CVE:NA
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user