fix CVE-2023-25136

2023-02-06 20:39:08 +08:00 · 2023-02-06 20:39:08 +08:00 · 98d2ece958
commit 98d2ece958
parent fd7afa4f0a
2 changed files with 72 additions and 1 deletions
--- a/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
+++ b/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
@ -0,0 +1,63 @@
+From 12da7823336434a403f25c7cc0c2c6aed0737a35 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 2 Feb 2023 12:10:05 +0000
+Subject: [PATCH] upstream: fix double-free caused by compat_kex_proposal();
+ bz3522
+
+by dtucker@, ok me
+
+OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
+
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=12da7823336434a403f25c7cc0c2c6aed0737a35
+Conflict:NA 
+---
+ compat.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/compat.c b/compat.c
+index 46dfe3a9..478a9403 100644
+--- a/compat.c
+++ b/compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */
+ /*
+  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
+  *
+@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
+-	char *cp = NULL;
+	char *cp = NULL, *cp2 = NULL;
+ 
+ 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+ 		return xstrdup(p);
+ 	debug2_f("original KEX proposal: %s", p);
+ 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+-		if ((p = match_filter_denylist(p,
+		if ((cp = match_filter_denylist(p,
+ 		    "curve25519-sha256@libssh.org")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+-		cp = p;
+-		if ((p = match_filter_denylist(p,
+		if ((cp2 = match_filter_denylist(cp ? cp : p,
+ 		    "diffie-hellman-group-exchange-sha256,"
+ 		    "diffie-hellman-group-exchange-sha1")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 		free(cp);
+		cp = cp2;
+ 	}
+-	debug2_f("compat KEX proposal: %s", p);
+-	if (*p == '\0')
+	if (cp == NULL || *cp == '\0')
+ 		fatal("No supported key exchange algorithms found");
+-	return p;
+	debug2_f("compat KEX proposal: %s", cp);
+	return cp;
+ }
+ 
+-- 
+2.23.0
+
--- a/openssh.spec
+++ b/openssh.spec
@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}

 %global sshd_uid    74
-%global openssh_release 1
+%global openssh_release 2

 Name:           openssh
 Version:        9.1p1
@ -90,6 +90,7 @@ Patch65:        openssh-Add-sw64-architecture.patch
 Patch74:        add-strict-scp-check-for-CVE-2020-15778.patch
 Patch77:        skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
 Patch78:        skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
+Patch79:        backport-upstream-CVE-2023-25136-fix-double-free-caused.patch

 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -228,6 +229,7 @@ popd
 %patch74 -p1
 %patch77 -p1
 %patch78 -p1
+%patch79 -p1

 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -426,6 +428,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*

 %changelog
+* Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-2
+- Type:CVE
+- CVE:CVE-2023-25136
+- SUG:NA
+- DESC:fix CVE-2023-25136
+
 * Mon Jan 30 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-1
 - Type:bugfix
 - CVE:NA