!36 fix CVE-2020-14145
From: @chxssg Reviewed-by: @seuzw Signed-off-by: @seuzw
This commit is contained in:
openeuler-ci-bot
Gitee
commit
b773e1502a
92
CVE-2020-14145.patch
Normal file
92
CVE-2020-14145.patch
Normal file
@ -0,0 +1,92 @@
|
||||
From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Fri, 18 Sep 2020 05:23:03 +0000
|
||||
Subject: upstream: tweak the client hostkey preference ordering algorithm to
|
||||
|
||||
prefer the default ordering if the user has a key that matches the
|
||||
best-preference default algorithm.
|
||||
|
||||
feedback and ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
|
||||
---
|
||||
sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 38 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 347e348c..f64aae66 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
|
||||
+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* Returns the first item from a comma-separated algorithm list */
|
||||
+static char *
|
||||
+first_alg(const char *algs)
|
||||
+{
|
||||
+ char *ret, *cp;
|
||||
+
|
||||
+ ret = xstrdup(algs);
|
||||
+ if ((cp = strchr(ret, ',')) != NULL)
|
||||
+ *cp = '\0';
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static char *
|
||||
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
{
|
||||
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
|
||||
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
|
||||
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
|
||||
size_t maxlen;
|
||||
- struct hostkeys *hostkeys;
|
||||
+ struct hostkeys *hostkeys = NULL;
|
||||
int ktype;
|
||||
u_int i;
|
||||
|
||||
@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
for (i = 0; i < options.num_system_hostfiles; i++)
|
||||
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
||||
|
||||
+ /*
|
||||
+ * If a plain public key exists that matches the type of the best
|
||||
+ * preference HostkeyAlgorithms, then use the whole list as is.
|
||||
+ * Note that we ignore whether the best preference algorithm is a
|
||||
+ * certificate type, as sshconnect.c will downgrade certs to
|
||||
+ * plain keys if necessary.
|
||||
+ */
|
||||
+ best = first_alg(options.hostkeyalgorithms);
|
||||
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
|
||||
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
|
||||
+ debug3("%s: have matching best-preference key type %s, "
|
||||
+ "using HostkeyAlgorithms verbatim", __func__, best);
|
||||
+ ret = xstrdup(options.hostkeyalgorithms);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Otherwise, prefer the host key algorithms that match known keys
|
||||
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
|
||||
+ */
|
||||
oavail = avail = xstrdup(options.hostkeyalgorithms);
|
||||
maxlen = strlen(avail) + 1;
|
||||
first = xmalloc(maxlen);
|
||||
@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
if (*first != '\0')
|
||||
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
|
||||
|
||||
+ out:
|
||||
+ free(best);
|
||||
free(first);
|
||||
free(last);
|
||||
free(hostname);
|
||||
--
|
||||
cgit v1.2.3
|
||||
|
||||
10
openssh.spec
10
openssh.spec
@ -6,7 +6,7 @@
|
||||
%{?no_gtk2:%global gtk2 0}
|
||||
|
||||
%global sshd_uid 74
|
||||
%global openssh_release 8
|
||||
%global openssh_release 9
|
||||
|
||||
Name: openssh
|
||||
Version: 8.2p1
|
||||
@ -90,6 +90,7 @@ Patch57: CVE-2020-12062-1.patch
|
||||
Patch58: CVE-2020-12062-2.patch
|
||||
Patch59: upstream-expose-vasnmprintf.patch
|
||||
Patch60: CVE-2018-15919.patch
|
||||
Patch61: CVE-2020-14145.patch
|
||||
|
||||
Requires: /sbin/nologin
|
||||
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
|
||||
@ -252,6 +253,7 @@ popd
|
||||
%patch58 -p1
|
||||
%patch59 -p1
|
||||
%patch60 -p1
|
||||
%patch61 -p1
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-0.10.3
|
||||
@ -467,6 +469,12 @@ getent passwd sshd >/dev/null || \
|
||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
|
||||
%changelog
|
||||
* Mon Jan 4 2021 chxssg<chxssg@qq.com> - 8.2P1-9
|
||||
- Type:cves
|
||||
- CVE:CVE-2020-14145
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2020-14145
|
||||
|
||||
* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-8
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user