fix CVE-2023-51384
This commit is contained in:
renmingshuai
parent
70f8bd2a41
commit
d78325b584
@ -0,0 +1,174 @@
|
||||
From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Mon, 18 Dec 2023 14:46:12 +0000
|
||||
Subject: [PATCH] upstream: apply destination constraints to all p11 keys
|
||||
|
||||
Previously applied only to the first key returned from each token.
|
||||
|
||||
ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
|
||||
|
||||
Reference:https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
|
||||
---
|
||||
ssh-agent.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 100 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ssh-agent.c b/ssh-agent.c
|
||||
index f52861163..1d4c321eb 100644
|
||||
--- a/ssh-agent.c
|
||||
+++ b/ssh-agent.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: ssh-agent.c,v 1.297 2023/03/09 21:06:24 jcs Exp $ */
|
||||
+/* $OpenBSD: ssh-agent.c,v 1.301 2023/12/18 14:46:12 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
|
||||
free(dcs);
|
||||
}
|
||||
|
||||
+static void
|
||||
+dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
|
||||
+ struct dest_constraint_hop *out)
|
||||
+{
|
||||
+ u_int i;
|
||||
+ int r;
|
||||
+
|
||||
+ out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
|
||||
+ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
|
||||
+ out->is_ca = dch->is_ca;
|
||||
+ out->nkeys = dch->nkeys;
|
||||
+ out->keys = out->nkeys == 0 ? NULL :
|
||||
+ xcalloc(out->nkeys, sizeof(*out->keys));
|
||||
+ out->key_is_ca = out->nkeys == 0 ? NULL :
|
||||
+ xcalloc(out->nkeys, sizeof(*out->key_is_ca));
|
||||
+ for (i = 0; i < dch->nkeys; i++) {
|
||||
+ if (dch->keys[i] != NULL &&
|
||||
+ (r = sshkey_from_private(dch->keys[i],
|
||||
+ &(out->keys[i]))) != 0)
|
||||
+ fatal_fr(r, "copy key");
|
||||
+ out->key_is_ca[i] = dch->key_is_ca[i];
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static struct dest_constraint *
|
||||
+dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
|
||||
+{
|
||||
+ size_t i;
|
||||
+ struct dest_constraint *ret;
|
||||
+
|
||||
+ if (ndcs == 0)
|
||||
+ return NULL;
|
||||
+ ret = xcalloc(ndcs, sizeof(*ret));
|
||||
+ for (i = 0; i < ndcs; i++) {
|
||||
+ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from);
|
||||
+ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to);
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+#ifdef DEBUG_CONSTRAINTS
|
||||
+static void
|
||||
+dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
|
||||
+{
|
||||
+ u_int i;
|
||||
+ char *fp;
|
||||
+
|
||||
+ debug_f("user %s hostname %s is_ca %d nkeys %u",
|
||||
+ dch->user == NULL ? "(null)" : dch->user,
|
||||
+ dch->hostname == NULL ? "(null)" : dch->hostname,
|
||||
+ dch->is_ca, dch->nkeys);
|
||||
+ for (i = 0; i < dch->nkeys; i++) {
|
||||
+ fp = NULL;
|
||||
+ if (dch->keys[i] != NULL &&
|
||||
+ (fp = sshkey_fingerprint(dch->keys[i],
|
||||
+ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
|
||||
+ fatal_f("fingerprint failed");
|
||||
+ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
|
||||
+ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]),
|
||||
+ dch->keys[i] == NULL ? "" : " ",
|
||||
+ dch->keys[i] == NULL ? "none" : fp,
|
||||
+ dch->key_is_ca[i]);
|
||||
+ free(fp);
|
||||
+ }
|
||||
+}
|
||||
+#endif /* DEBUG_CONSTRAINTS */
|
||||
+
|
||||
+static void
|
||||
+dump_dest_constraints(const char *context,
|
||||
+ const struct dest_constraint *dcs, size_t ndcs)
|
||||
+{
|
||||
+#ifdef DEBUG_CONSTRAINTS
|
||||
+ size_t i;
|
||||
+
|
||||
+ debug_f("%s: %zu constraints", context, ndcs);
|
||||
+ for (i = 0; i < ndcs; i++) {
|
||||
+ debug_f("constraint %zu / %zu: from: ", i, ndcs);
|
||||
+ dump_dest_constraint_hop(&dcs[i].from);
|
||||
+ debug_f("constraint %zu / %zu: to: ", i, ndcs);
|
||||
+ dump_dest_constraint_hop(&dcs[i].to);
|
||||
+ }
|
||||
+ debug_f("done for %s", context);
|
||||
+#endif /* DEBUG_CONSTRAINTS */
|
||||
+}
|
||||
+
|
||||
static void
|
||||
free_identity(Identity *id)
|
||||
{
|
||||
@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e)
|
||||
Identity *id;
|
||||
struct sshbuf *msg, *keys;
|
||||
int r;
|
||||
- u_int nentries = 0;
|
||||
+ u_int i = 0, nentries = 0;
|
||||
+ char *fp;
|
||||
|
||||
debug2_f("entering");
|
||||
|
||||
if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL)
|
||||
fatal_f("sshbuf_new failed");
|
||||
TAILQ_FOREACH(id, &idtab->idlist, next) {
|
||||
+ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,
|
||||
+ SSH_FP_DEFAULT)) == NULL)
|
||||
+ fatal_f("fingerprint failed");
|
||||
+ debug_f("key %u / %u: %s %s", i++, idtab->nentries,
|
||||
+ sshkey_ssh_name(id->key), fp);
|
||||
+ dump_dest_constraints(__func__,
|
||||
+ id->dest_constraints, id->ndest_constraints);
|
||||
+ free(fp);
|
||||
/* identity not visible, don't include in response */
|
||||
if (identity_permitted(id, e, NULL, NULL, NULL) != 0)
|
||||
continue;
|
||||
@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e)
|
||||
sshbuf_reset(e->request);
|
||||
goto out;
|
||||
}
|
||||
+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
|
||||
|
||||
if (sk_provider != NULL) {
|
||||
if (!sshkey_is_sk(k)) {
|
||||
@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e)
|
||||
error_f("failed to parse constraints");
|
||||
goto send;
|
||||
}
|
||||
+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
|
||||
if (e->nsession_ids != 0 && !remote_add_provider) {
|
||||
verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
|
||||
"providers is disabled", provider);
|
||||
@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e)
|
||||
}
|
||||
id->death = death;
|
||||
id->confirm = confirm;
|
||||
- id->dest_constraints = dest_constraints;
|
||||
+ id->dest_constraints = dup_dest_constraints(
|
||||
+ dest_constraints, ndest_constraints);
|
||||
id->ndest_constraints = ndest_constraints;
|
||||
- dest_constraints = NULL; /* transferred */
|
||||
- ndest_constraints = 0;
|
||||
TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
|
||||
idtab->nentries++;
|
||||
success = 1;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
10
openssh.spec
10
openssh.spec
@ -6,7 +6,7 @@
|
||||
%{?no_gtk2:%global gtk2 0}
|
||||
|
||||
%global sshd_uid 74
|
||||
%global openssh_release 4
|
||||
%global openssh_release 5
|
||||
|
||||
Name: openssh
|
||||
Version: 9.3p2
|
||||
@ -100,6 +100,7 @@ Patch77: set-ssh-config.patch
|
||||
Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
|
||||
Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
|
||||
Patch80: backport-fix-CVE-2024-6387.patch
|
||||
Patch81: backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch
|
||||
|
||||
Requires: /sbin/nologin
|
||||
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
|
||||
@ -249,6 +250,7 @@ popd
|
||||
%patch78 -p1
|
||||
%patch79 -p1
|
||||
%patch80 -p1
|
||||
%patch81 -p1
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
|
||||
@ -465,6 +467,12 @@ getent passwd sshd >/dev/null || \
|
||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
|
||||
%changelog
|
||||
* Fri Jul 12 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-5
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-51384
|
||||
- SUG:NA
|
||||
- DESC:Fix CVE-2023-51384
|
||||
|
||||
* Tue Jul 2 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-4
|
||||
- Type:CVE
|
||||
- CVE:CVE-2024-6387
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user