From 40f1d8dfe6c0829a2887f9602193c0b05762d323 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Mon, 8 Jul 2024 17:33:50 +0000 Subject: [PATCH] CVE-2024-6409: Possible remote code execution in privsep child due to a race condition in signal handling --- SOURCES/openssh-8.7p1-CVE-2024-6409.patch | 26 +++++++++++++++++++++++ SPECS/openssh.spec | 11 ++++++++-- 2 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 SOURCES/openssh-8.7p1-CVE-2024-6409.patch diff --git a/SOURCES/openssh-8.7p1-CVE-2024-6409.patch b/SOURCES/openssh-8.7p1-CVE-2024-6409.patch new file mode 100644 index 0000000..91bac70 --- /dev/null +++ b/SOURCES/openssh-8.7p1-CVE-2024-6409.patch @@ -0,0 +1,26 @@ +From d86a071731239b564ed4b93071402199f69fd67a Mon Sep 17 00:00:00 2001 +From: Andrew Lukoshko +Date: Tue, 2 Jul 2024 22:05:51 +0000 +Subject: [PATCH] CVE-2024-6409: Possible remote code execution in privsep + child due to a race condition in signal handling + +--- + sshd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sshd.c b/sshd.c +index ec595d0..2a25e2c 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -384,7 +384,7 @@ grace_alarm_handler(int sig) + + /* Log error and exit. */ + if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0) +- cleanup_exit(255); /* don't log in privsep child */ ++ _exit(1); /* don't log in privsep child */ + else { + sigdie("Timeout before authentication for %s port %d", + ssh_remote_ipaddr(the_active_state), +-- +2.43.5 + diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 9c467db..e918daf 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -54,7 +54,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}.1 +Release: %{openssh_rel}%{?dist}.1.alma.1 URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -289,6 +289,8 @@ Patch1018: openssh-9.6p1-CVE-2023-48795.patch #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a Patch1019: openssh-9.6p1-CVE-2023-51385.patch Patch1020: openssh-9.8p1-upstream-cve-2024-6387.patch +# https://www.openwall.com/lists/oss-security/2024/07/08/2 +Patch1021: openssh-8.7p1-CVE-2024-6409.patch License: BSD Requires: /sbin/nologin @@ -363,7 +365,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1.alma.1 License: BSD %description @@ -513,6 +515,7 @@ popd %patch1018 -p1 -b .cve-2023-48795 %patch1019 -p1 -b .cve-2023-51385 %patch1020 -p1 -b .cve-2024-6387 +%patch1021 -p1 -b .cve-2024-6409 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -800,6 +803,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Jul 08 2024 Andrew Lukoshko - 8.7p1-38.1.alma.1 +- Possible remote code execution in privsep child due to a race condition + Resolves: CVE-2024-6409 + * Fri Jun 28 2024 Dmitry Belyavskiy - 8.7p1-38.1 - Possible remote code execution due to a race condition (CVE-2024-6387) Resolves: RHEL-45347