From aa500db6e4606d3e8be75c8af55353c94e37080e Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 3 Jul 2024 14:22:23 +0000 Subject: [PATCH 1/5] import UBI openssh-8.7p1-38.el9_4.1 --- .../openssh-9.8p1-upstream-cve-2024-6387.patch | 18 ++++++++++++++++++ SPECS/openssh.spec | 10 ++++++++-- 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch diff --git a/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch b/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch new file mode 100644 index 0000000..754d279 --- /dev/null +++ b/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch @@ -0,0 +1,18 @@ +diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c +--- openssh-8.7p1/log.c.xxx 2024-06-28 11:02:43.949912398 +0200 ++++ openssh-8.7p1/log.c 2024-06-28 11:02:58.652297885 +0200 +@@ -455,12 +455,14 @@ void + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 8a7a38e..9c467db 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -54,7 +54,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist} +Release: %{openssh_rel}%{?dist}.1 URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -288,6 +288,7 @@ Patch1017: openssh-9.4p2-limit-delay.patch Patch1018: openssh-9.6p1-CVE-2023-48795.patch #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a Patch1019: openssh-9.6p1-CVE-2023-51385.patch +Patch1020: openssh-9.8p1-upstream-cve-2024-6387.patch License: BSD Requires: /sbin/nologin @@ -362,7 +363,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1 License: BSD %description @@ -511,6 +512,7 @@ popd %patch1017 -p1 -b .limitdelay %patch1018 -p1 -b .cve-2023-48795 %patch1019 -p1 -b .cve-2023-51385 +%patch1020 -p1 -b .cve-2024-6387 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -798,6 +800,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Jun 28 2024 Dmitry Belyavskiy - 8.7p1-38.1 +- Possible remote code execution due to a race condition (CVE-2024-6387) + Resolves: RHEL-45347 + * Fri Jan 05 2024 Dmitry Belyavskiy - 8.7p1-38 - Fix Terrapin attack Resolves: CVE-2023-48795 From 5399a9c9ff7c261bad2676f7f9c5e727e39d954a Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 10 Jul 2024 14:14:58 +0000 Subject: [PATCH 2/5] import UBI openssh-8.7p1-38.el9_4.4 --- SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch | 12 ++++++++++++ SPECS/openssh.spec | 14 ++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch b/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch index 754d279..fffd50a 100644 --- a/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch +++ b/SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch @@ -16,3 +16,15 @@ diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c _exit(1); } +diff -up openssh-8.7p1/sshd.c.xxx openssh-8.7p1/sshd.c +--- openssh-8.7p1/sshd.c.xxx 2024-07-01 10:33:04.332907749 +0200 ++++ openssh-8.7p1/sshd.c 2024-07-01 10:33:47.843998038 +0200 +@@ -384,7 +384,7 @@ grace_alarm_handler(int sig) + + /* Log error and exit. */ + if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0) +- cleanup_exit(255); /* don't log in privsep child */ ++ _exit(255); /* don't log in privsep child */ + else { + sigdie("Timeout before authentication for %s port %d", + ssh_remote_ipaddr(the_active_state), diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 9c467db..b678330 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -54,7 +54,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}.1 +Release: %{openssh_rel}%{?dist}.4 URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -363,7 +363,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.4 License: BSD %description @@ -800,6 +800,16 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Wed Jul 03 2024 Dmitry Belyavskiy - 8.7p1-38.4 +- rebuilt + +* Wed Jul 03 2024 Dmitry Belyavskiy - 8.7p1-38.3 +- rebuilt + +* Mon Jul 01 2024 Dmitry Belyavskiy - 8.7p1-38.2 +- Possible remote code execution due to a race condition (CVE-2024-6409) + Resolves: RHEL-45740 + * Fri Jun 28 2024 Dmitry Belyavskiy - 8.7p1-38.1 - Possible remote code execution due to a race condition (CVE-2024-6387) Resolves: RHEL-45347 From 90272187e9f5d4e71c3caaa246fa77de7673102c Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 12 Nov 2024 10:39:29 +0000 Subject: [PATCH 3/5] import UBI openssh-8.7p1-43.el9 --- SOURCES/openssh-7.7p1-fips.patch | 2 +- SOURCES/openssh-8.0p1-openssl-kdf.patch | 101 ++++++++++++-------- SOURCES/openssh-8.7p1-audit-hostname.patch | 106 +++++++++++++++++++++ SOURCES/openssh-8.7p1-sigpipe.patch | 21 ++++ SOURCES/sshd-keygen | 12 ++- SOURCES/sshd.sysconfig | 3 + SPECS/openssh.spec | 44 ++++++--- 7 files changed, 229 insertions(+), 60 deletions(-) create mode 100644 SOURCES/openssh-8.7p1-audit-hostname.patch create mode 100644 SOURCES/openssh-8.7p1-sigpipe.patch diff --git a/SOURCES/openssh-7.7p1-fips.patch b/SOURCES/openssh-7.7p1-fips.patch index 05b2907..704de05 100644 --- a/SOURCES/openssh-7.7p1-fips.patch +++ b/SOURCES/openssh-7.7p1-fips.patch @@ -81,7 +81,7 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c #include +#include #include - # ifdef HAVE_EVP_KDF_CTX_NEW_ID + # ifdef HAVE_EVP_KDF_CTX_NEW # include @@ -203,7 +203,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; diff --git a/SOURCES/openssh-8.0p1-openssl-kdf.patch b/SOURCES/openssh-8.0p1-openssl-kdf.patch index 5d76a4f..e190472 100644 --- a/SOURCES/openssh-8.0p1-openssl-kdf.patch +++ b/SOURCES/openssh-8.0p1-openssl-kdf.patch @@ -12,7 +12,7 @@ index 2a455e4e..e01c3d43 100644 HMAC_CTX_init \ RSA_generate_key_ex \ RSA_get_default_method \ -+ EVP_KDF_CTX_new_id \ ++ EVP_KDF_CTX_new \ ]) # OpenSSL_add_all_algorithms may be a macro. @@ -20,33 +20,35 @@ diff --git a/kex.c b/kex.c index b6f041f4..1fbce2bb 100644 --- a/kex.c +++ b/kex.c -@@ -38,6 +38,9 @@ +@@ -38,6 +38,11 @@ #ifdef WITH_OPENSSL #include #include -+# ifdef HAVE_EVP_KDF_CTX_NEW_ID ++# ifdef HAVE_EVP_KDF_CTX_NEW +# include ++# include ++# include +# endif #endif #include "ssh.h" -@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh) +@@ -942,6 +945,112 @@ kex_choose_conf(struct ssh *ssh) return r; } -+#ifdef HAVE_EVP_KDF_CTX_NEW_ID -+static const EVP_MD * ++#ifdef HAVE_EVP_KDF_CTX_NEW ++static const char * +digest_to_md(int digest_type) +{ + switch (digest_type) { + case SSH_DIGEST_SHA1: -+ return EVP_sha1(); ++ return SN_sha1; + case SSH_DIGEST_SHA256: -+ return EVP_sha256(); ++ return SN_sha256; + case SSH_DIGEST_SHA384: -+ return EVP_sha384(); ++ return SN_sha384; + case SSH_DIGEST_SHA512: -+ return EVP_sha512(); ++ return SN_sha512; + } + return NULL; +} @@ -56,52 +58,67 @@ index b6f041f4..1fbce2bb 100644 + const struct sshbuf *shared_secret, u_char **keyp) +{ + struct kex *kex = ssh->kex; -+ EVP_KDF_CTX *ctx = NULL; + u_char *key = NULL; + int r, key_len; + -+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0) -+ return SSH_ERR_INVALID_ARGUMENT; ++ EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL); ++ EVP_KDF_CTX *ctx = NULL; ++ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new(); ++ OSSL_PARAM *params = NULL; ++ const char *md = digest_to_md(kex->hash_alg); ++ char keytype = (char)id; ++ ++ if (!kdf) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ctx = EVP_KDF_CTX_new(kdf); ++ EVP_KDF_free(kdf); ++ if (!ctx) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (md == NULL) { ++ r = SSH_ERR_INVALID_ARGUMENT; ++ goto out; ++ } ++ ++ if (param_bld == NULL) { ++ EVP_KDF_CTX_free(ctx); ++ return -1; ++ } ++ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0) { ++ r = SSH_ERR_INVALID_ARGUMENT; ++ goto out; ++ } ++ + key_len = ROUNDUP(need, key_len); + if ((key = calloc(1, key_len)) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + -+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); -+ if (!ctx) { ++ r = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST, ++ md, strlen(md)) && /* SN */ ++ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY, ++ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) && ++ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_XCGHASH, ++ hash, hashlen) && ++ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_SESSION_ID, ++ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)) && ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE, ++ &keytype, 1); ++ if (r != 1) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } + -+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg)); -+ if (r != 1) { ++ params = OSSL_PARAM_BLD_to_param(param_bld); ++ if (params == NULL) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } -+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, -+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)); -+ if (r != 1) { -+ r = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen); -+ if (r != 1) { -+ r = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id); -+ if (r != 1) { -+ r = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, -+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)); -+ if (r != 1) { -+ r = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ r = EVP_KDF_derive(ctx, key, key_len); ++ r = EVP_KDF_derive(ctx, key, key_len, params); + if (r != 1) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; @@ -115,6 +132,8 @@ index b6f041f4..1fbce2bb 100644 + r = 0; + +out: ++ OSSL_PARAM_BLD_free(param_bld); ++ OSSL_PARAM_free(params); + free (key); + EVP_KDF_CTX_free(ctx); + if (r < 0) { @@ -130,7 +149,7 @@ index b6f041f4..1fbce2bb 100644 ssh_digest_free(hashctx); return r; } -+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */ ++#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW */ #define NKEYS 6 int diff --git a/SOURCES/openssh-8.7p1-audit-hostname.patch b/SOURCES/openssh-8.7p1-audit-hostname.patch new file mode 100644 index 0000000..e450c00 --- /dev/null +++ b/SOURCES/openssh-8.7p1-audit-hostname.patch @@ -0,0 +1,106 @@ +diff --color -ruNp a/audit-linux.c b/audit-linux.c +--- a/audit-linux.c 2024-05-09 12:38:08.843017319 +0200 ++++ b/audit-linux.c 2024-05-09 12:47:05.162267634 +0200 +@@ -52,7 +52,7 @@ extern u_int utmp_len; + const char *audit_username(void); + + static void +-linux_audit_user_logxxx(int uid, const char *username, ++linux_audit_user_logxxx(int uid, const char *username, const char *hostname, + const char *ip, const char *ttyn, int success, int event) + { + int audit_fd, rc, saved_errno; +@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c + } + rc = audit_log_acct_message(audit_fd, event, + NULL, "login", username ? username : "(unknown)", +- username == NULL ? uid : -1, NULL, ip, ttyn, success); ++ username == NULL ? uid : -1, hostname, ip, ttyn, success); + saved_errno = errno; + close(audit_fd); + +@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const + { + if (!user_login_count++) + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), + "ssh", 1, AUDIT_USER_LOGIN); + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), + "ssh", 1, AUDIT_USER_START); + return 0; +@@ -193,10 +195,12 @@ void + audit_end_command(struct ssh *ssh, int handle, const char *command) + { + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), + "ssh", 1, AUDIT_USER_END); + if (user_login_count && !--user_login_count) + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), + "ssh", 1, AUDIT_USER_LOGOUT); + } +@@ -211,19 +215,27 @@ void + audit_session_open(struct logininfo *li) + { + if (!user_login_count++) +- linux_audit_user_logxxx(li->uid, NULL, li->hostname, ++ linux_audit_user_logxxx(li->uid, NULL, ++ options.use_dns ? li->hostname : NULL, ++ options.use_dns ? NULL : li->hostname, + li->line, 1, AUDIT_USER_LOGIN); +- linux_audit_user_logxxx(li->uid, NULL, li->hostname, ++ linux_audit_user_logxxx(li->uid, NULL, ++ options.use_dns ? li->hostname : NULL, ++ options.use_dns ? NULL : li->hostname, + li->line, 1, AUDIT_USER_START); + } + + void + audit_session_close(struct logininfo *li) + { +- linux_audit_user_logxxx(li->uid, NULL, li->hostname, ++ linux_audit_user_logxxx(li->uid, NULL, ++ options.use_dns ? li->hostname : NULL, ++ options.use_dns ? NULL : li->hostname, + li->line, 1, AUDIT_USER_END); + if (user_login_count && !--user_login_count) +- linux_audit_user_logxxx(li->uid, NULL, li->hostname, ++ linux_audit_user_logxxx(li->uid, NULL, ++ options.use_dns ? li->hostname : NULL, ++ options.use_dns ? NULL : li->hostname, + li->line, 1, AUDIT_USER_LOGOUT); + } + +@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e + linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, event); + linux_audit_user_logxxx(-1, audit_username(), ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); + break; + case SSH_AUTH_FAIL_PASSWD: +@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e + if (user_login_count) { + while (user_login_count--) + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), + "ssh", 1, AUDIT_USER_END); + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), + "ssh", 1, AUDIT_USER_LOGOUT); + } +@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e + case SSH_CONNECTION_ABANDON: + case SSH_INVALID_USER: + linux_audit_user_logxxx(-1, audit_username(), ++ options.use_dns ? remote_hostname(ssh) : NULL, + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); + break; + default: diff --git a/SOURCES/openssh-8.7p1-sigpipe.patch b/SOURCES/openssh-8.7p1-sigpipe.patch new file mode 100644 index 0000000..be73b2c --- /dev/null +++ b/SOURCES/openssh-8.7p1-sigpipe.patch @@ -0,0 +1,21 @@ +diff --git a/ssh.c b/ssh.c +index 89ca1940..559bf2af 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1124,6 +1124,8 @@ main(int ac, char **av) + } + } + ++ ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ ++ + /* + * Initialize "log" output. Since we are the client all output + * goes to stderr unless otherwise specified by -y or -E. +@@ -1652,7 +1654,6 @@ main(int ac, char **av) + options.num_system_hostfiles); + tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles); + +- ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ + ssh_signal(SIGCHLD, main_sigchld_handler); + + /* Log into the remote system. Never returns if the login fails. */ diff --git a/SOURCES/sshd-keygen b/SOURCES/sshd-keygen index 141814c..0fd2a53 100644 --- a/SOURCES/sshd-keygen +++ b/SOURCES/sshd-keygen @@ -9,8 +9,14 @@ case $KEYTYPE in if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then exit 0 fi ;; - "rsa") ;; # always ok - "ecdsa") ;; + "rsa") + if [[ ! -z $SSH_RSA_BITS ]]; then + SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS" + fi ;; # always ok + "ecdsa") + if [[ ! -z $SSH_ECDSA_BITS ]]; then + SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS" + fi ;; *) # wrong argument exit 12 ;; esac @@ -25,7 +31,7 @@ fi rm -f $KEY{,.pub} # create new keys -if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then +if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then exit 1 fi diff --git a/SOURCES/sshd.sysconfig b/SOURCES/sshd.sysconfig index a217ce7..ee44ae6 100644 --- a/SOURCES/sshd.sysconfig +++ b/SOURCES/sshd.sysconfig @@ -5,3 +5,6 @@ # example using systemctl enable sshd-keygen@dsa.service to allow creation # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key # creation. + +#SSH_RSA_BITS=3072 +#SSH_ECDSA_BITS=256 diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index b678330..e69e53a 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -47,14 +47,14 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 38 +%global openssh_rel 43 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}.4 +Release: %{openssh_rel}%{?dist} URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -84,6 +84,8 @@ Patch100: openssh-6.7p1-coverity.patch Patch200: openssh-7.6p1-audit.patch # Audit race condition in forked child (#1310684) Patch201: openssh-7.1p2-audit-race-condition.patch +# Correctly audit hostname and IP address +Patch202: openssh-8.7p1-audit-hostname.patch # --- pam_ssh-agent --- # make it build reusing the openssh sources @@ -288,7 +290,9 @@ Patch1017: openssh-9.4p2-limit-delay.patch Patch1018: openssh-9.6p1-CVE-2023-48795.patch #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a Patch1019: openssh-9.6p1-CVE-2023-51385.patch -Patch1020: openssh-9.8p1-upstream-cve-2024-6387.patch +#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c +Patch1020: openssh-8.7p1-sigpipe.patch +Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch License: BSD Requires: /sbin/nologin @@ -363,7 +367,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.4 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist} License: BSD %description @@ -485,6 +489,7 @@ popd %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race +%patch202 -p1 -b .audit-hostname %patch700 -p1 -b .fips %patch1000 -p1 -b .minimize-sha1-use @@ -512,7 +517,8 @@ popd %patch1017 -p1 -b .limitdelay %patch1018 -p1 -b .cve-2023-48795 %patch1019 -p1 -b .cve-2023-51385 -%patch1020 -p1 -b .cve-2024-6387 +%patch1020 -p1 -b .earlypipe +%patch1021 -p1 -b .cve-2024-6387 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -800,19 +806,27 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog -* Wed Jul 03 2024 Dmitry Belyavskiy - 8.7p1-38.4 -- rebuilt - -* Wed Jul 03 2024 Dmitry Belyavskiy - 8.7p1-38.3 -- rebuilt - -* Mon Jul 01 2024 Dmitry Belyavskiy - 8.7p1-38.2 +* Tue Jul 09 2024 Dmitry Belyavskiy - 8.7p1-43 - Possible remote code execution due to a race condition (CVE-2024-6409) - Resolves: RHEL-45740 + Resolves: RHEL-45741 -* Fri Jun 28 2024 Dmitry Belyavskiy - 8.7p1-38.1 +* Thu Jul 04 2024 Dmitry Belyavskiy - 8.7p1-42 - Possible remote code execution due to a race condition (CVE-2024-6387) - Resolves: RHEL-45347 + Resolves: RHEL-45348 + +* Mon Jun 03 2024 Dmitry Belyavskiy - 8.7p1-41 +- Fix ssh multiplexing connect timeout processing + Resolves: RHEL-37748 + +* Thu May 02 2024 Zoltan Fridrich - 8.7p1-40 +- Correctly audit hostname and IP address + Resolves: RHEL-22316 +- Make default key sizes configurable in sshd-keygen + Resolves: RHEL-26454 + +* Wed Apr 24 2024 Dmitry Belyavskiy - 8.7p1-39 +- Use FIPS-compatible API for key derivation + Resolves: RHEL-32809 * Fri Jan 05 2024 Dmitry Belyavskiy - 8.7p1-38 - Fix Terrapin attack From 89eae95cdcab34ca1117b8bd9cb44d37a591c262 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 13 May 2025 14:28:28 +0000 Subject: [PATCH 4/5] import UBI openssh-8.7p1-45.el9 --- ...nssh-8.7p1-allow-duplicate-subsystem.patch | 32 +++++++++ SOURCES/openssh-8.7p1-openssl-log.patch | 65 +++++++++++++++++ SOURCES/openssh-8.7p1-redhat-help.patch | 40 +++++++++++ SOURCES/openssh-9.9p2-error_processing.patch | 69 +++++++++++++++++++ SPECS/openssh.spec | 27 +++++++- 5 files changed, 232 insertions(+), 1 deletion(-) create mode 100644 SOURCES/openssh-8.7p1-allow-duplicate-subsystem.patch create mode 100644 SOURCES/openssh-8.7p1-openssl-log.patch create mode 100644 SOURCES/openssh-8.7p1-redhat-help.patch create mode 100644 SOURCES/openssh-9.9p2-error_processing.patch diff --git a/SOURCES/openssh-8.7p1-allow-duplicate-subsystem.patch b/SOURCES/openssh-8.7p1-allow-duplicate-subsystem.patch new file mode 100644 index 0000000..22fe73b --- /dev/null +++ b/SOURCES/openssh-8.7p1-allow-duplicate-subsystem.patch @@ -0,0 +1,32 @@ +diff --git a/servconf.c b/servconf.c +index e16f9e90fc71..a3779a9d86ee 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -1942,13 +1942,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, + fatal("%s line %d: %s missing argument.", + filename, linenum, keyword); + if (!*activep) { +- arg = argv_next(&ac, &av); ++ argv_consume(&ac); ++ break; ++ } ++ found = 0; ++ for (i = 0; i < options->num_subsystems; i++) { ++ if (strcmp(arg, options->subsystem_name[i]) == 0) { ++ found = 1; ++ break; ++ } ++ } ++ if (found) { ++ debug("%s line %d: Subsystem '%s' already defined.", ++ filename, linenum, arg); ++ argv_consume(&ac); + break; + } +- for (i = 0; i < options->num_subsystems; i++) +- if (strcmp(arg, options->subsystem_name[i]) == 0) +- fatal("%s line %d: Subsystem '%s' " +- "already defined.", filename, linenum, arg); + options->subsystem_name[options->num_subsystems] = xstrdup(arg); + arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') diff --git a/SOURCES/openssh-8.7p1-openssl-log.patch b/SOURCES/openssh-8.7p1-openssl-log.patch new file mode 100644 index 0000000..9c9a3f5 --- /dev/null +++ b/SOURCES/openssh-8.7p1-openssl-log.patch @@ -0,0 +1,65 @@ +diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c +--- openssh-8.7p1/log.c.xxx 2024-10-18 13:00:56.419560563 +0200 ++++ openssh-8.7p1/log.c 2024-10-18 13:22:35.954819016 +0200 +@@ -438,6 +438,26 @@ sshlog(const char *file, const char *fun + va_end(args); + } + ++#ifdef WITH_OPENSSL ++static int ++openssl_error_print_cb(const char *str, size_t len, void *u) ++{ ++ sshlogdirect(SYSLOG_LEVEL_DEBUG1, 0, "openssl error %s", str); ++ return 0; ++} ++#endif ++ ++void ++sshlog_openssl(int r) ++{ ++#ifdef WITH_OPENSSL ++ if (r != SSH_ERR_LIBCRYPTO_ERROR) return; ++ ++ ERR_print_errors_cb(openssl_error_print_cb, NULL); ++#endif ++ return; ++} ++ + void + sshlogdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) +diff -up openssh-8.7p1/log.h.xxx openssh-8.7p1/log.h +--- openssh-8.7p1/log.h.xxx 2024-10-18 12:56:18.944971946 +0200 ++++ openssh-8.7p1/log.h 2024-10-18 13:03:38.324351416 +0200 +@@ -71,6 +71,7 @@ void cleanup_exit(int) __attribute__((n + void sshlog(const char *, const char *, int, int, + LogLevel, const char *, const char *, ...) + __attribute__((format(printf, 7, 8))); ++void sshlog_openssl(int); + void sshlogv(const char *, const char *, int, int, + LogLevel, const char *, const char *, va_list); + void sshsigdie(const char *, const char *, int, int, +diff -up openssh-8.7p1/auth2-pubkey.c.yyy openssh-8.7p1/auth2-pubkey.c +--- openssh-8.7p1/auth2-pubkey.c.yyy 2024-10-18 13:27:00.709055845 +0200 ++++ openssh-8.7p1/auth2-pubkey.c 2024-10-18 13:27:31.638784460 +0200 +@@ -131,6 +131,7 @@ userauth_pubkey(struct ssh *ssh) + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { ++ sshlog_openssl(r); + error_fr(r, "parse key"); + goto done; + } +diff -up openssh-8.7p1/dispatch.c.yyy openssh-8.7p1/dispatch.c +--- openssh-8.7p1/dispatch.c.yyy 2024-10-18 13:27:56.349366570 +0200 ++++ openssh-8.7p1/dispatch.c 2024-10-18 13:28:17.921874757 +0200 +@@ -130,6 +130,8 @@ ssh_dispatch_run_fatal(struct ssh *ssh, + { + int r; + +- if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) ++ if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) { ++ sshlog_openssl(r); + sshpkt_fatal(ssh, r, "%s", __func__); ++ } + } diff --git a/SOURCES/openssh-8.7p1-redhat-help.patch b/SOURCES/openssh-8.7p1-redhat-help.patch new file mode 100644 index 0000000..e71c824 --- /dev/null +++ b/SOURCES/openssh-8.7p1-redhat-help.patch @@ -0,0 +1,40 @@ +diff -up openssh-8.7p1/ssh.c.xxx openssh-8.7p1/ssh.c +--- openssh-8.7p1/ssh.c.xxx 2024-09-11 14:24:06.711088878 +0200 ++++ openssh-8.7p1/ssh.c 2024-09-11 14:35:12.883765718 +0200 +@@ -175,6 +175,16 @@ extern int muxserver_sock; + extern u_int muxclient_command; + + /* Prints a help message to the user. This function never returns. */ ++static void ++redhat_usage(void) ++{ ++ if(isatty(fileno(stderr))) { ++ fprintf(stderr, ++"\nYou can find some explanations for typical errors at this link:\n" ++" https://red.ht/support_rhel_ssh\n" ++ ); ++ } ++} + + static void + usage(void) +@@ -188,6 +196,7 @@ usage(void) + " [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n" + " [-w local_tun[:remote_tun]] destination [command]\n" + ); ++ redhat_usage(); + exit(255); + } + +@@ -1609,8 +1618,10 @@ main(int ac, char **av) + /* Open a connection to the remote host. */ + if (ssh_connect(ssh, host, host_arg, addrs, &hostaddr, options.port, + options.connection_attempts, +- &timeout_ms, options.tcp_keep_alive) != 0) ++ &timeout_ms, options.tcp_keep_alive) != 0) { ++ redhat_usage(); + exit(255); ++ } + + if (addrs != NULL) + freeaddrinfo(addrs); diff --git a/SOURCES/openssh-9.9p2-error_processing.patch b/SOURCES/openssh-9.9p2-error_processing.patch new file mode 100644 index 0000000..d42a370 --- /dev/null +++ b/SOURCES/openssh-9.9p2-error_processing.patch @@ -0,0 +1,69 @@ +diff --git a/krl.c b/krl.c +index e2efdf06..0d0f6953 100644 +--- a/krl.c ++++ b/krl.c +@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + if (rs->lo - bitmap_start > INT_MAX) { ++ r = SSH_ERR_INVALID_FORMAT; + error_f("insane bitmap gap"); + goto out; + } +@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp) + goto out; + + if ((krl = ssh_krl_init()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; + error_f("alloc failed"); + goto out; + } +diff --git a/sshconnect2.c b/sshconnect2.c +index a69c4da1..1ee6000a 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -99,7 +99,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); + if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, +- xxx_conn_info) == -1) ++ xxx_conn_info) != 0) + fatal("Host key verification failed."); + return 0; + } +@@ -699,6 +699,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + + if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { + debug_f("server sent unknown pkalg %s", pkalg); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { +@@ -709,6 +710,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + error("input_userauth_pk_ok: type mismatch " + "for decoded key (received %d, expected %d)", + key->type, pktype); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + +@@ -728,6 +730,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + SSH_FP_DEFAULT); + error_f("server replied with unknown key: %s %s", + sshkey_type(key), fp == NULL ? "" : fp); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + ident = format_identity(id); +diff --git a/sshsig.c b/sshsig.c +index 6e03c0b0..3da005d6 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -879,6 +879,7 @@ cert_filter_principals(const char *path, u_long linenum, + } + if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { + error_f("buffer error"); ++ r = SSH_ERR_ALLOC_FAIL; + goto out; + } + /* success */ diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index e69e53a..7fa9a25 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -47,7 +47,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 43 +%global openssh_rel 45 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -293,6 +293,13 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Patch1020: openssh-8.7p1-sigpipe.patch Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch +Patch1022: openssh-8.7p1-redhat-help.patch +Patch1023: openssh-8.7p1-openssl-log.patch +#upstream commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b +Patch1024: openssh-8.7p1-allow-duplicate-subsystem.patch +# upstream 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 +# upstream 0832aac79517611dd4de93ad0a83577994d9c907 +Patch1025: openssh-9.9p2-error_processing.patch License: BSD Requires: /sbin/nologin @@ -519,6 +526,10 @@ popd %patch1019 -p1 -b .cve-2023-51385 %patch1020 -p1 -b .earlypipe %patch1021 -p1 -b .cve-2024-6387 +%patch1022 -p1 -b .redhat-help +%patch1023 -p1 -b .openssl-log +%patch1024 -p1 -b .allow-dup-subsystem +%patch1025 -p1 -b .errcode_set autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -806,6 +817,20 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Tue Feb 18 2025 Dmitry Belyavskiy - 8.7p1-45 +- Fix missing error codes set and invalid error code checks in OpenSSH. It + prevents memory exhaustion attack and a MITM attack when VerifyHostKeyDNS + is on (CVE-2025-26465). + Resolves: RHEL-78700 + +* Mon Oct 21 2024 Dmitry Belyavskiy - 8.7p1-44 +- Add extra help information on ssh early failure + Resolves: RHEL-33809 +- Provide details on crypto error instead of "error in libcrypto" + Resolves: RHEL-52293 +- Allow duplicate Subsystem directive + Resolves: RHEL-47112 + * Tue Jul 09 2024 Dmitry Belyavskiy - 8.7p1-43 - Possible remote code execution due to a race condition (CVE-2024-6409) Resolves: RHEL-45741 From 631f195fc3d01ca7ce417d385fa99511d0f67a46 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 11 Nov 2025 15:54:09 +0000 Subject: [PATCH 5/5] import UBI openssh-8.7p1-46.el9 --- SOURCES/openssh-8.7p1-redhat-help.patch | 39 ++++++++++--------------- SPECS/openssh.spec | 6 +++- 2 files changed, 21 insertions(+), 24 deletions(-) diff --git a/SOURCES/openssh-8.7p1-redhat-help.patch b/SOURCES/openssh-8.7p1-redhat-help.patch index e71c824..0d1753b 100644 --- a/SOURCES/openssh-8.7p1-redhat-help.patch +++ b/SOURCES/openssh-8.7p1-redhat-help.patch @@ -1,38 +1,31 @@ -diff -up openssh-8.7p1/ssh.c.xxx openssh-8.7p1/ssh.c ---- openssh-8.7p1/ssh.c.xxx 2024-09-11 14:24:06.711088878 +0200 -+++ openssh-8.7p1/ssh.c 2024-09-11 14:35:12.883765718 +0200 -@@ -175,6 +175,16 @@ extern int muxserver_sock; +diff --color -ruNp a/ssh.c b/ssh.c +--- a/ssh.c 2025-07-21 16:24:30.348843762 +0200 ++++ b/ssh.c 2025-07-21 16:27:20.477953307 +0200 +@@ -174,6 +174,17 @@ static int forward_confirms_pending = -1 + extern int muxserver_sock; extern u_int muxclient_command; - /* Prints a help message to the user. This function never returns. */ +static void -+redhat_usage(void) ++redhat_help_message(void) +{ -+ if(isatty(fileno(stderr))) { -+ fprintf(stderr, -+"\nYou can find some explanations for typical errors at this link:\n" -+" https://red.ht/support_rhel_ssh\n" -+ ); -+ } ++ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1 && ++ isatty(fileno(stderr))) { ++ fprintf(stderr, ++"\nThe link below provides guidance on resolving common SSH errors:\n" ++" https://red.ht/support_rhel_ssh\n"); ++ } +} ++ + /* Prints a help message to the user. This function never returns. */ static void - usage(void) -@@ -188,6 +196,7 @@ usage(void) - " [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n" - " [-w local_tun[:remote_tun]] destination [command]\n" - ); -+ redhat_usage(); - exit(255); - } - -@@ -1609,8 +1618,10 @@ main(int ac, char **av) +@@ -1609,8 +1620,10 @@ main(int ac, char **av) /* Open a connection to the remote host. */ if (ssh_connect(ssh, host, host_arg, addrs, &hostaddr, options.port, options.connection_attempts, - &timeout_ms, options.tcp_keep_alive) != 0) + &timeout_ms, options.tcp_keep_alive) != 0) { -+ redhat_usage(); ++ redhat_help_message(); exit(255); + } diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 7fa9a25..4cb5799 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -47,7 +47,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 45 +%global openssh_rel 46 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -817,6 +817,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Jul 21 2025 Zoltan Fridrich - 8.7p1-46 +- Move the redhat help message to debug1 log level + Resolves: RHEL-104580 + * Tue Feb 18 2025 Dmitry Belyavskiy - 8.7p1-45 - Fix missing error codes set and invalid error code checks in OpenSSH. It prevents memory exhaustion attack and a MITM attack when VerifyHostKeyDNS