diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch
new file mode 100644
index 0000000..5632ba1
--- /dev/null
+++ b/openssh-9.3p1-upstream-cve-2023-38408.patch
@@ -0,0 +1,17 @@
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 6be647ec..ebddf6c3 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ error("dlopen %s failed: %s", provider_module, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+
+ p->module->handle = handle;
+ /* setup the pkcs11 callbacks */
diff --git a/openssh.spec b/openssh.spec
index cd44e45..a217196 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -66,7 +66,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 17
+%global openssh_rel 18
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
@@ -277,6 +277,9 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch
 Patch986: openssh-9.1p1-sshbanner.patch
 # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
 Patch987: openssh-8.0p1-ipv6-process.patch
+# upsream commit
+# b23fe83f06ee7e721033769cfa03ae840476d280
+Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 License: BSD
 Group: Applications/Internet
@@ -517,6 +520,8 @@ popd
 %patch100 -p1 -b .coverity
+%patch1015 -p1 -b .cve-2023-38408
+
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
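Review bot: In the ssh-pkcs11.c hunk carried by the new patch file, the `fatal()` runs only after `dlopen()` has already mapped `provider_module`, so it rejects a library that lacks `C_GetFunctionList` but cannot undo anything that library's load-time initialisers did; the hunk also keeps the `dlopen` failure path on `error()`/`goto fail` and shows no restriction on which module paths are accepted. The spec cites a single upstream commit for CVE-2023-38408, so it is worth confirming whether any further upstream changes for this CVE are needed on 8.0p1 or are carried elsewhere, and recording the scope next to Patch1015, e.g. `# Terminates the process when the loaded module is not a PKCS#11 provider; does not limit which modules are loaded`. Because `fatal()` ends whichever program links ssh-pkcs11.c, the 8.0p1 callers of `pkcs11_register_provider` should be checked for any that previously continued after this error. The function's body starts and ends outside the hunk, and the patch is named for 9.3p1, so the hunk presumably applies to the 8.0p1 tree with an offset.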
@@ -801,6 +806,10 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
+* Thu Jul 20 2023 Dmitry Belyavskiy - 8.0p1-18
+- Avoid remote code execution in ssh-agent PKCS#11 support
+ Resolves: CVE-2023-38408
+
 * Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17
 - Fix parsing of IPv6 IPs in sftp client (#2151334)
 - Avoid ssh banner one-byte overflow (#2138344)