Providing a kill switch for scp to deal with CVE-2020-15778

Resolves: RHEL-22870
2024-02-06 12:32:38 +01:00 · 2024-02-06 12:32:38 +01:00 · 13cf39f11a
commit 13cf39f11a
parent ff2aae200d
2 changed files with 54 additions and 1 deletions
--- a/openssh-8.7p1-scp-kill-switch.patch
+++ b/openssh-8.7p1-scp-kill-switch.patch
@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp	2021-09-16 11:37:57.240171687 +0200
+++ openssh-8.7p1/pathnames.h	2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+ #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
+ #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI			SSHDIR "/moduli"
+#define _PATH_SCP_KILL_SWITCH		SSHDIR "/disable_scp"
+ 
+ #ifndef _PATH_SSH_PROGRAM
+ #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp	2021-09-16 12:09:02.646714578 +0200
+++ openssh-8.7p1/scp.1	2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
+ .El
+.Pp
+Usage of SCP protocol can be blocked by creating a world-readable
+.Ar /etc/ssh/disable_scp
+file. If this file exists, when SCP protocol is in use (either remotely or 
+via the
+.Fl O
+option), the program will exit.
+ .Sh EXIT STATUS
+ .Ex -std scp
+ .Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp	2021-09-16 11:42:56.013650519 +0200
+++ openssh-8.7p1/scp.c	2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+ 	argc -= optind;
+ 	argv += optind;
+ 
+	{
+		FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
+		if (f != NULL) {
+			fclose(f);
+			fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
+		}
+	}
+
+ 	if ((pwd = getpwuid(userid = getuid())) == NULL)
+ 		fatal("unknown user %u", (u_int) userid);
+ 
--- a/openssh.spec
+++ b/openssh.spec
@ -66,7 +66,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 23
+%global openssh_rel 24
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7

@ -290,6 +290,8 @@ Patch1017: openssh-9.4p2-limit-delay.patch
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+# SCP kill switch
+Patch1020: openssh-8.7p1-scp-kill-switch.patch

 License: BSD
 Group: Applications/Internet
@ -536,6 +538,7 @@ popd
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
+%patch1020 -p1 -b .scp-kill-switch

 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -821,6 +824,10 @@ getent passwd sshd >/dev/null || \
 %endif

 %changelog
+* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-24
+- Providing a kill switch for scp to deal with CVE-2020-15778
+  Resolves: RHEL-22870
+
 * Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-23
 - Fix Terrapin attack
  Resolves: RHEL-19308