From 13cf39f11abe142d38a9fa9315f64e2d60a3801a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 6 Feb 2024 12:32:38 +0100
Subject: [PATCH] Providing a kill switch for scp to deal with CVE-2020-15778

Resolves: RHEL-22870
---
 openssh-8.7p1-scp-kill-switch.patch | 46 +++++++++++++++++++++++++++++
 openssh.spec                        |  9 +++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 openssh-8.7p1-scp-kill-switch.patch

diff --git a/openssh-8.7p1-scp-kill-switch.patch b/openssh-8.7p1-scp-kill-switch.patch
new file mode 100644
index 0000000..cbfbf56
--- /dev/null
+++ b/openssh-8.7p1-scp-kill-switch.patch
@@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp	2021-09-16 11:37:57.240171687 +0200
++++ openssh-8.7p1/pathnames.h	2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+ #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
+ #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI			SSHDIR "/moduli"
++#define _PATH_SCP_KILL_SWITCH		SSHDIR "/disable_scp"
+ 
+ #ifndef _PATH_SSH_PROGRAM
+ #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp	2021-09-16 12:09:02.646714578 +0200
++++ openssh-8.7p1/scp.1	2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
+ .El
++.Pp
++Usage of SCP protocol can be blocked by creating a world-readable
++.Ar /etc/ssh/disable_scp
++file. If this file exists, when SCP protocol is in use (either remotely or 
++via the
++.Fl O
++option), the program will exit.
+ .Sh EXIT STATUS
+ .Ex -std scp
+ .Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp	2021-09-16 11:42:56.013650519 +0200
++++ openssh-8.7p1/scp.c	2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+ 	argc -= optind;
+ 	argv += optind;
+ 
++	{
++		FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
++		if (f != NULL) {
++			fclose(f);
++			fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
++		}
++	}
++
+ 	if ((pwd = getpwuid(userid = getuid())) == NULL)
+ 		fatal("unknown user %u", (u_int) userid);
+ 
diff --git a/openssh.spec b/openssh.spec
index 70874e5..0889e50 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -66,7 +66,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 23
+%global openssh_rel 24
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
@@ -290,6 +290,8 @@ Patch1017: openssh-9.4p2-limit-delay.patch
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+# SCP kill switch
+Patch1020: openssh-8.7p1-scp-kill-switch.patch
 
 License: BSD
 Group: Applications/Internet
@@ -536,6 +538,7 @@ popd
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
+%patch1020 -p1 -b .scp-kill-switch
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -821,6 +824,10 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-24
+- Providing a kill switch for scp to deal with CVE-2020-15778
+  Resolves: RHEL-22870
+
 * Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-23
 - Fix Terrapin attack
   Resolves: RHEL-19308