Fix self-DoS

Resolves: CVE-2023-25136 Remove too aggressive coverity fix causing native tests failure
2023-04-13 18:14:19 +02:00 · 2023-04-13 18:14:19 +02:00 · 745da74ea2
commit 745da74ea2
parent d5591fb5ab
3 changed files with 50 additions and 34 deletions
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@ -28,36 +28,6 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
 	return 0;
 }
 
-diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity	2016-12-23 16:40:26.881788686 +0100
-+++ openssh-7.4p1/channels.c	2016-12-23 16:42:36.244818763 +0100
-@@ -3804,7 +3804,7 @@ int
- channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
- {
- 	int r, success = 0, idx = -1;
-	char *host_to_connect, *listen_host, *listen_path;
-+	char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
- 	int port_to_connect, listen_port;
- 
- 	/* Send the forward request to the remote side. */
-@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
- 	success = 1;
- 	if (success) {
- 		/* Record that connection to this host/port is permitted. */
-		host_to_connect = listen_host = listen_path = NULL;
- 		port_to_connect = listen_port = 0;
- 		if (fwd->connect_path != NULL) {
- 			host_to_connect = xstrdup(fwd->connect_path);
-@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
- 		    host_to_connect, port_to_connect,
- 		    listen_host, listen_path, listen_port, NULL);
- 	}
-+	free(host_to_connect);
-+	free(listen_host);
-+	free(listen_path);
- 	return idx;
- }
- 
 diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
 --- openssh-8.5p1/dns.c.coverity	2021-03-02 11:31:47.000000000 +0100
 +++ openssh-8.5p1/dns.c	2021-03-24 12:03:33.783968166 +0100
--- a/openssh-8.7p1-CVE-2023-25136.patch
+++ b/openssh-8.7p1-CVE-2023-25136.patch
@ -0,0 +1,38 @@
+diff --git a/compat.c b/compat.c
+index 46dfe3a9c2e..478a9403eea 100644
+--- a/compat.c
+++ b/compat.c
+@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
+-	char *cp = NULL;
+	char *cp = NULL, *cp2 = NULL;
+ 
+ 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+ 		return xstrdup(p);
+ 	debug2_f("original KEX proposal: %s", p);
+ 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+-		if ((p = match_filter_denylist(p,
+		if ((cp = match_filter_denylist(p,
+ 		    "curve25519-sha256@libssh.org")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+-		cp = p;
+-		if ((p = match_filter_denylist(p,
+		if ((cp2 = match_filter_denylist(cp ? cp : p,
+ 		    "diffie-hellman-group-exchange-sha256,"
+ 		    "diffie-hellman-group-exchange-sha1")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 		free(cp);
+		cp = cp2;
+ 	}
+-	debug2_f("compat KEX proposal: %s", p);
+-	if (*p == '\0')
+	if (cp == NULL || *cp == '\0')
+ 		fatal("No supported key exchange algorithms found");
+-	return p;
+	debug2_f("compat KEX proposal: %s", cp);
+	return cp;
+ }
+ 
--- a/openssh.spec
+++ b/openssh.spec
@ -47,14 +47,14 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 14
+%global openssh_rel 15
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 7
+%global pam_ssh_agent_rel 8

 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.2
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -241,6 +241,8 @@ Patch1007: openssh-configure-c99-1.patch
 Patch1008: openssh-configure-c99-2.patch
 Patch1009: openssh-configure-c99-3.patch

+Patch1010: openssh-8.7p1-CVE-2023-25136.patch
+
 # downstream only
 # we skip some ssh-rsa/ssh-dss tests to make native test suite pass
 #Patch1100: openssh-8.8p1-skip-some-tests.patch
@ -319,7 +321,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
 License: BSD

 %description
@ -450,6 +452,7 @@ popd
 %patch1007 -p1 -b .configure-c99-1
 %patch1008 -p1 -b .configure-c99-2
 %patch1009 -p1 -b .configure-c99-3
+%patch1010 -p1 -b .cve-2023-25136

 #%patch1100 -p1 -b .skipsshrsadsstests

@ -759,6 +762,11 @@ test -f %{sysconfig_anaconda} && \
 %endif

 %changelog
+* Thu Apr 13 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-15
+- Fix self-DoS
+  Resolves: CVE-2023-25136
+- Remove too aggressive coverity fix causing native tests failure
+
 * Wed Apr 12 2023 Florian Weimer <fweimer@redhat.com> - 9.0p1-14.2
 - C99 compatiblity fixes