From 745da74ea2771ceb4b4aacb406cc248f609ded31 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 13 Apr 2023 18:14:19 +0200 Subject: [PATCH] Fix self-DoS Resolves: CVE-2023-25136 Remove too aggressive coverity fix causing native tests failure --- openssh-6.7p1-coverity.patch | 30 ----------------------- openssh-8.7p1-CVE-2023-25136.patch | 38 ++++++++++++++++++++++++++++++ openssh.spec | 16 +++++++++---- 3 files changed, 50 insertions(+), 34 deletions(-) create mode 100644 openssh-8.7p1-CVE-2023-25136.patch diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 1923ac8..08d6b99 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -28,36 +28,6 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c return 0; } -diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c ---- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 -+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 -@@ -3804,7 +3804,7 @@ int - channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) - { - int r, success = 0, idx = -1; -- char *host_to_connect, *listen_host, *listen_path; -+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL; - int port_to_connect, listen_port; - - /* Send the forward request to the remote side. */ -@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct - success = 1; - if (success) { - /* Record that connection to this host/port is permitted. */ -- host_to_connect = listen_host = listen_path = NULL; - port_to_connect = listen_port = 0; - if (fwd->connect_path != NULL) { - host_to_connect = xstrdup(fwd->connect_path); -@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct - host_to_connect, port_to_connect, - listen_host, listen_path, listen_port, NULL); - } -+ free(host_to_connect); -+ free(listen_host); -+ free(listen_path); - return idx; - } - diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c --- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 diff --git a/openssh-8.7p1-CVE-2023-25136.patch b/openssh-8.7p1-CVE-2023-25136.patch new file mode 100644 index 0000000..ca661ee --- /dev/null +++ b/openssh-8.7p1-CVE-2023-25136.patch @@ -0,0 +1,38 @@ +diff --git a/compat.c b/compat.c +index 46dfe3a9c2e..478a9403eea 100644 +--- a/compat.c ++++ b/compat.c +@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { +- char *cp = NULL; ++ char *cp = NULL, *cp2 = NULL; + + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) + return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) +- if ((p = match_filter_denylist(p, ++ if ((cp = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { +- cp = p; +- if ((p = match_filter_denylist(p, ++ if ((cp2 = match_filter_denylist(cp ? cp : p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); + free(cp); ++ cp = cp2; + } +- debug2_f("compat KEX proposal: %s", p); +- if (*p == '\0') ++ if (cp == NULL || *cp == '\0') + fatal("No supported key exchange algorithms found"); +- return p; ++ debug2_f("compat KEX proposal: %s", cp); ++ return cp; + } + diff --git a/openssh.spec b/openssh.spec index b483c3e..2d72e88 100644 --- a/openssh.spec +++ b/openssh.spec @@ -47,14 +47,14 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 9.0p1 -%global openssh_rel 14 +%global openssh_rel 15 %global pam_ssh_agent_ver 0.10.4 -%global pam_ssh_agent_rel 7 +%global pam_ssh_agent_rel 8 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}.2 +Release: %{openssh_rel}%{?dist} URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -241,6 +241,8 @@ Patch1007: openssh-configure-c99-1.patch Patch1008: openssh-configure-c99-2.patch Patch1009: openssh-configure-c99-3.patch +Patch1010: openssh-8.7p1-CVE-2023-25136.patch + # downstream only # we skip some ssh-rsa/ssh-dss tests to make native test suite pass #Patch1100: openssh-8.8p1-skip-some-tests.patch @@ -319,7 +321,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist} License: BSD %description @@ -450,6 +452,7 @@ popd %patch1007 -p1 -b .configure-c99-1 %patch1008 -p1 -b .configure-c99-2 %patch1009 -p1 -b .configure-c99-3 +%patch1010 -p1 -b .cve-2023-25136 #%patch1100 -p1 -b .skipsshrsadsstests @@ -759,6 +762,11 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Apr 13 2023 Dmitry Belyavskiy - 9.0p1-15 +- Fix self-DoS + Resolves: CVE-2023-25136 +- Remove too aggressive coverity fix causing native tests failure + * Wed Apr 12 2023 Florian Weimer - 9.0p1-14.2 - C99 compatiblity fixes