Upstream fix for CVE-2021-41617

Resolves: rhbz#2008886
This commit is contained in:
Dmitry Belyavskiy 2021-10-01 13:25:56 +02:00
parent f32839a5e4
commit aa1b338db7
2 changed files with 33 additions and 1 deletions

View File

@ -0,0 +1,25 @@
diff --git a/misc.c b/misc.c
index b8d1040d..0134d694 100644
--- a/misc.c
+++ b/misc.c
@@ -56,6 +56,7 @@
#ifdef HAVE_PATHS_H
# include <paths.h>
#include <pwd.h>
+#include <grp.h>
#endif
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));

View File

@ -51,7 +51,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1 %global openssh_ver 8.7p1
%global openssh_rel 1 %global openssh_rel 2
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 4 %global pam_ssh_agent_rel 4
@ -197,6 +197,8 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch
Patch976: openssh-8.7p1-sftp-default-protocol.patch Patch976: openssh-8.7p1-sftp-default-protocol.patch
# Implement kill switch for SCP protocol # Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch Patch977: openssh-8.7p1-scp-kill-switch.patch
# CVE-2021-41617
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -374,6 +376,7 @@ popd
%patch975 -p1 -b .preserve-pam-errors %patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .sftp-by-default %patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp %patch977 -p1 -b .kill-scp
%patch978 -p1 -b .cve-2021-41617
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -658,6 +661,10 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Fri Oct 01 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-2
- Upstream fix for CVE-2021-41617
Related: rhbz#2008886
* Fri Sep 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-1 + 0.10.4-4 * Fri Sep 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-1 + 0.10.4-4
- New upstream release - New upstream release
- Switch to SFTP protocol in scp utility by default - Switch to SFTP protocol in scp utility by default