Upstream fix for CVE-2021-41617

Resolves: rhbz#2008292
This commit is contained in:
Dmitry Belyavskiy 2021-09-29 13:39:26 +02:00
parent 72aea69dd8
commit c5e4c28ae1
2 changed files with 38 additions and 1 deletions

View File

@ -0,0 +1,31 @@
diff --git a/misc.c b/misc.c
index b8d1040d..0134d694 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -56,6 +56,7 @@
#ifdef HAVE_PATHS_H
# include <paths.h>
#include <pwd.h>
+#include <grp.h>
#endif
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));

View File

@ -51,7 +51,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1 %global openssh_ver 8.7p1
%global openssh_rel 2 %global openssh_rel 3
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 4 %global pam_ssh_agent_rel 4
@ -197,6 +197,8 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch
Patch976: openssh-8.7p1-sftp-default-protocol.patch Patch976: openssh-8.7p1-sftp-default-protocol.patch
# Implement kill switch for SCP protocol # Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch Patch977: openssh-8.7p1-scp-kill-switch.patch
# CVE-2021-41617
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -375,6 +377,7 @@ popd
%patch975 -p1 -b .preserve-pam-errors %patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .sftp-by-default %patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp %patch977 -p1 -b .kill-scp
%patch978 -p1 -b .cve-2021-41617
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -660,6 +663,9 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Wed Sep 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3
- CVE-2021-41617 fix (#2008292)
* Thu Sep 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-2 * Thu Sep 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-2
- Use SFTP protocol for scp by default (#2004956) - Use SFTP protocol for scp by default (#2004956)