[kirkstone] openssh: fix CVE-2023-28531

Message ID	20230328084141.49802-1-Qi.Chen@windriver.com
State	New, archived
Headers	show Return-Path: <Qi.Chen@windriver.com> ip: 205.220.166.238, mailfrom: prvs=24515f2299=qi.chen@windriver.com) From: Chen Qi <Qi.Chen@windriver.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone][PATCH] openssh: fix CVE-2023-28531 Date: Tue, 28 Mar 2023 01:41:41 -0700 Message-Id: <20230328084141.49802-1-Qi.Chen@windriver.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0
Series	[kirkstone] openssh: fix CVE-2023-28531 \| expand [kirkstone] openssh: fix CVE-2023-28531

Message ID

20230328084141.49802-1-Qi.Chen@windriver.com

State

New, archived

Headers

From: Chen Qi <Qi.Chen@windriver.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone][PATCH] openssh: fix CVE-2023-28531
Date: Tue, 28 Mar 2023 01:41:41 -0700
Message-Id: <20230328084141.49802-1-Qi.Chen@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 0Z6xORbccKjxv97iyihH9EGFzFnEyy7G4GsqCnxBDf5ThJXCesswg96x05Grvp5wHCkUBHY1RVix9tJliZlkdFoIGS2bPGpFW7Ls92jjpqtjuIL9wJ5D3OZ+j2v82e+oNwiA5XYIWWzQpmha8Wz3XTKp0REbslhDNnGhMe61vvZo4cIgXVYLV16NSIPAWMOR5pqtn5IQVFzGN4VzJWfJq+GeyElVJMhnv0xGp6LbfI+SMUyw/rU7RaCbkvlNX7vYeuhOcVG38YQfooiWFMfsQau9nly7mI3+hxh4oLPTYric0qZBSVfqrAe0C1fOwxgy9Dmvz/LVPOyo6hZxXX4ZeUanBSNw57BAq3aEGsNKqVE8MGxSMFvPkUhskJfHWv6U4UBipbC6UTcGP97cklqxCZxRLYKL9frUxelz/6rL2B+Uoz+4k7pTl21FtU5LkN0btuTAZBTlZ0nM6lgqhJysgUhacNLow5yQg88WQ+o5N/IFdmM5xahnz3kgMl+6RZ7lFUJzXXObMEsWr41fYEIoZ4gbO9zNxYg7QygrE2pKYTXsQGBO0QPm9bXxpLj6UAGo9M+zmybX9k6zZTXIk1mi9k1QgWsStVKR2kKPGXtHLRC5zfn/ZFi31aYzkhYejhGYSVPbIRwwDDEv3kNSMkDTZChwbn8UFv9ffmgBEmCvbUdvaZTy1G5I5N5LzFVXYssMICD5N7T4KP8LrBETZqxlqnePKir06aDgK2egCyD/K2nIxV/poNnh7WEMi6hVKZSWzj+HDmQuiV6f/+HwM2BwZTXbJuHtHyezslKjEucPaB3HdwjggbjHgzLzB1xokl3oTRGKrFOqNwCZpvj3f6AbWSCeKvamfNIQp6abwSls/KeGzLFEpo6r4GaKR5nNCCFyoRby9E/OBPVuTTDWWDoIDLiYAnF2ea4cvpYvb+uRDR+WGveKNUVRQaW5tZmfhmGZ8wvr0oTj3/W39j8SFNcTech6j9mVK5oYyP1egCjaGMAdgGHn8+/SXbcdnAj8w7ddYeDkmT/MjSDhETLJSfyCCajv1oj5oZ71IE0MTqMa76vd+KN6l8s6k0QD6ae9V7rDfFTqYfRAyFe2kRJkNszrw+Jo2I8vxW7x0hGHUoMTaleD76GaCo4WD+oJGwM5S0rqPPsDkFKSK+sFj0HCua3XosAfmvDb2zofXyayzLx8/eZMFIMn7rf4U+tRgpLK/pLOE+2jbR1G3g9fzU8aRqf/dlF+MPhV3GTyCLOARz4AWILHPab/0qErgI73rRF34H1is/O/tQZgMK406tkQteimr4MhO/BSTaYaJBqi9USi7t9b34+kz49QF3whHbD1dV1an3hu/8ICne8XQESquKDaoB3qPOjVIPTt63in6TRpBgvOlDlHE/rhvHscU1EMuwD0ybTg1HCErxO/oDn50il9g9Xlh3ry/0el63C4h7ZeuLkKXhOQaWsgyGk/yrpNAipdcs4wESDrv/XaPLpmPb2CpIF9WXHmciPFQQoH6SPbTnurrcfigw5kAnUN/oLvzZhalBXPgwoTTJoTvXp+MpQLG+kf2Xe51ECWtK/KLC0o2twMsPQdW9Gy6JmLwwwCSE6umuYimuHgCKwjjoh38EFyxA==
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 afd98772-d084-4ce7-eaee-08db2f684772
X-MS-Exchange-CrossTenant-AuthSource: CO6PR11MB5602.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Mar 2023 08:41:52.6127
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 3NszlDNWeZ2aMyM5gMSu3TG7YEPkPtXeLK3Y1yHiqGhQjhsOPL3smAAF3tThzBEqVLFM1wPU2DgTR2THCi3rFw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB6501
X-Proofpoint-GUID: pW0KAjGSA-x1zSSryrpnnISNiWuthM7m
X-Proofpoint-ORIG-GUID: pW0KAjGSA-x1zSSryrpnnISNiWuthM7m
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
 definitions=2023-03-24_11,2023-03-27_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 suspectscore=0 malwarescore=0
 adultscore=0 clxscore=1015 mlxlogscore=999 bulkscore=0 spamscore=0
 impostorscore=0 phishscore=0 mlxscore=0 priorityscore=1501
 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2303200000 definitions=main-2303280072
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 28 Mar 2023 08:42:05 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/179213

Series

[kirkstone] openssh: fix CVE-2023-28531 | expand

Commit Message

ChenQi March 28, 2023, 8:41 a.m. UTC

Backport patch to fix CVE-2023-28531.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch

Comments

Ricardo Salveti June 13, 2023, 1:59 a.m. UTC | #1

Hi,

Was looking if CVE-2023-28531 was backported to kirkstone already and
noticed this patch was already proposed before, but not
merged/accepted.

Since it showed up once in the metrics report, was it decided to be
ignored in the end (but then I wasn't able to find it defined in
CVE_CHECK_IGNORE)?

Thanks,

Ricardo

On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <Qi.Chen@windriver.com> wrote:
>
> Backport patch to fix CVE-2023-28531.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
>  .../openssh/openssh_8.9p1.bb                  |  1 +
>  2 files changed, 36 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> new file mode 100644
> index 0000000000..b4e7ce7ef6
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> @@ -0,0 +1,35 @@
> +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Thu, 9 Mar 2023 06:58:26 +0000
> +Subject: [PATCH] upstream: include destination constraints for smartcard keys
> + too.
> +
> +Spotted by Luci Stanescu; ok deraadt@ markus@
> +
> +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
> +
> +CVE: CVE-2023-28531
> +
> +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + authfd.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/authfd.c b/authfd.c
> +index 76e48aab..dca8e55b 100644
> +--- a/authfd.c
> ++++ b/authfd.c
> +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
> +     struct dest_constraint **dest_constraints, size_t ndest_constraints)
> + {
> +       struct sshbuf *msg;
> +-      int r, constrained = (life || confirm);
> ++      int r, constrained = (life || confirm || dest_constraints);
> +       u_char type;
> +
> +       if (add) {
> +--
> +2.37.1
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> index 6057d055f4..d81072537c 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://add-test-support-for-busybox.patch \
>             file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
>             file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
> +           file://0001-upstream-include-destination-constraints-for-smartca.patch \
>             "
>  SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
>
> --
> 2.37.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179213): https://lists.openembedded.org/g/openembedded-core/message/179213
> Mute This Topic: https://lists.openembedded.org/mt/97901027/3616986
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ricardo@foundries.io]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Steve Sakoman June 13, 2023, 3:08 a.m. UTC | #2

On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <ricardo@foundries.io> wrote:
>
> Hi,
>
> Was looking if CVE-2023-28531 was backported to kirkstone already and
> noticed this patch was already proposed before, but not
> merged/accepted.

Sigh, it looks like I somehow missed this one and no one followed up on it :-(

I've got it in my test queue now.

Thanks for letting me know!

Steve

> Since it showed up once in the metrics report, was it decided to be
> ignored in the end (but then I wasn't able to find it defined in
> CVE_CHECK_IGNORE)?
>
> Thanks,
>
> Ricardo
>
> On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <Qi.Chen@windriver.com> wrote:
> >
> > Backport patch to fix CVE-2023-28531.
> >
> > Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> > ---
> >  ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
> >  .../openssh/openssh_8.9p1.bb                  |  1 +
> >  2 files changed, 36 insertions(+)
> >  create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> > new file mode 100644
> > index 0000000000..b4e7ce7ef6
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> > @@ -0,0 +1,35 @@
> > +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
> > +From: "djm@openbsd.org" <djm@openbsd.org>
> > +Date: Thu, 9 Mar 2023 06:58:26 +0000
> > +Subject: [PATCH] upstream: include destination constraints for smartcard keys
> > + too.
> > +
> > +Spotted by Luci Stanescu; ok deraadt@ markus@
> > +
> > +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
> > +
> > +CVE: CVE-2023-28531
> > +
> > +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
> > +
> > +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> > +---
> > + authfd.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/authfd.c b/authfd.c
> > +index 76e48aab..dca8e55b 100644
> > +--- a/authfd.c
> > ++++ b/authfd.c
> > +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
> > +     struct dest_constraint **dest_constraints, size_t ndest_constraints)
> > + {
> > +       struct sshbuf *msg;
> > +-      int r, constrained = (life || confirm);
> > ++      int r, constrained = (life || confirm || dest_constraints);
> > +       u_char type;
> > +
> > +       if (add) {
> > +--
> > +2.37.1
> > +
> > diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > index 6057d055f4..d81072537c 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> >             file://add-test-support-for-busybox.patch \
> >             file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
> >             file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
> > +           file://0001-upstream-include-destination-constraints-for-smartca.patch \
> >             "
> >  SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
> >
> > --
> > 2.37.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#179213): https://lists.openembedded.org/g/openembedded-core/message/179213
> > Mute This Topic: https://lists.openembedded.org/mt/97901027/3616986
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ricardo@foundries.io]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
> --
> Ricardo Salveti

Ricardo Salveti June 13, 2023, 3:11 p.m. UTC | #3

On Tue, Jun 13, 2023 at 12:08 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <ricardo@foundries.io> wrote:
> >
> > Hi,
> >
> > Was looking if CVE-2023-28531 was backported to kirkstone already and
> > noticed this patch was already proposed before, but not
> > merged/accepted.
>
> Sigh, it looks like I somehow missed this one and no one followed up on it :-(
>
> I've got it in my test queue now.
>
> Thanks for letting me know!

Awesome, thanks!

diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
new file mode 100644
index 0000000000..b4e7ce7ef6
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
@@ -0,0 +1,35 @@ 
+From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 9 Mar 2023 06:58:26 +0000
+Subject: [PATCH] upstream: include destination constraints for smartcard keys
+ too.
+
+Spotted by Luci Stanescu; ok deraadt@ markus@
+
+OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
+
+CVE: CVE-2023-28531
+
+Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ authfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/authfd.c b/authfd.c
+index 76e48aab..dca8e55b 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
+     struct dest_constraint **dest_constraints, size_t ndest_constraints)
+ {
+ 	struct sshbuf *msg;
+-	int r, constrained = (life || confirm);
++	int r, constrained = (life || confirm || dest_constraints);
+ 	u_char type;
+ 
+ 	if (add) {
+-- 
+2.37.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 6057d055f4..d81072537c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -26,6 +26,7 @@  SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://add-test-support-for-busybox.patch \
            file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
            file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
+           file://0001-upstream-include-destination-constraints-for-smartca.patch \
            "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"

[kirkstone] openssh: fix CVE-2023-28531

Commit Message

Comments

Patch