Message ID | 20230328084141.49802-1-Qi.Chen@windriver.com |
---|---|
State | New, archived |
Series | [kirkstone] openssh: fix CVE-2023-28531 |
Hi, Was looking if CVE-2023-28531 was backported to kirkstone already and noticed this patch was already proposed before, but not merged/accepted. Since it showed up once in the metrics report, was it decided to be ignored in the end (but then I wasn't able to find it defined in CVE_CHECK_IGNORE)? Thanks, Ricardo On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <Qi.Chen@windriver.com> wrote: > > Backport patch to fix CVE-2023-28531. > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > --- > ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++ > .../openssh/openssh_8.9p1.bb | 1 + > 2 files changed, 36 insertions(+) > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > new file mode 100644 > index 0000000000..b4e7ce7ef6 > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch 
> @@ -0,0 +1,35 @@ > +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001 > +From: "djm@openbsd.org" <djm@openbsd.org> > +Date: Thu, 9 Mar 2023 06:58:26 +0000 > +Subject: [PATCH] upstream: include destination constraints for smartcard keys > + too. > + > +Spotted by Luci Stanescu; ok deraadt@ markus@ > + > +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f > + > +CVE: CVE-2023-28531 > + > +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed] > + > +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > +--- > + authfd.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/authfd.c b/authfd.c > +index 76e48aab..dca8e55b 100644 > +--- a/authfd.c > ++++ b/authfd.c > +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, > + struct dest_constraint **dest_constraints, size_t ndest_constraints) > + { > + struct sshbuf *msg; > +- int r, constrained = (life || confirm); > ++ int r, constrained = (life || confirm || dest_constraints); > + u_char type; > + > + if (add) { > +-- > +2.37.1 > + > diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > index 6057d055f4..d81072537c 100644 > --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://add-test-support-for-busybox.patch \ > file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \ > file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \ > + file://0001-upstream-include-destination-constraints-for-smartca.patch \ > " > SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7" > > -- > 2.37.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#179213): https://lists.openembedded.org/g/openembedded-core/message/179213 > Mute This Topic: https://lists.openembedded.org/mt/97901027/3616986 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ricardo@foundries.io] > -=-=-=-=-=-=-=-=-=-=-=- >
On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <ricardo@foundries.io> wrote: > > Hi, > > Was looking if CVE-2023-28531 was backported to kirkstone already and > noticed this patch was already proposed before, but not > merged/accepted. Sigh, it looks like I somehow missed this one and no one followed up on it :-( I've got it in my test queue now. Thanks for letting me know! Steve > Since it showed up once in the metrics report, was it decided to be > ignored in the end (but then I wasn't able to find it defined in > CVE_CHECK_IGNORE)? > > Thanks, > > Ricardo > > On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <Qi.Chen@windriver.com> wrote: > > > > Backport patch to fix CVE-2023-28531. > > > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > > --- > > ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++ > > .../openssh/openssh_8.9p1.bb | 1 + > > 2 files changed, 36 insertions(+) > > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > > > > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch > > new file mode 100644 > > index 0000000000..b4e7ce7ef6 > > --- /dev/null > > +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch 
> > @@ -0,0 +1,35 @@ > > +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001 > > +From: "djm@openbsd.org" <djm@openbsd.org> > > +Date: Thu, 9 Mar 2023 06:58:26 +0000 > > +Subject: [PATCH] upstream: include destination constraints for smartcard keys > > + too. > > + > > +Spotted by Luci Stanescu; ok deraadt@ markus@ > > + > > +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f > > + > > +CVE: CVE-2023-28531 > > + > > +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed] > > + > > +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > > +--- > > + authfd.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/authfd.c b/authfd.c > > +index 76e48aab..dca8e55b 100644 > > +--- a/authfd.c > > ++++ b/authfd.c > > +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, > > + struct dest_constraint **dest_constraints, size_t ndest_constraints) > > + { > > + struct sshbuf *msg; > > +- int r, constrained = (life || confirm); > > ++ int r, constrained = (life || confirm || dest_constraints); > > + u_char type; > > + > > + if (add) { > > +-- > > +2.37.1 > > + > > diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > > index 6057d055f4..d81072537c 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb > > +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
> > @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > > file://add-test-support-for-busybox.patch \ > > file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \ > > file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \ > > + file://0001-upstream-include-destination-constraints-for-smartca.patch \ > > " > > SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7" > > > > -- > > 2.37.1 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#179213): https://lists.openembedded.org/g/openembedded-core/message/179213 > > Mute This Topic: https://lists.openembedded.org/mt/97901027/3616986 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ricardo@foundries.io] > > -=-=-=-=-=-=-=-=-=-=-=- > > > > > -- > Ricardo Salveti
On Tue, Jun 13, 2023 at 12:08 AM Steve Sakoman <steve@sakoman.com> wrote: > > On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <ricardo@foundries.io> wrote: > > > > Hi, > > > > Was looking if CVE-2023-28531 was backported to kirkstone already and > > noticed this patch was already proposed before, but not > > merged/accepted. > > Sigh, it looks like I somehow missed this one and no one followed up on it :-( > > I've got it in my test queue now. > > Thanks for letting me know! Awesome, thanks!
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch new file mode 100644 index 0000000000..b4e7ce7ef6 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch @@ -0,0 +1,35 @@ +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 9 Mar 2023 06:58:26 +0000 +Subject: [PATCH] upstream: include destination constraints for smartcard keys + too. + +Spotted by Luci Stanescu; ok deraadt@ markus@ + +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f + +CVE: CVE-2023-28531 + +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + authfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/authfd.c b/authfd.c +index 76e48aab..dca8e55b 100644 +--- a/authfd.c ++++ b/authfd.c +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, + struct dest_constraint **dest_constraints, size_t ndest_constraints) + { + struct sshbuf *msg; +- int r, constrained = (life || confirm); ++ int r, constrained = (life || confirm || dest_constraints); + u_char type; + + if (add) { +-- +2.37.1 + diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index 6057d055f4..d81072537c 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://add-test-support-for-busybox.patch \ file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \ file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \ + file://0001-upstream-include-destination-constraints-for-smartca.patch \ " SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
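Review bot: in the authfd.c hunk, `constrained = (life || confirm || dest_constraints)` tests the `dest_constraints` pointer rather than `ndest_constraints`, which mirrors the cited upstream commit exactly and is the right choice for a 1:1 backport; with the previous expression `(life || confirm)`, a call that supplied only destination constraints left `constrained` false. The patch header already carries what the OE CVE tooling needs (`CVE: CVE-2023-28531` together with `Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]`), so no change is needed there; one suggestion is to add a sentence to the header saying what the flag controls for 8.9p1 users, since the one-line upstream subject "include destination constraints for smartcard keys too" is the only explanation given.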
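Review bot: the new `file://0001-upstream-include-destination-constraints-for-smartca.patch \` entry is appended after the existing `0001-Default-to-not-using-sandbox-when-cross-compiling.patch` line, keeping the list order, and `SRC_URI[sha256sum]` is rightly left untouched since the tarball itself does not change. Style point: the recipe now carries two patches with the `0001-` prefix; many CVE backports in oe-core are named after the CVE (for example `CVE-2023-28531.patch`), which makes the fix easier to locate later and avoids the clashing prefix, so consider renaming the file and this SRC_URI entry together.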
Backport patch to fix CVE-2023-28531.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch