| Message ID | 20240703121701.175028-1-jose.quaresma@foundries.io |
|---|---|
| State | Under Review |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [scarthgap] openssh: fix CVE-2024-6387 | expand |
On Wed, Jul 3, 2024 at 5:17 AM Jose Quaresma via lists.openembedded.org <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive). > Race condition resulting in potential remote code execution. > A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems. > This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config) > though this makes denial-of service against sshd(8) considerably easier. > For more information, please refer to the release notes [1] and the > report from the Qualys Security Advisory Team [2] who discovered the bug. > > [1] https://www.openssh.com/txt/release-9.8 > [2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt > > References: > https://www.openssh.com/security.html > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > --- > .../openssh/openssh/CVE-2024-6387.patch | 27 +++++++++++++++++++ > .../openssh/openssh_9.6p1.bb | 1 + > 2 files changed, 28 insertions(+) > create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > new file mode 100644 > index 0000000000..3e7c707100 > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > @@ -0,0 +1,27 @@ > +Description: fix signal handler race condition > +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > + > +CVE: CVE-2024-6387 > + > +Upstream-Status: Backport > +https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc Launchpad is not the upstream for openssh, please send a V2 that references the actual upstream commit. Thanks! Steve > + > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > + > +--- a/log.c > ++++ b/log.c > +@@ -452,12 +452,14 @@ void > + sshsigdie(const char *file, const char *func, int line, int showfunc, > + LogLevel level, const char *suffix, const char *fmt, ...) > + { > ++#if 0 > + va_list args; > + > + va_start(args, fmt); > + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > + suffix, fmt, args); > + va_end(args); > ++#endif > + _exit(1); > + } > + > diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > index d941664b41..3cdf0327b0 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > @@ -27,6 +27,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://add-test-support-for-busybox.patch \ > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > + file://CVE-2024-6387.patch \ > " > SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" > > -- > 2.45.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#201470): https://lists.openembedded.org/g/openembedded-core/message/201470 > Mute This Topic: https://lists.openembedded.org/mt/107018061/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Steve Sakoman <steve@sakoman.com> escreveu (quarta, 3/07/2024 à(s) 14:37): > On Wed, Jul 3, 2024 at 5:17 AM Jose Quaresma via > lists.openembedded.org > <quaresma.jose=gmail.com@lists.openembedded.org> wrote: > > > > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive). > > Race condition resulting in potential remote code execution. > > A race condition in sshd(8) could allow remote code execution as root on > non-OpenBSD systems. > > This attack could be prevented by disabling the login grace timeout > (LoginGraceTime=0 in sshd_config) > > though this makes denial-of service against sshd(8) considerably easier. > > For more information, please refer to the release notes [1] and the > > report from the Qualys Security Advisory Team [2] who discovered the bug. > > > > [1] https://www.openssh.com/txt/release-9.8 > > [2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt > > > > References: > > https://www.openssh.com/security.html > > > > Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > --- > > .../openssh/openssh/CVE-2024-6387.patch | 27 +++++++++++++++++++ > > .../openssh/openssh_9.6p1.bb | 1 + > > 2 files changed, 28 insertions(+) > > create mode 100644 > meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > > > diff --git > a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > new file mode 100644 > > index 0000000000..3e7c707100 > > --- /dev/null > > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch > > @@ -0,0 +1,27 @@ > > +Description: fix signal handler race condition > > +Bug-Ubuntu: > https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 > > + > > +CVE: CVE-2024-6387 > > + > > +Upstream-Status: Backport > > + > https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc > > Launchpad is not the upstream for openssh, please send a V2 that > references the actual upstream commit. > A similar question was made for the kirkstone version on https://lists.openembedded.org/g/openembedded-core/message/201441 As I responded yesterday, this patch uses the suggested fix of the regression report. I can remove the Backport from the Upstream-Status but I don't know what to put in this case. For not using this fix and using the one mentioned, I need more time to analyze. https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47 Jose > > Thanks! > > Steve > > > + > > +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> > > + > > +--- a/log.c > > ++++ b/log.c > > +@@ -452,12 +452,14 @@ void > > + sshsigdie(const char *file, const char *func, int line, int showfunc, > > + LogLevel level, const char *suffix, const char *fmt, ...) > > + { > > ++#if 0 > > + va_list args; > > + > > + va_start(args, fmt); > > + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, > > + suffix, fmt, args); > > + va_end(args); > > ++#endif > > + _exit(1); > > + } > > + > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > > index d941664b41..3cdf0327b0 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > > +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > > @@ -27,6 +27,7 @@ SRC_URI = " > http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > > file://add-test-support-for-busybox.patch \ > > > file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ > > > file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ > > + file://CVE-2024-6387.patch \ > > " > > SRC_URI[sha256sum] = > "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" > > > > -- > > 2.45.2 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#201470): > https://lists.openembedded.org/g/openembedded-core/message/201470 > > Mute This Topic: https://lists.openembedded.org/mt/107018061/3620601 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > steve@sakoman.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch new file mode 100644 index 0000000000..3e7c707100 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch @@ -0,0 +1,27 @@ +Description: fix signal handler race condition +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497 + +CVE: CVE-2024-6387 + +Upstream-Status: Backport +https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc + +Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> + +--- a/log.c ++++ b/log.c +@@ -452,12 +452,14 @@ void + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index d941664b41..3cdf0327b0 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb @@ -27,6 +27,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://add-test-support-for-busybox.patch \ file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ + file://CVE-2024-6387.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive). Race condition resulting in potential remote code execution. A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems. This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config) though this makes denial-of service against sshd(8) considerably easier. For more information, please refer to the release notes [1] and the report from the Qualys Security Advisory Team [2] who discovered the bug. [1] https://www.openssh.com/txt/release-9.8 [2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt References: https://www.openssh.com/security.html Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> --- .../openssh/openssh/CVE-2024-6387.patch | 27 +++++++++++++++++++ .../openssh/openssh_9.6p1.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch