Re: [OE-core] [poky][dunfell][PATCHv2] openssh: fix CVE-2020-14145

Steve Sakoman Wed, 31 Mar 2021 11:01:50 -0700

V2 also fails to build:

ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt --quiltrc
/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0  Output:
Applying patch CVE-2020-14145.patch
patching file sshconnect2.c
Hunk #1 FAILED at 102.
Hunk #2 FAILED at 119.
Hunk #3 FAILED at 159.
3 out of 3 hunks FAILED -- rejects in file sshconnect2.c
Patch CVE-2020-14145.patch does not apply (enforce with -f)


Before submitting please verify that your patches both apply to the
head of the dunfell branch, and build as well!

Steve


On Wed, Mar 31, 2021 at 7:21 AM Sana Kazi <sana.k...@kpit.com> wrote:
>
> From: Lee Chee Yang <chee.yang....@intel.com>
>
> (From OE-Core rev: 38482edf1a31ed0735b746cf0ab3e1adda4199d1)
>
> Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
> Signed-off-by: Anuj Mittal <anuj.mit...@intel.com>
> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
> Signed-off-by: Sana Kazi <sana.k...@kpit.com>
> ---
>  .../openssh/openssh/CVE-2020-14145.patch      | 90 +++++++++++++++++++
>  .../openssh/openssh_8.2p1.bb                  |  1 +
>  2 files changed, 91 insertions(+)
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch 
> b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> new file mode 100644
> index 0000000000..0046ee1a51
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> @@ -0,0 +1,90 @@
> +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
> +From: "d...@openbsd.org" <d...@openbsd.org>
> +Date: Fri, 18 Sep 2020 05:23:03 +0000
> +Subject: [PATCH] upstream: tweak the client hostkey preference ordering
> + algorithm to
> +
> +prefer the default ordering if the user has a key that matches the
> +best-preference default algorithm.
> +
> +feedback and ok markus@
> +
> +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
> +
> +Upstream-Status: Backport
> +[https://github.com/openssh/openssh-portable/commit/b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
> +CVE: CVE-2020-14145
> +Signed-off-by: Chee Yang Lee <chee.yang....@intel.com>
> +
> +---
> + sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
> + 1 file changed, 37 insertions(+), 2 deletions(-)
> +
> +diff --git a/sshconnect2.c b/sshconnect2.c
> +index 347e348c60..f64aae66af 100644
> +--- a/sshconnect2.c
> ++++ b/sshconnect2.c
> +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, 
> struct ssh *ssh)
> +       return 0;
> + }
> +
> ++/* Returns the first item from a comma-separated algorithm list */
> ++static char *
> ++first_alg(const char *algs)
> ++{
> ++      char *ret, *cp;
> ++
> ++      ret = xstrdup(algs);
> ++      if ((cp = strchr(ret, ',')) != NULL)
> ++              *cp = '\0';
> ++      return ret;
> ++}
> ++
> + static char *
> + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> + {
> +-      char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
> ++      char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
> ++      char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
> +       size_t maxlen;
> +-      struct hostkeys *hostkeys;
> ++      struct hostkeys *hostkeys = NULL;
> +       int ktype;
> +       u_int i;
> +
> +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr 
> *hostaddr, u_short port)
> +       for (i = 0; i < options.num_system_hostfiles; i++)
> +               load_hostkeys(hostkeys, hostname, 
> options.system_hostfiles[i]);
> +
> ++      /*
> ++       * If a plain public key exists that matches the type of the best
> ++       * preference HostkeyAlgorithms, then use the whole list as is.
> ++       * Note that we ignore whether the best preference algorithm is a
> ++       * certificate type, as sshconnect.c will downgrade certs to
> ++       * plain keys if necessary.
> ++       */
> ++      best = first_alg(options.hostkeyalgorithms);
> ++      if (lookup_key_in_hostkeys_by_type(hostkeys,
> ++          sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
> ++              debug3("%s: have matching best-preference key type %s, "
> ++                  "using HostkeyAlgorithms verbatim", __func__, best);
> ++              ret = xstrdup(options.hostkeyalgorithms);
> ++              goto out;
> ++      }
> ++
> ++      /*
> ++       * Otherwise, prefer the host key algorithms that match known keys
> ++       * while keeping the ordering of HostkeyAlgorithms as much as 
> possible.
> ++       */
> +       oavail = avail = xstrdup(options.hostkeyalgorithms);
> +       maxlen = strlen(avail) + 1;
> +       first = xmalloc(maxlen);
> +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, 
> u_short port)
> +       if (*first != '\0')
> +               debug3("%s: prefer hostkeyalgs: %s", __func__, first);
> +
> ++ out:
> ++      free(best);
> +       free(first);
> +       free(last);
> +       free(hostname);
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb 
> b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index fe94f30503..17965557a7 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -24,6 +24,7 @@ SRC_URI = 
> "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
>             file://sshd_check_keys \
>             file://add-test-support-for-busybox.patch \
> +           file://CVE-2020-14145.patch \
>             "
>  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
>  SRC_URI[sha256sum] = 
> "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and 
> is the property of the KPIT Technologies Ltd. It is intended only for the 
> person to whom it is addressed. If you are not the intended recipient, you 
> are not authorized to read, print, retain copy, disseminate, distribute, or 
> use this message or any part thereof. If you receive this message in error, 
> please notify the sender immediately and delete all copies of this message. 
> KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#150123): 
https://lists.openembedded.org/g/openembedded-core/message/150123
Mute This Topic: https://lists.openembedded.org/mt/81755669/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [poky][dunfell][PATCHv2] openssh: fix CVE-2020-14145

Reply via email to