On Thu, 30 Dec 2021, 21:17 Steve Sakoman, <st...@sakoman.com> wrote:

On Thu, Dec 30, 2021 at 9:04 AM Jacob Kroon <jacob.kr...@gmail.com> wrote:
>
> On 12/30/21 19:54, Jacob Kroon via lists.openembedded.org wrote:
> > On 12/22/21 15:12, Steve Sakoman wrote:
> >> From: sana kazi <sanakazis...@gmail.com>
> >>
> >> Add patch to fix CVE-2021-41617
> >> Link: https://bugzilla.suse.com/attachment.cgi?id=854015
> >>
> >> Signed-off-by: Sana Kazi <sana.k...@kpit.com>
> >> Signed-off-by: Sana Kazi <sanakazis...@gmail.com>
> >> Signed-off-by: Steve Sakoman <st...@sakoman.com>
> >> ---
> >>  .../openssh/openssh/CVE-2021-41617.patch      | 52 +++++++++++++++++++
> >>  .../openssh/openssh_8.2p1.bb                  |  1 +
> >>  2 files changed, 53 insertions(+)
> >>  create mode 100644
meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >>
> >> diff --git
a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >> new file mode 100644
> >> index 0000000000..bda896f581
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >> @@ -0,0 +1,52 @@
> >> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
> >> +From: Ali Abdallah <aabdal...@suse.de>
> >> +Date: Wed, 24 Nov 2021 13:33:39 +0100
> >> +Subject: [PATCH] CVE-2021-41617 fix
> >> +
> >> +backport of the following two upstream commits
> >> +
> >> +f3cbe43e28fe71427d41cfe3a17125b972710455
> >> +bf944e3794eff5413f2df1ef37cddf96918c6bde
> >> +
> >> +CVE-2021-41617 failed to correctly initialise supplemental groups
> >> +when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand,
> >> +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
> >> +directive has been set to run the command as a different user. Instead
> >> +these commands would inherit the groups that sshd(8) was started with.
> >> +---
> >> + auth.c | 8 ++++++++
> >> + 1 file changed, 8 insertions(+)
> >> +
> >> +CVE: CVE-2021-41617
> >> +Upstream-Status: Backport [
https://bugzilla.suse.com/attachment.cgi?id=854015]
> >> +Comment: No change in any hunk
> >> +Signed-off-by: Sana Kazi <sana.k...@kpit.com>
> >> +
> >> +diff --git a/auth.c b/auth.c
> >> +index 163038f..a47b267 100644
> >> +--- a/auth.c
> >> ++++ b/auth.c
> >> +@@ -52,6 +52,7 @@
> >> + #include <limits.h>
> >> + #include <netdb.h>
> >> + #include <time.h>
> >> ++#include <grp.h>
> >> +
> >> + #include "xmalloc.h"
> >> + #include "match.h"
> >> +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw,
const char *command,
> >> +            }
> >> +            closefrom(STDERR_FILENO + 1);
> >> +
> >> ++           if (geteuid() == 0 &&
> >> ++               initgroups(pw->pw_name, pw->pw_gid) == -1) {
> >> ++                   error("%s: initgroups(%s, %u): %s", tag,
> >> ++                       pw->pw_name, (u_int)pw->pw_gid,
strerror(errno));
> >> ++                   _exit(1);
> >> ++           }
> >> ++
> >> +            /* Don't use permanently_set_uid() here to avoid fatal()
*/
> >> +            if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
> >> +                    error("%s: setresgid %u: %s", tag,
(u_int)pw->pw_gid,
> >> +--
> >> +2.26.2
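Review bot: The Upstream-Status tag in the embedded patch header points at the SUSE bugzilla attachment, while the message just above it states that this is a backport of upstream commits f3cbe43e28fe71427d41cfe3a17125b972710455 and bf944e3794eff5413f2df1ef37cddf96918c6bde. Please reference those two commits in the tag (keeping the SUSE link as the place the backport was taken from) so the change can be checked against upstream without going through the attachment. In the subprocess() hunk the initgroups() call is correctly placed before setresgid(), but the geteuid() == 0 guard means an sshd that is not running as root skips it without any message; a one-line comment saying that this is intended would help the next person who touches the backport.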
> >> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
 b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> index b60d1a6bd4..e903ec487d 100644
> >> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> @@ -26,6 +26,7 @@ SRC_URI = "
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> >>             file://add-test-support-for-busybox.patch \
> >>             file://CVE-2020-14145.patch \
> >>             file://CVE-2021-28041.patch \
> >> +           file://CVE-2021-41617.patch \
> >>             "
> >>  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> >>  SRC_URI[sha256sum] =
"43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> >>
> >>
> >>
> >>
> >>
> >
> > I would have expected this patch to leave a mark in my buildhistory, but
> > nothing related to openssh(d) shows up.
> >
> > Size of /usr/sbin/sshd stays the same, which at least to me is a little
> > odd.. but I can see that the sha256sum output of sshd changes.
> >
> > (It would be nice to have sha256sum hashes of files in buildhistory)
> >
> > Am I the only one who thinks this is a little strange ?
> >
> > /Jacob
> >
>
> Let me rephrase, I do see changes related to debug information and the
> debug package, but no change in the resulting '/usr/sbin/sshd' size that
> goes in the final image.

Yes, it is unusual that the size of sshd is the same pre and post patch.

I checked the size of auth.o pre and post patch, and it is also the
same (not surprisingly!)

However I've verified that the patch modifies auth.c as desired, and
the md5sums for both auth.o and sshd are different pre and post patch
(as expected)

So this is just one of those cases where different code results in the
same size!

Steve


Thanks for double checking.
/Jacob
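
Since the file size does not show whether a running sshd carries the fix, the effect can be checked on the helper process itself. The following is an added example, not part of this thread or of OpenSSH: it reads the `Groups:` line of `/proc/<pid>/status` for a command started via AuthorizedKeysCommand and reports supplementary groups the target user should not have. The process name, uid and gid values in the samples are constructed.

```python
"""Flag helper processes that kept supplementary groups their user should not have."""
import os
import pwd


def parse_status(status_text):
    """Return (real_uid, real_gid, supplementary_gids) from /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    uid = int(fields["Uid"][0])   # first column is the real uid
    gid = int(fields["Gid"][0])   # first column is the real gid
    groups = {int(g) for g in fields.get("Groups", [])}
    return uid, gid, groups


def inherited_groups(status_text, expected_gids):
    """Supplementary gids held by the process but not granted to its user."""
    _, gid, groups = parse_status(status_text)
    return sorted(groups - set(expected_gids) - {gid})


def expected_gids_for(uid):
    """Groups the account database grants to uid (what initgroups() would set)."""
    pw = pwd.getpwuid(uid)
    return set(os.getgrouplist(pw.pw_name, pw.pw_gid))


# Constructed sample: a command running as uid/gid 998 that still carries
# gid 0 and gid 27 from the process that started it (behaviour before the fix).
SAMPLE_UNPATCHED = (
    "Name:\tkeys-helper\nUid:\t998\t998\t998\t998\n"
    "Gid:\t998\t998\t998\t998\nGroups:\t0 27 \n"
)
# Constructed sample: the same command after a successful initgroups() call.
SAMPLE_PATCHED = (
    "Name:\tkeys-helper\nUid:\t998\t998\t998\t998\n"
    "Gid:\t998\t998\t998\t998\nGroups:\t998 \n"
)

if __name__ == "__main__":
    for label, text in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(label, inherited_groups(text, {998}))
```

On a live target, pass the contents of `/proc/<pid>/status` for the helper and `expected_gids_for(uid)` for the configured AuthorizedKeysCommandUser instead of the constructed samples.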