sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Porting patch from <https://github.com/openbsd/src/commit/ c76fac666ea038753294f2ac94d310f8adece9ce> to solve CVE-2016-10010. Adapted the patch to solve context issues. Signed-off-by: Li Zhou <li.z...@windriver.com> --- .../openssh/openssh/openssh-CVE-2016-10010.patch | 38 ++++++++++++++++++++++ meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch new file mode 100644 index 0000000..239912f --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch 
@@ -0,0 +1,38 @@ +From e86492668e4005eb3b20ba827a7e8474f2888e7e Mon Sep 17 00:00:00 2001 +From: Li Zhou <li.z...@windriver.com> +Date: Wed, 25 Jan 2017 11:01:10 +0800 +Subject: [PATCH] openssh: disable Unix-domain socket forwarding when privsep + is disabled + +Upstream-Status: Backport + +Signed-off-by: Li Zhou <li.z...@windriver.com> +--- + serverloop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/serverloop.c b/serverloop.c +index 3563e5d..233de42 100644 +--- a/serverloop.c ++++ b/serverloop.c +@@ -999,7 +999,7 @@ server_request_direct_streamlocal(void) + + /* XXX fine grained permissions */ + if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && +- !no_port_forwarding_flag) { ++ !no_port_forwarding_flag && use_privsep) { + c = channel_connect_to_path(target, + "direct-streamlo...@openssh.com", "direct-streamlocal"); + } else { +@@ -1280,7 +1280,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) + + /* check permissions */ + if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 +- || no_port_forwarding_flag) { ++ || no_port_forwarding_flag || !use_privsep) { + success = 0; + packet_send_debug("Server has disabled port forwarding."); + } else { +-- +1.9.1 + diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb index 94eb0ed..522bda6 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb 
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://fix-CVE-2016-8858.patch \ + file://openssh-CVE-2016-10010.patch \ " PAM_SRC_URI = "file://sshd" -- 1.9.1
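Review bot: the header of the new openssh-CVE-2016-10010.patch (the @@ -0,0 +1,38 @@ hunk) says `Upstream-Status: Backport` but does not name the upstream commit and carries no `CVE: CVE-2016-10010` tag, which the OE-core patch guidelines ask for on CVE fixes; suggest `Upstream-Status: Backport [https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce]` (the cover message has this URL with a stray space in it) plus a `CVE: CVE-2016-10010` line, and a sentence saying what the "context issues" adaptation mentioned in the cover message changed relative to upstream. The two serverloop.c changes inside it are consistent with each other: direct-streamlocal is only allowed when `use_privsep` is set, and the remote streamlocal global request is refused when it is not, so an sshd running without privilege separation loses Unix-domain socket forwarding entirely instead of creating the sockets as root; that behavioural trade-off for UsePrivilegeSeparation=no deployments is worth stating in the header as well.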
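Review bot: in the openssh_7.3p1.bb hunk the added `file://openssh-CVE-2016-10010.patch \` line follows `file://fix-CVE-2016-8858.patch \` but uses a different naming scheme for the same kind of fix; consider naming the new file `fix-CVE-2016-10010.patch` so the recipe's CVE patches share one pattern and are easy to find together. The line itself is correct: it keeps the backslash continuation and sits inside the SRC_URI quote before the closing `"`.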