diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch')
| -rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch new file mode 100644 index 0000000000..934775bdec --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch @@ -0,0 +1,120 @@ +From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 13:56:33 +0000 +Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11 + provider libraries to ssh-agent by default. + +The old behaviour of allowing remote clients from loading providers +can be restored using `ssh-agent -O allow-remote-pkcs11`. + +Detection of local/remote clients requires a ssh(1) that supports +the `session-bind@openssh.com` extension. Forwarding access to a +ssh-agent socket using non-OpenSSH tools may circumvent this control. + +ok markus@ + +OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.1 | 20 ++++++++++++++++++++ + ssh-agent.c | 26 ++++++++++++++++++++++++-- + 2 files changed, 44 insertions(+), 2 deletions(-) + +diff --git a/ssh-agent.1 b/ssh-agent.1 +index fff0db6..a0f1e21 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -97,6 +97,26 @@ The default is + Kill the current agent (given by the + .Ev SSH_AGENT_PID + environment variable). ++Currently two options are supported: ++.Cm allow-remote-pkcs11 ++and ++.Pp ++The ++.Cm allow-remote-pkcs11 ++option allows clients of a forwarded ++.Nm ++to load PKCS#11 or FIDO provider libraries. ++By default only local clients may perform this operation. ++Note that signalling that a ++.Nm ++client remote is performed by ++.Xr ssh 1 , ++and use of other tools to forward access to the agent socket may circumvent ++this restriction. ++.Pp ++The ++.Cm no-restrict-websafe , ++instructs + .It Fl P Ar provider_whitelist + Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator + shared libraries that may be used with the +diff --git a/ssh-agent.c b/ssh-agent.c +index 01c7f2b..40c1b6b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX]; + /* PKCS#11/Security key path whitelist */ + static char *provider_whitelist; + ++/* ++ * Allows PKCS11 providers or SK keys that use non-internal providers to ++ * be added over a remote connection (identified by session-bind@openssh.com). ++ */ ++static int remote_add_provider; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e) + if (strcasecmp(sk_provider, "internal") == 0) { + debug("%s: internal provider", __func__); + } else { ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed add of SK provider \"%.100s\": " ++ "remote addition of providers is disabled", ++ sk_provider); ++ free(sk_provider); ++ free(comment); ++ sshkey_free(k); ++ goto send; ++ } + if (realpath(sk_provider, canonical_provider) == NULL) { + verbose("failed provider \"%.100s\": " + "realpath: %s", sk_provider, +@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e) + goto send; + } + } ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " ++ "providers is disabled", provider); ++ goto send; ++ } + if (realpath(provider, canonical_provider) == NULL) { + verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", + provider, strerror(errno)); +@@ -1556,7 +1576,9 @@ main(int ac, char **av) + break; + case 'O': + if (strcmp(optarg, "no-restrict-websafe") == 0) +- restrict_websafe = 0; ++ restrict_websafe = 0; ++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) ++ remote_add_provider = 1; + else + fatal("Unknown -O option"); + break; +-- +2.41.0 |