
[alpine-aports] [PATCH v3.4] main/openssh: security fixes #6584

Message ID
<20161228145435.267-1-sergej.lukin@gmail.com>
Sender timestamp
1482936875
Patch: +366 -4
CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012
---
 main/openssh/APKBUILD               |  35 ++++++++--
 main/openssh/CVE-2016-10009.patch   | 130 ++++++++++++++++++++++++++++++++++++
 main/openssh/CVE-2016-10010.patch   |  29 ++++++++
 main/openssh/CVE-2016-10011.patch   |  37 ++++++++++
 main/openssh/CVE-2016-10012-1.patch |  89 ++++++++++++++++++++++++
 main/openssh/CVE-2016-10012-2.patch |  33 +++++++++
 main/openssh/CVE-2016-10012-3.patch |  17 +++++
 7 files changed, 366 insertions(+), 4 deletions(-)
 create mode 100644 main/openssh/CVE-2016-10009.patch
 create mode 100644 main/openssh/CVE-2016-10010.patch
 create mode 100644 main/openssh/CVE-2016-10011.patch
 create mode 100644 main/openssh/CVE-2016-10012-1.patch
 create mode 100644 main/openssh/CVE-2016-10012-2.patch
 create mode 100644 main/openssh/CVE-2016-10012-3.patch

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 84924d7..b37435b 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -1,9 +1,10 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Conptributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
pkgver=7.2_p2
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=3
pkgrel=4
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -23,6 +24,12 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
	openssh-sftp-interactive.diff
	CVE-2016-6210.patch
	CVE-2016-6515.patch
	CVE-2016-10009.patch
	CVE-2016-10010.patch
	CVE-2016-10011.patch
	CVE-2016-10012-1.patch
	CVE-2016-10012-2.patch
	CVE-2016-10012-3.patch
	"
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh

@@ -31,6 +38,11 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
#     - CVE-2016-6210
#   7.2_p2-r2:
#     - CVE-2016-6515
#   7.2_p2-r1:
#     - CVE-2016-10009
#     - CVE-2016-10010
#     - CVE-2016-10011
#     - CVE-2016-10012

_builddir="$srcdir"/$pkgname-$_myver
prepare() {
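Review bot: The new entries in this comment block (which looks like the package's secfixes list; its header is above the hunk) are filed under `#   7.2_p2-r1:` although the first hunk bumps pkgrel from 3 to 4, and by this hunk's line counts the `7.2_p2-r1:` label is itself one of the five added lines. If this is the machine-readable secfixes block, the four CVEs are recorded as fixed in a release that predates the fix, which misleads anyone auditing when the package became safe. Change the label to `#   7.2_p2-r4:` and place the five lines above the existing `#   7.2_p2-r2:` entry, matching the descending release order the visible entries use.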
@@ -134,7 +146,12 @@ cd52fe99cb4b7d0d847bf5d710d93564  openssh6.5-peaktput.diff
ccff4ede2075bcdaa070940cb4eadba2  sshd.confd
2dd7e366607e95f9762273067309fd6e  openssh-sftp-interactive.diff
baccdaf19767102c91343742cc09ebc9  CVE-2016-6210.patch
c70de89a56f365514ea7a877c8267715  CVE-2016-6515.patch"
c70de89a56f365514ea7a877c8267715  CVE-2016-6515.patch
c90d3f553ab3f7e18eef857160b4f3e4  CVE-2016-10009.patch
ff2645ea513fd071553f657aabb49e2b  CVE-2016-10010.patch
af9e3c0a4d90b72cc9532120dd50341c  CVE-2016-10012-1.patch
7bc38d8b2ff07def069a063a4ba74311  CVE-2016-10012-2.patch
75b99affc2a24f8187561e27a90cfbc8  CVE-2016-10012-3.patch"
sha256sums="a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c  openssh-7.2p2.tar.gz
bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
861132af07c18f5e0ac7b64f389a929e61a051887bf44bda770a97e3afd9bfb6  openssh7.1-dynwindows.diff
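Review bot: CVE-2016-10011.patch is added to source= in the earlier hunk, but this md5sums hunk adds no entry for it, and the sha256sums and sha512sums hunks below omit it in the same way. abuild's source verification should reject a source file that has no checksum entry, so the build cannot succeed as submitted, and a patch that is not checksummed is exactly the kind of file whose integrity a reviewer wants pinned. Each of the three lists needs a line for CVE-2016-10011.patch in the same position as in source= (between the CVE-2016-10010.patch and CVE-2016-10012-1.patch entries), with the digests regenerated by `abuild checksum` from the committed file rather than typed in by hand.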
@@ -144,7 +161,12 @@ bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-pea
3342d2fc9b174f898f887237002f04fa9bc01c31e9a851e063ca7de8825ad0eb  sshd.confd
4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376  openssh-sftp-interactive.diff
53ee8c957e9dd3bb51fe629d04e6373c6e4b62026352463bad916a4e66c00f37  CVE-2016-6210.patch
dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa  CVE-2016-6515.patch"
dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa  CVE-2016-6515.patch
21cc3551212d0e7468ea624fed9a77f75c26ee618d0c8f9db5ba371a6714c2c9  CVE-2016-10009.patch
477fe3e0aa4e84ed456ed976070596047a587e0a743c2be8a69274869e904a01  CVE-2016-10010.patch
fedc1069bdbd7e95b8ba7f597fa0f07cae09714ba839b454596e5aa860698004  CVE-2016-10012-1.patch
2be09b0a0aa4b3859fddd360a679b41c95f97a7e11df95aa1a1abe174f97bab7  CVE-2016-10012-2.patch
bd6fa4cfd9cd7ebdfb4e9b8b6295b6b9579e48e90d46da1ec0a9d53aa1479369  CVE-2016-10012-3.patch"
sha512sums="44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b  openssh-7.2p2.tar.gz
e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
72a7dc21d18388c635d14dda762ac50caeefd38f0153d8ea36d18e9d7c982e104f7b7a3af8c18fd479c31201fbdee1639f3a1ec60d035d4ca8721a8563fa11a0  openssh7.1-dynwindows.diff
@@ -154,4 +176,9 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4  sshd.confd
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  openssh-sftp-interactive.diff
202ae2ca83c0caeb0099ca22e7a248053d29cc7751c5b5865004108e4b998d7bf738df8cc0aa138a2b770748e5f90835e707434acd4719ce388181db1dc81ccd  CVE-2016-6210.patch
23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6  CVE-2016-6515.patch"
23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6  CVE-2016-6515.patch
8fed8ced305b61428a83c074c4a4ea53c7ad5a59c68604398852a5e33b728c241ca12f89f15fb6d3df37e82854b574a117522e4c178e20ca466f3f725ad05be1  CVE-2016-10009.patch
d6798d818ff7dfad0cd314c2f0e2d3d5477e4567f5422ff2409fdd56050d45e88073fb2b9008c3335cc3ac596b6c0ed13128fa5d588cbb56d4919ab62b218c26  CVE-2016-10010.patch
8d7601ecf86d5e4fcb7908690598d28af25a7e019d359b7b680a235844403414127262978e07679e36cef2293c114d417bd139c8791423febdb4ce2437d628b6  CVE-2016-10012-1.patch
8f2e4b851d69ff1328452ed0b2f804cb55f1ba668a9a77cb1b14c8bbd573436d8f4daa163662ac40e15bebfedaba2a666519c9b9e6f53a769415cef343e61fd5  CVE-2016-10012-2.patch
deef0aba42fa3d5c63807cfb106eaee25be2ab63a0f7cd80046ffd8e67bbc78ca19f1cdf433d522dbd09b088c4f0a165f3edcaba4c12d0200f8615da3c98f78a  CVE-2016-10012-3.patch"
diff --git a/main/openssh/CVE-2016-10009.patch b/main/openssh/CVE-2016-10009.patch
new file mode 100644
index 0000000..a7adc16
--- /dev/null
+++ b/main/openssh/CVE-2016-10009.patch
@@ -0,0 +1,130 @@
patch was slightly modified to be applied to openssh-7.2_p2
Original patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&sortby=date&f=h&f=u

===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
retrieving revision 1.214
retrieving revision 1.215
diff -u -r1.214 -r1.215
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -69,11 +69,16 @@
 #include "misc.h"
 #include "digest.h"
 #include "ssherr.h"
+#include "match.h"
 
 #ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
 #endif
 
+#ifndef DEFAULT_PKCS11_WHITELIST
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+#endif
+
 #if defined(HAVE_SYS_PRCTL_H)
 #include <sys/prctl.h>  /* For prctl() and PR_SET_DUMPABLE */
 #endif
@@ -121,6 +126,9 @@
 char socket_name[PATH_MAX];
 char socket_dir[PATH_MAX];
 
+/* PKCS#11 path whitelist */
+static char *pkcs11_whitelist;
+
 /* locking */
 #define LOCK_SIZE	32
 #define LOCK_SALT_SIZE	16
@@ -724,7 +732,7 @@
 static void
 process_add_smartcard_key(SocketEntry *e)
 {
-	char *provider = NULL, *pin;
+	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
 	int r, i, version, count = 0, success = 0, confirm = 0;
 	u_int seconds;
 	time_t death = 0;
@@ -756,10 +764,21 @@
 			goto send;
 		}
 	}
+	if (realpath(provider, canonical_provider) == NULL) {
+		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+		    provider, strerror(errno));
+		goto send;
+	}
+	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
+		verbose("refusing PKCS#11 add of \"%.100s\": "
+		    "provider not whitelisted", canonical_provider);
+		goto send;
+	}
+	debug("%s: add %.100s", __func__, canonical_provider);
 	if (lifetime && !death)
 		death = monotime() + lifetime;
 
-	count = pkcs11_add_provider(provider, pin, &keys);
+	count = pkcs11_add_provider(canonical_provider, pin, &keys);
 	for (i = 0; i < count; i++) {
 		k = keys[i];
 		version = k->type == KEY_RSA1 ? 1 : 2;
@@ -767,8 +786,8 @@
 		if (lookup_identity(k, version) == NULL) {
 			id = xcalloc(1, sizeof(Identity));
 			id->key = k;
-			id->provider = xstrdup(provider);
-			id->comment = xstrdup(provider); /* XXX */
+			id->provider = xstrdup(canonical_provider);
+			id->comment = xstrdup(canonical_provider); /* XXX */
 			id->death = death;
 			id->confirm = confirm;
 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
@@ -1157,7 +1176,7 @@
 {
 	fprintf(stderr,
 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
-	    "                 [-t life] [command [arg ...]]\n"
+	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
 	    "       ssh-agent [-c | -s] -k\n");
 	exit(1);
 }
@@ -1191,7 +1210,7 @@
 	OpenSSL_add_all_algorithms();
 #endif
 
-	while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
+	while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1206,6 +1225,11 @@
 		case 'k':
 			k_flag++;
 			break;
+		case 'P':
+			if (pkcs11_whitelist != NULL)
+				fatal("-P option already specified");
+			pkcs11_whitelist = xstrdup(optarg);
+			break;
 		case 's':
 			if (c_flag)
 				usage();
@@ -1240,6 +1264,9 @@
 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
 		usage();
 
+	if (pkcs11_whitelist == NULL)
+		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
+
 	if (ac == 0 && !c_flag && !s_flag) {
 		shell = getenv("SHELL");
 		if (shell != NULL && (len = strlen(shell)) > 2 &&
@@ -1385,7 +1412,7 @@
 	signal(SIGTERM, cleanup_handler);
 	nalloc = 0;
 
-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
 
 	while (1) {
diff --git a/main/openssh/CVE-2016-10010.patch b/main/openssh/CVE-2016-10010.patch
new file mode 100644
index 0000000..7d3f45e
--- /dev/null
+++ b/main/openssh/CVE-2016-10010.patch
@@ -0,0 +1,29 @@
patch was slightly modified to be applied to openssh-7.2_p2
Original patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/serverloop.c.diff?r1=1.188&r2=1.189&sortby=date&f=h&f=u

===================================================================
RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
retrieving revision 1.188
retrieving revision 1.189
diff -u -r1.188 -r1.189
--- a/serverloop.c
+++ b/serverloop.c
@@ -472,7 +472,7 @@
 
 	/* XXX fine grained permissions */
 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-	    !no_port_forwarding_flag) {
+	    !no_port_forwarding_flag && use_privsep) {
 		c = channel_connect_to_path(target,
 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
 	} else {
@@ -748,7 +749,7 @@
 
 		/* check permissions */
 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-		    || no_port_forwarding_flag) {
+		    || no_port_forwarding_flag || !use_privsep) {
 			success = 0;
 			packet_send_debug("Server has disabled port forwarding.");
 		} else {
diff --git a/main/openssh/CVE-2016-10011.patch b/main/openssh/CVE-2016-10011.patch
new file mode 100644
index 0000000..aea75f3
--- /dev/null
+++ b/main/openssh/CVE-2016-10011.patch
@@ -0,0 +1,37 @@
patch was slightly modified to be applied to openssh-7.2_p2
Original patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122

===================================================================
RCS file: /cvs/src/usr.bin/ssh/authfile.c,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- a/authfile.c
+++ b/authfile.c
@@ -98,13 +98,24 @@
 	u_char buf[1024];
 	size_t len;
 	struct stat st;
-	int r;
+	int r, dontmax = 0;
 
 	if (fstat(fd, &st) < 0)
 		return SSH_ERR_SYSTEM_ERROR;
 	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
 	    st.st_size > MAX_KEY_FILE_SIZE)
 		return SSH_ERR_INVALID_FORMAT;
+	/*
+	 * Pre-allocate the buffer used for the key contents and clamp its
+	 * maximum size. This ensures that key contents are never leaked via
+	 * implicit realloc() in the sshbuf code.
+	 */
+	if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
+		st.st_size = 64*1024; /* 64k should be enough for anyone :) */
+		dontmax = 1;
+	}
+	if (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0)
+		return r;
 	for (;;) {
 		if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
 			if (errno == EPIPE)
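Review bot: The added comment says the buffer is pre-allocated and its maximum size clamped, but the code only clamps: `sshbuf_set_max_size()` runs solely when `dontmax` is set, i.e. for a non-regular file or an unknown size, and for an ordinary regular key file this hunk changes nothing, so the implicit realloc() path the comment warns about is still taken on the common case. The upstream authfile.c r1.122 change this backports also pre-allocates the buffer to `st.st_size` (via an sshbuf allocation helper that, as far as I recall, 7.2_p2 does not have), and that pre-allocation is what makes the fix effective for regular files. Either port the pre-allocation as well, or reduce the comment to what this backport actually does and record the omission in the header note above (`patch was slightly modified …`), so the package is not marked as fixing CVE-2016-10011 on the strength of a partial change. The enclosing function starts before this hunk.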
diff --git a/main/openssh/CVE-2016-10012-1.patch b/main/openssh/CVE-2016-10012-1.patch
new file mode 100644
index 0000000..4d228de
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-1.patch
@@ -0,0 +1,89 @@
patch was slightly modified to be applied to openssh-7.2_p2
Original patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166

===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
retrieving revision 1.165
retrieving revision 1.166
diff -u -r1.165 -r1.166
--- a/monitor.c
+++ b/monitor.c
@@ -70,7 +70,6 @@
 #include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
-#include "monitor_mm.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -335,31 +334,6 @@
 		monitor_read(pmonitor, mon_dispatch, NULL);
 }
 
-void
-monitor_sync(struct monitor *pmonitor)
-{
-	if (options.compression) {
-		/* The member allocation is not visible, so sync it */
-		mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
-	}
-}
-
-/* Allocation functions for zlib */
-static void *
-mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
-{
-	if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size)
-		fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
-
-	return mm_malloc(mm, size * ncount);
-}
-
-static void
-mm_zfree(struct mm_master *mm, void *address)
-{
-	mm_free(mm, address);
-}
-
 static int
 monitor_read_log(struct monitor *pmonitor)
 {
@@ -1292,13 +1266,6 @@
 		kex->host_key_index=&get_hostkey_index;
 		kex->sign = sshd_hostkey_sign;
 	}
-
-	/* Update with new address */
-	if (options.compression) {
-		ssh_packet_set_compress_hooks(ssh, pmonitor->m_zlib,
-		    (ssh_packet_comp_alloc_func *)mm_zalloc,
-		    (ssh_packet_comp_free_func *)mm_zfree);
-	}
 }
 
 /* This function requries careful sanity checking */
@@ -1351,23 +1318,10 @@
 struct monitor *
 monitor_init(void)
 {
-	struct ssh *ssh = active_state;			/* XXX */
 	struct monitor *mon;
 
 	mon = xcalloc(1, sizeof(*mon));
-
 	monitor_openfds(mon, 1);
-
-	/* Used to share zlib space across processes */
-	if (options.compression) {
-		mon->m_zback = mm_create(NULL, MM_MEMSIZE);
-		mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
-
-		/* Compression needs to share state across borders */
-		ssh_packet_set_compress_hooks(ssh, mon->m_zlib,
-		    (ssh_packet_comp_alloc_func *)mm_zalloc,
-		    (ssh_packet_comp_free_func *)mm_zfree);
-	}
 
 	return mon;
 }
diff --git a/main/openssh/CVE-2016-10012-2.patch b/main/openssh/CVE-2016-10012-2.patch
new file mode 100644
index 0000000..4f462fb
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-2.patch
@@ -0,0 +1,33 @@
patch was slightly modified to be applied to openssh-7.2_p2
Original patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20

===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor.h,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- a/monitor.h
+++ b/monitor.h
@@ -58,21 +58,17 @@
 	MONITOR_REQ_TERM = 50,
 };
 
-struct mm_master;
 struct monitor {
 	int			 m_recvfd;
 	int			 m_sendfd;
 	int			 m_log_recvfd;
 	int			 m_log_sendfd;
-	struct mm_master	*m_zback;
-	struct mm_master	*m_zlib;
 	struct kex		**m_pkex;
 	pid_t			 m_pid;
 };
 
 struct monitor *monitor_init(void);
 void monitor_reinit(struct monitor *);
-void monitor_sync(struct monitor *);
 
 struct Authctxt;
 void monitor_child_preauth(struct Authctxt *, struct monitor *);
diff --git a/main/openssh/CVE-2016-10012-3.patch b/main/openssh/CVE-2016-10012-3.patch
new file mode 100644
index 0000000..423b56a
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-3.patch
@@ -0,0 +1,17 @@
CVE-2016-10012 fix for openssh-7.2_p2
Idea taken from patches:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20

===================================================================
--- a/sshd.c
+++ b/sshd.c
@@ -683,8 +683,5 @@
 			ssh_sandbox_parent_preauth(box, pid);
 		monitor_child_preauth(authctxt, pmonitor);
 
-		/* Sync memory */
-		monitor_sync(pmonitor);
-
 		/* Wait for the child's exit status */
 		while (waitpid(pid, &status, 0) < 0) { 
-- 
2.8.3


