From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] openssh: Update to version 9.3p1
Date: Tue, 18 Apr 2023 21:12:00 +0000
Message-ID: <434eed07-5eb6-0a40-9d95-c7ae7b43eda1@ipfire.org>
In-Reply-To: <20230327212709.3955444-3-adolf.belka@ipfire.org>

As always, thank you very much!

Reviewed-by: Peter Müller

> - Update from version 9.2p1 to 9.3p1
> - Update of rootfile not required
> - Removal of patch as this was only required for i586 builds which are no longer done in
>   IPFire
> - Changelog
>   9.3p1 (2023-03-15)
>   This release fixes a number of security bugs.
>
>   Security
>   This release contains fixes for a security problem and a memory
>   safety problem. The memory safety problem is not believed to be
>   exploitable, but we report most network-reachable memory faults as
>   security bugs.
>
>   * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
>     per-hop destination constraints (ssh-add -h ...) added in OpenSSH
>     8.9, a logic error prevented the constraints from being
>     communicated to the agent. This resulted in the keys being added
>     without constraints. The common cases of non-smartcard keys and
>     keys without destination constraints are unaffected. This problem
>     was reported by Luci Stanescu.
>
>   * ssh(1): Portable OpenSSH provides an implementation of the
>     getrrsetbyname(3) function if the standard library does not
>     provide it, for use by the VerifyHostKeyDNS feature. A
>     specifically crafted DNS response could cause this function to
>     perform an out-of-bounds read of adjacent stack data, but this
>     condition does not appear to be exploitable beyond denial-of-
>     service to the ssh(1) client.
>
>     The getrrsetbyname(3) replacement is only included if the system's
>     standard library lacks this function and portable OpenSSH was not
>     compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
>     only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
>     problem was found by the Coverity static analyzer.
>
>   New features
>   * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
>     outputting SSHFP fingerprints to allow algorithm selection. bz3493
>   * sshd(8): add a `sshd -G` option that parses and prints the
>     effective configuration without attempting to load private keys
>     and perform other checks. This allows usage of the option before
>     keys have been generated and for configuration evaluation and
>     verification by unprivileged users.
>
>   Bugfixes
>   * scp(1), sftp(1): fix progressmeter corruption on wide displays;
>     bz3534
>   * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
>     of private keys as some systems are starting to disable RSA/SHA1
>     in libcrypto.
>   * sftp-server(8): fix a memory leak. GHPR363
>   * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
>     compatibility code and simplify what's left.
>   * Fix a number of low-impact Coverity static analysis findings.
>     These include several reported via bz2687
>   * ssh_config(5), sshd_config(5): mention that some options are not
>     first-match-wins.
>   * Rework logging for the regression tests. Regression tests will now
>     capture separate logs for each ssh and sshd invocation in a test.
>   * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
>     says it should; bz3532.
>   * ssh(1): ensure that there is a terminating newline when adding a
>     new entry to known_hosts; bz3529
>
>   Portability
>   * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
>     mmap(2), madvise(2) and futex(2) flags, removing some concerning
>     kernel attack surface.
>   * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
>     bz3537
>
> Signed-off-by: Adolf Belka > --- > lfs/openssh | 5 ++--- > ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 ------------- > 2 files changed, 2 insertions(+), 16 deletions(-) > delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_ti= me64.patch >=20 > diff --git a/lfs/openssh b/lfs/openssh > index 89f486a79..5a18edd70 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -24,7 +24,7 @@ > =20 > include Config > =20 > -VER =3D 9.2p1 > +VER =3D 9.3p1 > =20 > THISAPP =3D openssh-$(VER) > DL_FILE =3D $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d= 75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 > +$(DL_FILE)_BLAKE2 =3D 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace= 7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d > =20 > install : $(TARGET) > =20 > @@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-= 2.31_clock_nanosleep_time64.patch > cd $(DIR_APP) && ./configure \ > --prefix=3D/usr \ > --sysconfdir=3D/etc/ssh \ > diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.pa= tch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch > deleted file mode 100644 > index 5199872d9..000000000 > --- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch > +++ /dev/null 
> @@ -1,13 +0,0 @@ > -diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbo= x-seccomp-filter.c > ---- openssh-8.2p1.org/sandbox-seccomp-filter.c 2020-04-10 18:14:56.1523095= 84 +0200 > -+++ openssh-8.2p1/sandbox-seccomp-filter.c 2020-04-10 21:05:45.827921765 += 0200 > -@@ -253,6 +253,9 @@ > - #endif > - #ifdef __NR_clock_nanosleep_time64 > - SC_ALLOW(__NR_clock_nanosleep_time64), > -+#else > -+ /* on i586 glibc call syscall 407 which is not defined */ > -+ SC_ALLOW(407), > - #endif > - #ifdef __NR_clock_gettime64 > - SC_ALLOW(__NR_clock_gettime64), --===============4527607563712949115==--
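Review bot: the `$(DL_FILE)_BLAKE2` hunk in lfs/openssh (`@@ -40,7 +40,7 @@`) swaps the only integrity anchor for the new source tarball, but neither the hunk nor the commit message says how the new value was obtained; add a sentence to the commit message stating that the 9.3p1 tarball was verified against upstream's detached release signature before its BLAKE2 was recorded, so the checksum is known to describe the authentic tarball rather than whatever the download mirror served.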
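Review bot: the `@@ -71,7 +71,6 @@` hunk removing the `patch -Np1 < ... clock_nanosleep_time64.patch` line is consistent with the deleted patch file, whose only effect was `SC_ALLOW(407)` in the `#else` branch when `__NR_clock_nanosleep_time64` is undefined, with the patch's own comment tying that raw syscall number to i586 glibc; dropping it therefore narrows the seccomp allowlist rather than widening it. Since the 9.3p1 release notes quoted above also rework the sandbox to an allowlist of mmap(2), madvise(2) and futex(2) flags, please note in the commit message that sshd was started and a session accepted with the sandbox enabled on the architectures IPFire still builds, so a sandbox-killed privsep child is not discovered only after release.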