* [PATCH] openssh: Security Advisory - openssh - CVE-2016-10010
@ 2017-01-25 5:19 Li Zhou
2017-01-25 5:23 ` ✗ patchtest: failure for " Patchwork
2017-01-25 12:09 ` [PATCH] " Alexander Kanavin
0 siblings, 2 replies; 3+ messages in thread
From: Li Zhou @ 2017-01-25 5:19 UTC
To: openembedded-core
sshd in OpenSSH before 7.4, when privilege separation is not used,
creates forwarded Unix-domain sockets as root, which might allow
local users to gain privileges via unspecified vectors, related to
serverloop.c.
Porting patch from
<https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce>
to solve CVE-2016-10010.
Adapted the patch to solve context issues.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
.../openssh/openssh/openssh-CVE-2016-10010.patch | 38 ++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
new file mode 100644
index 0000000..239912f
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
@@ -0,0 +1,38 @@
+From e86492668e4005eb3b20ba827a7e8474f2888e7e Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Wed, 25 Jan 2017 11:01:10 +0800
+Subject: [PATCH] openssh: disable Unix-domain socket forwarding when privsep
+ is disabled
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ serverloop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index 3563e5d..233de42 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -999,7 +999,7 @@ server_request_direct_streamlocal(void)
+
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+- !no_port_forwarding_flag) {
++ !no_port_forwarding_flag && use_privsep) {
+ c = channel_connect_to_path(target,
+ "direct-streamlocal@openssh.com", "direct-streamlocal");
+ } else {
+@@ -1280,7 +1280,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+- || no_port_forwarding_flag) {
++ || no_port_forwarding_flag || !use_privsep) {
+ success = 0;
+ packet_send_debug("Server has disabled port forwarding.");
+ } else {
+--
+1.9.1
+
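Review bot: The embedded patch header (the block around "+Upstream-Status: Backport") has no "CVE: CVE-2016-10010" line and does not name the upstream commit it was taken from, although the cover text cites one. Add the CVE tag and the upstream commit URL to the header, and state there what was adapted from upstream, so the provenance travels with the patch file. In the second serverloop.c hunk, a request refused only because of "!use_privsep" still sends "Server has disabled port forwarding.", so the patch description should say that streamlocal forwarding is now refused whenever privilege separation is off; otherwise an administrator seeing that message will look at the forwarding options rather than at privsep.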
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 94eb0ed..522bda6 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://fix-CVE-2016-8858.patch \
+ file://openssh-CVE-2016-10010.patch \
"
PAM_SRC_URI = "file://sshd"
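Review bot: The added SRC_URI entry is named openssh-CVE-2016-10010.patch while the entry directly above it is fix-CVE-2016-8858.patch; use one naming pattern for CVE backports in this recipe. The commit message says the flaw affects OpenSSH before 7.4 and this recipe is openssh_7.3p1.bb, so this entry should be dropped when the recipe moves to 7.4.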
--
1.9.1
* ✗ patchtest: failure for openssh: Security Advisory - openssh - CVE-2016-10010
From: Patchwork @ 2017-01-25 5:23 UTC
To: Li Zhou; +Cc: openembedded-core
== Series Details ==
Series: openssh: Security Advisory - openssh - CVE-2016-10010
Revision: 1
URL : https://patchwork.openembedded.org/series/4949/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch            openssh: Security Advisory - openssh - CVE-2016-10010
  Issue            Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* Re: [PATCH] openssh: Security Advisory - openssh - CVE-2016-10010
From: Alexander Kanavin @ 2017-01-25 12:09 UTC
To: openembedded-core
On 01/25/2017 07:19 AM, Li Zhou wrote:
> sshd in OpenSSH before 7.4, when privilege separation is not used,
> creates forwarded Unix-domain sockets as root, which might allow
> local users to gain privileges via unspecified vectors, related to
> serverloop.c.
>
> Porting patch from
> <https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce>
> to solve CVE-2016-10010.
> Adapted the patch to solve context issues.
Please update openssh to 7.4 instead, there is no need to backport fixes
to master branch, if the issue can be solved by updating the recipe version.
Alex