* [OE-core][kirkstone][PATCH] openssh: fix CVE-2023-28531
@ 2023-03-28 8:41 Chen Qi
From: Chen Qi @ 2023-03-28 8:41 UTC (permalink / raw)
To: openembedded-core
Backport patch to fix CVE-2023-28531.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
.../openssh/openssh_8.9p1.bb | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
new file mode 100644
index 0000000000..b4e7ce7ef6
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
@@ -0,0 +1,35 @@
+From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 9 Mar 2023 06:58:26 +0000
+Subject: [PATCH] upstream: include destination constraints for smartcard keys
+ too.
+
+Spotted by Luci Stanescu; ok deraadt@ markus@
+
+OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
+
+CVE: CVE-2023-28531
+
+Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ authfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/authfd.c b/authfd.c
+index 76e48aab..dca8e55b 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
+ struct dest_constraint **dest_constraints, size_t ndest_constraints)
+ {
+ struct sshbuf *msg;
+- int r, constrained = (life || confirm);
++ int r, constrained = (life || confirm || dest_constraints);
+ u_char type;
+
+ if (add) {
+--
+2.37.1
+
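Review bot: the single functional change in this hunk, `- int r, constrained = (life || confirm);` becoming `+ int r, constrained = (life || confirm || dest_constraints);` in ssh_update_card(), is not explained anywhere in the file or in the OE commit message ("Backport patch to fix CVE-2023-28531"); add a sentence to the OE commit message stating that before this change the `dest_constraints` argument visible in the context line had no influence on whether the smartcard add request was marked as constrained, so destination constraints requested for smartcard keys were not applied. Two different hashes appear in the file header (`From 91889b5a...` and `Upstream-Status: Backport [54ac4ab2...]`); one line saying which tree each refers to would save the next reader a lookup.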
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 6057d055f4..d81072537c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://add-test-support-for-busybox.patch \
file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
+ file://0001-upstream-include-destination-constraints-for-smartca.patch \
"
SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
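Review bot: style point on the added `+ file://0001-upstream-include-destination-constraints-for-smartca.patch \` line: the new file shares the `0001-` prefix with the existing `0001-Default-to-not-using-sandbox-when-cross-compiling.patch`, and its name is the git-format-patch subject truncated mid-word ("smartca"). Application order is unaffected, since SRC_URI order drives it, but a name carrying the CVE id (for example CVE-2023-28531.patch) makes the purpose visible in the recipe directory and matches the `CVE:` tag inside the file. The unchanged `SRC_URI[sha256sum]` context line is correct as-is: a file:// patch does not alter the tarball checksum.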
--
2.37.1
* Re: [OE-core][kirkstone][PATCH] openssh: fix CVE-2023-28531
@ 2023-06-13 1:59 ` Ricardo Salveti
From: Ricardo Salveti @ 2023-06-13 1:59 UTC (permalink / raw)
To: Chen Qi; +Cc: openembedded-core, Steve Sakoman, Jose Quaresma
Hi,
Was looking if CVE-2023-28531 was backported to kirkstone already and
noticed this patch was already proposed before, but not
merged/accepted.
Since it showed up once in the metrics report, was it decided to be
ignored in the end (but then I wasn't able to find it defined in
CVE_CHECK_IGNORE)?
Thanks,
Ricardo
On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <Qi.Chen@windriver.com> wrote:
>
> Backport patch to fix CVE-2023-28531.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
> .../openssh/openssh_8.9p1.bb | 1 +
> 2 files changed, 36 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> new file mode 100644
> index 0000000000..b4e7ce7ef6
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> @@ -0,0 +1,35 @@
> +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Thu, 9 Mar 2023 06:58:26 +0000
> +Subject: [PATCH] upstream: include destination constraints for smartcard keys
> + too.
> +
> +Spotted by Luci Stanescu; ok deraadt@ markus@
> +
> +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
> +
> +CVE: CVE-2023-28531
> +
> +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + authfd.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/authfd.c b/authfd.c
> +index 76e48aab..dca8e55b 100644
> +--- a/authfd.c
> ++++ b/authfd.c
> +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
> + struct dest_constraint **dest_constraints, size_t ndest_constraints)
> + {
> + struct sshbuf *msg;
> +- int r, constrained = (life || confirm);
> ++ int r, constrained = (life || confirm || dest_constraints);
> + u_char type;
> +
> + if (add) {
> +--
> +2.37.1
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> index 6057d055f4..d81072537c 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> file://add-test-support-for-busybox.patch \
> file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
> file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
> + file://0001-upstream-include-destination-constraints-for-smartca.patch \
> "
> SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
>
> --
> 2.37.1
>
>
>
--
Ricardo Salveti
* Re: [OE-core][kirkstone][PATCH] openssh: fix CVE-2023-28531
@ 2023-06-13 3:08 ` Steve Sakoman
From: Steve Sakoman @ 2023-06-13 3:08 UTC (permalink / raw)
To: Ricardo Salveti; +Cc: Chen Qi, openembedded-core, Jose Quaresma
On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <ricardo@foundries.io> wrote:
>
> Hi,
>
> Was looking if CVE-2023-28531 was backported to kirkstone already and
> noticed this patch was already proposed before, but not
> merged/accepted.
Sigh, it looks like I somehow missed this one and no one followed up on it :-(
I've got it in my test queue now.
Thanks for letting me know!
Steve
> Since it showed up once in the metrics report, was it decided to be
> ignored in the end (but then I wasn't able to find it defined in
> CVE_CHECK_IGNORE)?
>
> Thanks,
>
> Ricardo
>
> On Tue, Mar 28, 2023 at 5:42 AM Chen Qi <Qi.Chen@windriver.com> wrote:
> >
> > Backport patch to fix CVE-2023-28531.
> >
> > Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> > ---
> > ...-destination-constraints-for-smartca.patch | 35 +++++++++++++++++++
> > .../openssh/openssh_8.9p1.bb | 1 +
> > 2 files changed, 36 insertions(+)
> > create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> > new file mode 100644
> > index 0000000000..b4e7ce7ef6
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch
> > @@ -0,0 +1,35 @@
> > +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001
> > +From: "djm@openbsd.org" <djm@openbsd.org>
> > +Date: Thu, 9 Mar 2023 06:58:26 +0000
> > +Subject: [PATCH] upstream: include destination constraints for smartcard keys
> > + too.
> > +
> > +Spotted by Luci Stanescu; ok deraadt@ markus@
> > +
> > +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f
> > +
> > +CVE: CVE-2023-28531
> > +
> > +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed]
> > +
> > +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> > +---
> > + authfd.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/authfd.c b/authfd.c
> > +index 76e48aab..dca8e55b 100644
> > +--- a/authfd.c
> > ++++ b/authfd.c
> > +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
> > + struct dest_constraint **dest_constraints, size_t ndest_constraints)
> > + {
> > + struct sshbuf *msg;
> > +- int r, constrained = (life || confirm);
> > ++ int r, constrained = (life || confirm || dest_constraints);
> > + u_char type;
> > +
> > + if (add) {
> > +--
> > +2.37.1
> > +
> > diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > index 6057d055f4..d81072537c 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
> > @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> > file://add-test-support-for-busybox.patch \
> > file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \
> > file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \
> > + file://0001-upstream-include-destination-constraints-for-smartca.patch \
> > "
> > SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
> >
> > --
> > 2.37.1
> >
> >
> >
>
>
> --
> Ricardo Salveti
* Re: [OE-core][kirkstone][PATCH] openssh: fix CVE-2023-28531
@ 2023-06-13 15:11 ` Ricardo Salveti
From: Ricardo Salveti @ 2023-06-13 15:11 UTC (permalink / raw)
To: Steve Sakoman; +Cc: Chen Qi, openembedded-core, Jose Quaresma
On Tue, Jun 13, 2023 at 12:08 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> On Mon, Jun 12, 2023 at 4:00 PM Ricardo Salveti <ricardo@foundries.io> wrote:
> >
> > Hi,
> >
> > Was looking if CVE-2023-28531 was backported to kirkstone already and
> > noticed this patch was already proposed before, but not
> > merged/accepted.
>
> Sigh, it looks like I somehow missed this one and no one followed up on it :-(
>
> I've got it in my test queue now.
>
> Thanks for letting me know!
Awesome, thanks!
--
Ricardo Salveti