From: Jacob Kroon <jacob.kroon@gmail.com>
To: Steve Sakoman <steve@sakoman.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][dunfell 02/14] openssh: Fix CVE-2021-41617
Date: Thu, 30 Dec 2021 19:54:57 +0100 [thread overview]
Message-ID: <4f71652d-7857-7513-9add-fca8621231cd@gmail.com> (raw)
In-Reply-To: <a4e272700e18ca7e86e24ce4e24031ce7745c87b.1640181998.git.steve@sakoman.com>
On 12/22/21 15:12, Steve Sakoman wrote:
> From: sana kazi <sanakazisk19@gmail.com>
>
> Add patch to fix CVE-2021-41617
> Link: https://bugzilla.suse.com/attachment.cgi?id=854015
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> .../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++++++++++++
> .../openssh/openssh_8.2p1.bb | 1 +
> 2 files changed, 53 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> new file mode 100644
> index 0000000000..bda896f581
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> @@ -0,0 +1,52 @@
> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
> +From: Ali Abdallah <aabdallah@suse.de>
> +Date: Wed, 24 Nov 2021 13:33:39 +0100
> +Subject: [PATCH] CVE-2021-41617 fix
> +
> +backport of the following two upstream commits
> +
> +f3cbe43e28fe71427d41cfe3a17125b972710455
> +bf944e3794eff5413f2df1ef37cddf96918c6bde
> +
> +CVE-2021-41617 failed to correctly initialise supplemental groups
> +when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
> +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
> +directive has been set to run the command as a different user. Instead
> +these commands would inherit the groups that sshd(8) was started with.
> +---
> + auth.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +CVE: CVE-2021-41617
> +Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
> +Comment: No change in any hunk
> +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> +
> +diff --git a/auth.c b/auth.c
> +index 163038f..a47b267 100644
> +--- a/auth.c
> ++++ b/auth.c
> +@@ -52,6 +52,7 @@
> + #include <limits.h>
> + #include <netdb.h>
> + #include <time.h>
> ++#include <grp.h>
> +
> + #include "xmalloc.h"
> + #include "match.h"
> +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
> + }
> + closefrom(STDERR_FILENO + 1);
> +
> ++ if (geteuid() == 0 &&
> ++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
> ++ error("%s: initgroups(%s, %u): %s", tag,
> ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
> ++ _exit(1);
> ++ }
> ++
> + /* Don't use permanently_set_uid() here to avoid fatal() */
> + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
> + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
> +--
> +2.26.2
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index b60d1a6bd4..e903ec487d 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> file://add-test-support-for-busybox.patch \
> file://CVE-2020-14145.patch \
> file://CVE-2021-28041.patch \
> + file://CVE-2021-41617.patch \
> "
> SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#159947): https://lists.openembedded.org/g/openembedded-core/message/159947
> Mute This Topic: https://lists.openembedded.org/mt/87898179/4454410
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [jacob.kroon@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
I would have expected this patch to leave a mark in my buildhistory, but
nothing related to openssh(d) shows up.
Size of /usr/sbin/sshd stays the same, which at least to me is a little
odd.. but I can see that the sha256sum output of sshd changes.
(It would be nice to have sha256sum hashes of files in buildhistory)
Am I the only one who thinks this is a little strange ?
/Jacob
next prev parent reply other threads:[~2021-12-30 18:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-22 14:12 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 01/14] bluez: fix CVE-2021-0129 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 02/14] openssh: Fix CVE-2021-41617 Steve Sakoman
2021-12-30 18:54 ` Jacob Kroon [this message]
[not found] ` <16C59D37B8124AF8.22808@lists.openembedded.org>
2021-12-30 19:04 ` Jacob Kroon
2021-12-30 20:17 ` Steve Sakoman
2021-12-30 22:00 ` Jacob Kroon
2021-12-22 14:12 ` [OE-core][dunfell 03/14] openssh: Whitelist CVE-2016-20012 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 04/14] vim: fix CVE-2021-4069 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 05/14] inetutils: fix CVE-2021-40491 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 06/14] dropbear: Fix CVE-2020-36254 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 07/14] bootchart2: remove wait_boot logic Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 08/14] linux-yocto/5.4: update to v5.4.159 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 09/14] linux-yocto/5.4: update to v5.4.162 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 10/14] linux-yocto/5.4: update to v5.4.163 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 11/14] linux-yocto/5.4: update to v5.4.165 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 12/14] linux-yocto/5.4: update to v5.4.167 Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 13/14] gstreamer1.0: fix failing ptest Steve Sakoman
2021-12-22 14:12 ` [OE-core][dunfell 14/14] selftest: skip virgl test on fedora 34 entirely Steve Sakoman
2021-12-23 9:19 ` Mittal, Anuj
2021-12-23 14:41 ` Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4f71652d-7857-7513-9add-fca8621231cd@gmail.com \
--to=jacob.kroon@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox