* [PATCH] openssh: CVE-2011-4327
@ 2012-11-27 5:53 Li Wang
From: Li Wang @ 2012-11-27 5:53 UTC
To: openembedded-core
A security flaw was found in the way ssh-keysign,
a ssh helper program for host based authentication,
attempted to retrieve enough entropy information on configurations that
lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
be executed to retrieve the entropy from the system environment).
A local attacker could use this flaw to obtain unauthorized access to host keys
via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
http://www.openssh.com/txt/portable-keysign-rand-helper.adv
[YOCTO #3493]
Signed-off-by: Li Wang <li.wang@windriver.com>
---
.../openssh-6.0p1/openssh-CVE-2011-4327.patch | 27 ++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 ++-
2 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
new file mode 100644
index 0000000..8489edc
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
@@ -0,0 +1,27 @@
+openssh-CVE-2011-4327
+
+A security flaw was found in the way ssh-keysign,
+a ssh helper program for host based authentication,
+attempted to retrieve enough entropy information on configurations that
+lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
+be executed to retrieve the entropy from the system environment).
+A local attacker could use this flaw to obtain unauthorized access to host keys
+via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
+http://www.openssh.com/txt/portable-keysign-rand-helper.adv
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+--- a/ssh-keysign.c
++++ b/ssh-keysign.c
+@@ -170,6 +170,10 @@
+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
++ fatal("fcntl failed");
+
+ original_real_uid = getuid(); /* XXX readconf.c needs this */
+ if ((pw = getpwuid(original_real_uid)) == NULL)
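Review bot: the three fcntl() calls added after the open() lines abort ssh-keysign on any host that is missing one of the key files. open() returns -1 when, for example, _PATH_HOST_ECDSA_KEY_FILE does not exist, fcntl(-1, F_SETFD, FD_CLOEXEC) then fails with EBADF, and fatal("fcntl failed") exits even though the remaining keys would have served. Skip descriptors that are -1, or treat errno == EBADF as non-fatal, so the check fires only when a live descriptor cannot be marked close-on-exec. The patch header is also missing the Upstream-Status line Saul asks for below; for a change taken from the 5.8p2 fix that would be Upstream-Status: Backport.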
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
index 31202d4..df77040 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -7,7 +7,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
-PR = "r3"
+PR = "r4"
DEPENDS = "zlib openssl"
DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://sshd_config \
file://ssh_config \
file://init \
+ file://openssh-CVE-2011-4327.patch \
${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
PAM_SRC_URI = "file://sshd"
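Review bot: adding this patch to SRC_URI for 6.0p1 ships a fix for code this version no longer contains. The advisory linked in the commit message limits the issue to portable OpenSSH before 5.8p2 built to use ssh-rand-helper, and the 20110505 ChangeLog entry quoted in Li Wang's follow-up in this thread ("Remove ssh-rand-helper and all its tentacles") confirms the helper is gone from 5.8p2 onward, so the ssh-keysign in 6.0p1 never execs anything the key descriptors could leak into. Drop the patch and the PR bump rather than carry a no-op CVE fix; the same advisory also lists Linux as unaffected even for the older versions.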
--
1.7.11
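The commit message above names the mechanism but not the primitive behind it: a descriptor opened without FD_CLOEXEC survives execve(), so whatever the exec'd helper runs, or whoever can attach to it, can read from it. The C program below is an added example, not code from the patch, the thread or the OpenSSH sources. It uses a constructed fake key file in place of the real host keys and /bin/sh in place of ssh-rand-helper (both assumptions), measures how many key bytes the exec'd child can read with and without close-on-exec, and shows the fix in a form that tolerates a missing key file, which the patch's unconditional fcntl() does not. The names open_fake_host_key, bytes_readable_after_exec, set_cloexec_all, leaked_key_bytes and cloexec_tolerates_missing_key are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a host private key; not a real key. */
const char SAMPLE_KEY[] =
    "-----BEGIN PRIVATE KEY-----\nconstructed-sample-not-a-real-key\n-----END PRIVATE KEY-----\n";

/* Unlinked temp file holding SAMPLE_KEY, rewound to offset 0: the assumed
 * stand-in for ssh-keysign's open(_PATH_HOST_*_KEY_FILE, O_RDONLY). */
static int open_fake_host_key(void)
{
    char path[] = "/tmp/fake_host_key_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                        /* only the descriptor matters */
    if (write(fd, SAMPLE_KEY, sizeof SAMPLE_KEY - 1) != (ssize_t)(sizeof SAMPLE_KEY - 1)
        || lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exec /bin/sh in the helper's role and let it read descriptor fd through the
 * redirection '<&N'. Returns the bytes the exec'd child obtained (0 when the
 * descriptor was closed on exec), or -1 on error. */
static ssize_t bytes_readable_after_exec(int fd)
{
    int pipefd[2], status;
    char cmd[64], buf[256];
    ssize_t n, total = 0;
    pid_t pid;
    if (pipe(pipefd) != 0) return -1;
    /* stderr is redirected first so a "bad file descriptor" message stays quiet */
    snprintf(cmd, sizeof cmd, "cat 2>/dev/null <&%d", fd);
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(pipefd[1]);
    while ((n = read(pipefd[0], buf, sizeof buf)) > 0) total += n;
    close(pipefd[0]);
    return waitpid(pid, &status, 0) < 0 ? -1 : total;
}

/* Mark every open descriptor close-on-exec. A -1 entry (a key file that does
 * not exist on this host) is skipped instead of becoming an EBADF failure. */
int set_cloexec_all(const int *fds, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (fds[i] != -1 && fcntl(fds[i], F_SETFD, FD_CLOEXEC) != 0)
            return -1;
    return 0;
}

/* harden == 0 reproduces the leak, harden == 1 applies the fix. */
ssize_t leaked_key_bytes(int harden)
{
    int fd = open_fake_host_key();
    ssize_t n;
    if (fd < 0 || (harden && set_cloexec_all(&fd, 1) != 0)) {
        close(fd);
        return -1;
    }
    n = bytes_readable_after_exec(fd);
    close(fd);
    return n;
}

/* Three key slots with the middle one absent, as on a host without an ECDSA key:
 * set_cloexec_all() succeeds where the patch's bare fcntl(-1, ...) fails. */
int cloexec_tolerates_missing_key(void)
{
    int fds[3] = { open_fake_host_key(), -1, open_fake_host_key() }, ok;
    ok = set_cloexec_all(fds, 3) == 0
        && (fcntl(fds[0], F_GETFD) & FD_CLOEXEC) && (fcntl(fds[2], F_GETFD) & FD_CLOEXEC)
        && fcntl(-1, F_SETFD, FD_CLOEXEC) == -1;
    close(fds[0]);
    close(fds[2]);
    return ok;
}

int main(void)
{
    printf("key bytes read by helper: %zd leaked, %zd hardened; missing key tolerated: %d\n",
           leaked_key_bytes(0), leaked_key_bytes(1), cloexec_tolerates_missing_key());
    return 0;
}
```

The unhardened run returns the full length of SAMPLE_KEY and the hardened run 0, because the shell's `<&N` redirection fails once the descriptor has been closed across exec. FD_CLOEXEC only protects the exec'd image; it does nothing for an attacker who can ptrace the privileged parent itself, which is why the affected-configurations text quoted later in this thread confines the issue to builds that actually exec ssh-rand-helper.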
* [PATCH] openssh: CVE-2011-4327
@ 2012-11-27 6:13 Li Wang
2012-11-29 17:47 ` Saul Wold
2012-11-30 22:41 ` Scott Garman
From: Li Wang @ 2012-11-27 6:13 UTC
To: openembedded-core
A security flaw was found in the way ssh-keysign,
a ssh helper program for host based authentication,
attempted to retrieve enough entropy information on configurations that
lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
be executed to retrieve the entropy from the system environment).
A local attacker could use this flaw to obtain unauthorized access to host keys
via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
http://www.openssh.com/txt/portable-keysign-rand-helper.adv
[YOCTO #3493]
Signed-off-by: Li Wang <li.wang@windriver.com>
---
.../openssh-6.0p1/openssh-CVE-2011-4327.patch | 27 ++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 ++-
2 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
new file mode 100644
index 0000000..8489edc
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
@@ -0,0 +1,27 @@
+openssh-CVE-2011-4327
+
+A security flaw was found in the way ssh-keysign,
+a ssh helper program for host based authentication,
+attempted to retrieve enough entropy information on configurations that
+lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
+be executed to retrieve the entropy from the system environment).
+A local attacker could use this flaw to obtain unauthorized access to host keys
+via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
+http://www.openssh.com/txt/portable-keysign-rand-helper.adv
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+--- a/ssh-keysign.c
++++ b/ssh-keysign.c
+@@ -170,6 +170,10 @@
+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
++ fatal("fcntl failed");
+
+ original_real_uid = getuid(); /* XXX readconf.c needs this */
+ if ((pw = getpwuid(original_real_uid)) == NULL)
diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
index 31202d4..df77040 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
@@ -7,7 +7,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
-PR = "r3"
+PR = "r4"
DEPENDS = "zlib openssl"
DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://sshd_config \
file://ssh_config \
file://init \
+ file://openssh-CVE-2011-4327.patch \
${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
PAM_SRC_URI = "file://sshd"
--
1.7.11
* Re: [PATCH] openssh: CVE-2011-4327
2012-11-27 6:13 [PATCH] openssh: CVE-2011-4327 Li Wang
@ 2012-11-29 17:47 ` Saul Wold
2012-11-30 22:41 ` Scott Garman
From: Saul Wold @ 2012-11-29 17:47 UTC
To: Li Wang; +Cc: openembedded-core
On 11/26/2012 10:13 PM, Li Wang wrote:
> A security flaw was found in the way ssh-keysign,
> a ssh helper program for host based authentication,
> attempted to retrieve enough entropy information on configurations that
> lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> be executed to retrieve the entropy from the system environment).
> A local attacker could use this flaw to obtain unauthorized access to host keys
> via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> http://www.openssh.com/txt/portable-keysign-rand-helper.adv
>
> [YOCTO #3493]
>
> Signed-off-by: Li Wang <li.wang@windriver.com>
> ---
> .../openssh-6.0p1/openssh-CVE-2011-4327.patch | 27 ++++++++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.0p1.bb | 3 ++-
> 2 files changed, 29 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
> new file mode 100644
> index 0000000..8489edc
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh-6.0p1/openssh-CVE-2011-4327.patch
This has already been merged, but can you please send a patch to add the
Upstream-Status
Thanks
Sau!
> @@ -0,0 +1,27 @@
> +openssh-CVE-2011-4327
> +
> +A security flaw was found in the way ssh-keysign,
> +a ssh helper program for host based authentication,
> +attempted to retrieve enough entropy information on configurations that
> +lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> +be executed to retrieve the entropy from the system environment).
> +A local attacker could use this flaw to obtain unauthorized access to host keys
> +via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
> +
> +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> +http://www.openssh.com/txt/portable-keysign-rand-helper.adv
> +
> +Signed-off-by: Li Wang <li.wang@windriver.com>
> +--- a/ssh-keysign.c
> ++++ b/ssh-keysign.c
> +@@ -170,6 +170,10 @@
> + key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
> + key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
> + key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
> ++ if (fcntl(key_fd[0], F_SETFD, FD_CLOEXEC) != 0 ||
> ++ fcntl(key_fd[1], F_SETFD, FD_CLOEXEC) != 0 ||
> ++ fcntl(key_fd[2], F_SETFD, FD_CLOEXEC) != 0)
> ++ fatal("fcntl failed");
> +
> + original_real_uid = getuid(); /* XXX readconf.c needs this */
> + if ((pw = getpwuid(original_real_uid)) == NULL)
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
> index 31202d4..df77040 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.0p1.bb
> @@ -7,7 +7,7 @@ SECTION = "console/network"
> LICENSE = "BSD"
> LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>
> -PR = "r3"
> +PR = "r4"
>
> DEPENDS = "zlib openssl"
> DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
> @@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://sshd_config \
> file://ssh_config \
> file://init \
> + file://openssh-CVE-2011-4327.patch \
> ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
>
> PAM_SRC_URI = "file://sshd"
>
* Re: [PATCH] openssh: CVE-2011-4327
2012-11-27 6:13 [PATCH] openssh: CVE-2011-4327 Li Wang
2012-11-29 17:47 ` Saul Wold
@ 2012-11-30 22:41 ` Scott Garman
2012-12-03 14:13 ` Burton, Ross
From: Scott Garman @ 2012-11-30 22:41 UTC
To: openembedded-core
On 11/26/2012 10:13 PM, Li Wang wrote:
> A security flaw was found in the way ssh-keysign,
> a ssh helper program for host based authentication,
> attempted to retrieve enough entropy information on configurations that
> lacked a built-in entropy pool in OpenSSL (a ssh-rand-helper program would
> be executed to retrieve the entropy from the system environment).
> A local attacker could use this flaw to obtain unauthorized access to host keys
> via ptrace(2) process trace attached to the 'ssh-rand-helper' program.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4327
> http://www.openssh.com/txt/portable-keysign-rand-helper.adv
>
> [YOCTO #3493]
>
> Signed-off-by: Li Wang <li.wang@windriver.com>
Hi Li,
The second link you referenced above explains that the vulnerability
exists in versions prior to openssh 5.8p2, and yet your patch was
submitted against openssh 6.0p1. So it seems that this would not apply.
Or am I misunderstanding the nature of the bug?
Thanks,
Scott
--
Scott Garman
Embedded Linux Engineer - Yocto Project
Intel Open Source Technology Center
* Re: [PATCH] openssh: CVE-2011-4327
2012-11-30 22:41 ` Scott Garman
@ 2012-12-03 14:13 ` Burton, Ross
2012-12-04 1:28 ` Li.Wang
From: Burton, Ross @ 2012-12-03 14:13 UTC
To: Scott Garman, li.wang; +Cc: openembedded-core
On 30 November 2012 22:41, Scott Garman <scott.a.garman@intel.com> wrote:
> The second link you referenced above explains that the vulnerability exists
> in versions prior to openssh 5.8p2, and yet your patch was submitted against
> openssh 6.0p1. So it seems that this would not apply. Or am I
> misunderstanding the nature of the bug?
Prior to 5.8p2 *and* not Linux:
2. Affected configurations
Portable OpenSSH prior to version 5.8p2 only on platforms
that are configured to use ssh-rand-helper for entropy
collection.
ssh-rand-helper is enabled at configure time when it is
detected that OpenSSL does not have a built-in source of
randomness, and only used at runtime if this condition
remains. Platforms that support /dev/random or otherwise
configure OpenSSL with a random number provider are not
vulnerable.
In particular, *BSD, OS X, Cygwin and Linux are not
affected.
Ross
* Re: [PATCH] openssh: CVE-2011-4327
2012-12-03 14:13 ` Burton, Ross
@ 2012-12-04 1:28 ` Li.Wang
From: Li.Wang @ 2012-12-04 1:28 UTC
To: Burton, Ross; +Cc: openembedded-core, Scott Garman
This is my neglect.
The function has already been removed from OpenSSH prior to version 5.8p2:
ChangeLog:
20110505
- (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
[ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
[regress/README.regress] Remove ssh-rand-helper and all its
tentacles. PRNGd seeding has been rolled into entropy.c directly.
Thanks to tim@ for testing on affected platforms.
So, please revert the patch.
Thanks,
LiWang.
Burton, Ross wrote:
> On 30 November 2012 22:41, Scott Garman <scott.a.garman@intel.com> wrote:
>
>> The second link you referenced above explains that the vulnerability exists
>> in versions prior to openssh 5.8p2, and yet your patch was submitted against
>> openssh 6.0p1. So it seems that this would not apply. Or am I
>> misunderstanding the nature of the bug?
>>
>
> Prior to 5.8p2 *and* not Linux:
>
> 2. Affected configurations
>
> Portable OpenSSH prior to version 5.8p2 only on platforms
> that are configured to use ssh-rand-helper for entropy
> collection.
>
> ssh-rand-helper is enabled at configure time when it is
> detected that OpenSSL does not have a built-in source of
> randomness, and only used at runtime if this condition
> remains. Platforms that support /dev/random or otherwise
> configure OpenSSL with a random number provider are not
> vulnerable.
>
> In particular, *BSD, OS X, Cygwin and Linux are not
> affected.
>
> Ross
>
end of thread, other threads:[~2012-12-04 1:42 UTC | newest]
2012-11-27 6:13 [PATCH] openssh: CVE-2011-4327 Li Wang
2012-11-29 17:47 ` Saul Wold
2012-11-30 22:41 ` Scott Garman
2012-12-03 14:13 ` Burton, Ross
2012-12-04 1:28 ` Li.Wang
2012-11-27 5:53 Li Wang