On Wed, Mar 31, 2021 at 11:19 PM Sana Kazi <sana.k...@kpit.com> wrote:
>
> Hi Steve,
>
> I have verified the patch on dunfell branch and it builds successfully.

Sorry, I tried your patch both locally and on the autobuilder and it
still fails to build:

https://errors.yoctoproject.org/Errors/Details/575272/

Steve


> ________________________________
> From: Steve Sakoman <st...@sakoman.com>
> Sent: Wednesday, March 31, 2021 11:31 PM
> To: Sana Kazi <sana.k...@kpit.com>
> Cc: Patches and discussions about the oe-core layer 
> <Openembedded-core@lists.openembedded.org>; Khem Raj <raj.k...@gmail.com>; 
> Nisha Parrakat <nisha.parra...@kpit.com>; Purushottam Choudhary 
> <purushottam.choudh...@kpit.com>; Harpritkaur Bhandari 
> <harpritkaur.bhand...@kpit.com>
> Subject: Re: [OE-core] [poky][dunfell][PATCHv2] openssh: fix CVE-2020-14145
>
> V2 also fails to build:
>
> ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt --quiltrc
> /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc
> push' exited with 0  Output:
> Applying patch CVE-2020-14145.patch
> patching file sshconnect2.c
> Hunk #1 FAILED at 102.
> Hunk #2 FAILED at 119.
> Hunk #3 FAILED at 159.
> 3 out of 3 hunks FAILED -- rejects in file sshconnect2.c
> Patch CVE-2020-14145.patch does not apply (enforce with -f)
>
> Before submitting please verify that your patches both apply to the
> head of the dunfell branch, and build as well!
>
> Steve
>
>
> On Wed, Mar 31, 2021 at 7:21 AM Sana Kazi <sana.k...@kpit.com> wrote:
> >
> > From: Lee Chee Yang <chee.yang....@intel.com>
> >
> > (From OE-Core rev: 38482edf1a31ed0735b746cf0ab3e1adda4199d1)
> >
> > Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
> > Signed-off-by: Anuj Mittal <anuj.mit...@intel.com>
> > Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
> > Signed-off-by: Sana Kazi <sana.k...@kpit.com>
> > ---
> >  .../openssh/openssh/CVE-2020-14145.patch      | 90 +++++++++++++++++++
> >  .../openssh/openssh_8.2p1.bb                  |  1 +
> >  2 files changed, 91 insertions(+)
> >  create mode 100644 
> > meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch 
> > b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> > new file mode 100644
> > index 0000000000..0046ee1a51
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> > @@ -0,0 +1,90 @@
> > +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
> > +From: "d...@openbsd.org" <d...@openbsd.org>
> > +Date: Fri, 18 Sep 2020 05:23:03 +0000
> > +Subject: [PATCH] upstream: tweak the client hostkey preference ordering
> > + algorithm to
> > +
> > +prefer the default ordering if the user has a key that matches the
> > +best-preference default algorithm.
> > +
> > +feedback and ok markus@
> > +
> > +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
> > +
> > +Upstream-Status: Backport
> > +[https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssh%2Fopenssh-portable%2Fcommit%2Fb3855ff053f5078ec3d3c653cdaedefaa5fc362d&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C4b74e63f0ba745d0e18608d8f46f0bd8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637528105076588451%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=FEdHjP9Fp%2BlrVEtby1zBa5W%2BlrkVHHFVJgMOk%2BvDusY%3D&amp;reserved=0]
> > +CVE: CVE-2020-14145
> > +Signed-off-by: Chee Yang Lee <chee.yang....@intel.com>
> > +
> > +---
> > + sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
> > + 1 file changed, 37 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/sshconnect2.c b/sshconnect2.c
> > +index 347e348c60..f64aae66af 100644
> > +--- a/sshconnect2.c
> > ++++ b/sshconnect2.c
> > +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, 
> > struct ssh *ssh)
> > +       return 0;
> > + }
> > +
> > ++/* Returns the first item from a comma-separated algorithm list */
> > ++static char *
> > ++first_alg(const char *algs)
> > ++{
> > ++      char *ret, *cp;
> > ++
> > ++      ret = xstrdup(algs);
> > ++      if ((cp = strchr(ret, ',')) != NULL)
> > ++              *cp = '\0';
> > ++      return ret;
> > ++}
> > ++
> > + static char *
> > + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> > + {
> > +-      char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
> > ++      char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
> > ++      char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
> > +       size_t maxlen;
> > +-      struct hostkeys *hostkeys;
> > ++      struct hostkeys *hostkeys = NULL;
> > +       int ktype;
> > +       u_int i;
> > +
> > +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr 
> > *hostaddr, u_short port)
> > +       for (i = 0; i < options.num_system_hostfiles; i++)
> > +               load_hostkeys(hostkeys, hostname, 
> > options.system_hostfiles[i]);
> > +
> > ++      /*
> > ++       * If a plain public key exists that matches the type of the best
> > ++       * preference HostkeyAlgorithms, then use the whole list as is.
> > ++       * Note that we ignore whether the best preference algorithm is a
> > ++       * certificate type, as sshconnect.c will downgrade certs to
> > ++       * plain keys if necessary.
> > ++       */
> > ++      best = first_alg(options.hostkeyalgorithms);
> > ++      if (lookup_key_in_hostkeys_by_type(hostkeys,
> > ++          sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
> > ++              debug3("%s: have matching best-preference key type %s, "
> > ++                  "using HostkeyAlgorithms verbatim", __func__, best);
> > ++              ret = xstrdup(options.hostkeyalgorithms);
> > ++              goto out;
> > ++      }
> > ++
> > ++      /*
> > ++       * Otherwise, prefer the host key algorithms that match known keys
> > ++       * while keeping the ordering of HostkeyAlgorithms as much as 
> > possible.
> > ++       */
> > +       oavail = avail = xstrdup(options.hostkeyalgorithms);
> > +       maxlen = strlen(avail) + 1;
> > +       first = xmalloc(maxlen);
> > +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr 
> > *hostaddr, u_short port)
> > +       if (*first != '\0')
> > +               debug3("%s: prefer hostkeyalgs: %s", __func__, first);
> > +
> > ++ out:
> > ++      free(best);
> > +       free(first);
> > +       free(last);
> > +       free(hostname);
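Review bot: the patch file as received has been reflowed by the mail client, which matches the three failed hunks in the do_patch error quoted above: long context lines such as `+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey,` / `struct ssh *ssh)` and `+               load_hostkeys(hostkeys, hostname,` / `options.system_hostfiles[i]);` are split across two lines, and the Upstream-Status URL has been replaced by an apc01.safelinks.protection.outlook.com redirect instead of the plain github.com/openssh/openssh-portable commit link. A file that differs from the one tested locally cannot be expected to apply on the branch head, so please resend with git send-email (or another path that does not wrap lines or rewrite URLs) and restore the plain upstream URL in the Upstream-Status tag. The code change itself reads cleanly: `best` is freed at `out:`, and `first`, `last`, `hostname` and `ret` are initialised to NULL so the early `goto out` taken before they are allocated falls through the existing free() calls safely.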
> > diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb 
> > b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> > index fe94f30503..17965557a7 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> > @@ -24,6 +24,7 @@ SRC_URI = 
> > "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fftp.openbsd.org%2Fpub%2FOpenBSD%2FOpenSSH%2Fportable%2Fopenssh-%24&amp;data=04%7C01%7CSana.Kazi%40kpit.com%7C4b74e63f0ba745d0e18608d8f46f0bd8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637528105076588451%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=ena%2BrAqlj%2BihIcDkex1Y%2Fd6v9GZZN%2BJOCwE34psSas8%3D&amp;reserved=0{PV}.tar
> >             
> > file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
> >             file://sshd_check_keys \
> >             file://add-test-support-for-busybox.patch \
> > +           file://CVE-2020-14145.patch \
> >             "
> >  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> >  SRC_URI[sha256sum] = 
> > "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
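Review bot: the SRC_URI context line of this hunk has been rewritten by the same mail-client link protection: it now begins with an apc01.safelinks.protection.outlook.com redirect and ends in `%24...{PV}.tar` where the recipe has the plain ftp.openbsd.org URL, so this hunk will not match the dunfell recipe as received either. The addition itself, `+           file://CVE-2020-14145.patch \`, is correct and placed before the closing quote; resending without URL rewriting should be all this file needs.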
> > --
> > 2.17.1
> >
> > This message contains information that may be privileged or confidential 
> > and is the property of the KPIT Technologies Ltd. It is intended only for 
> > the person to whom it is addressed. If you are not the intended recipient, 
> > you are not authorized to read, print, retain copy, disseminate, 
> > distribute, or use this message or any part thereof. If you receive this 
> > message in error, please notify the sender immediately and delete all 
> > copies of this message. KPIT Technologies Ltd. does not accept any 
> > liability for virus infected mails.
> >
> >
> >
>
> 
>
View/Reply Online (#150164): 
https://lists.openembedded.org/g/openembedded-core/message/150164