On Wed, Mar 31, 2021 at 11:19 PM Sana Kazi <sana.k...@kpit.com> wrote: > > Hi Steve, > > I have verified the patch on dunfell branch and it builds successfully.
Sorry, I tried your patch both locally and on the autobuilder and it still fails to build: https://errors.yoctoproject.org/Errors/Details/575272/ Steve > ________________________________ > From: Steve Sakoman <st...@sakoman.com> > Sent: Wednesday, March 31, 2021 11:31 PM > To: Sana Kazi <sana.k...@kpit.com> > Cc: Patches and discussions about the oe-core layer > <Openembedded-core@lists.openembedded.org>; Khem Raj <raj.k...@gmail.com>; > Nisha Parrakat <nisha.parra...@kpit.com>; Purushottam Choudhary > <purushottam.choudh...@kpit.com>; Harpritkaur Bhandari > <harpritkaur.bhand...@kpit.com> > Subject: Re: [OE-core] [poky][dunfell][PATCHv2] openssh: fix CVE-2020-14145 > > V2 also fails to build: > > ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt --quiltrc > /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc > push' exited with 0 Output: > Applying patch CVE-2020-14145.patch > patching file sshconnect2.c > Hunk #1 FAILED at 102. > Hunk #2 FAILED at 119. > Hunk #3 FAILED at 159. > 3 out of 3 hunks FAILED -- rejects in file sshconnect2.c > Patch CVE-2020-14145.patch does not apply (enforce with -f) > > Before submitting please verify that your patches both apply to the > head of the dunfell branch, and build as well! > > Steve > > > On Wed, Mar 31, 2021 at 7:21 AM Sana Kazi <sana.k...@kpit.com> wrote: > > > > From: Lee Chee Yang <chee.yang....@intel.com> > > > > (From OE-Core rev: 38482edf1a31ed0735b746cf0ab3e1adda4199d1) > > > > Signed-off-by: Lee Chee Yang <chee.yang....@intel.com> > > Signed-off-by: Anuj Mittal <anuj.mit...@intel.com> > > Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> > > Signed-off-by: Sana Kazi <sana.k...@kpit.com> > > --- > > .../openssh/openssh/CVE-2020-14145.patch | 90 +++++++++++++++++++ > > .../openssh/openssh_8.2p1.bb | 1 + > > 2 files changed, 91 insertions(+) > > create mode 100644 > > meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > > > > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > > b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > > new file mode 100644 > > index 0000000000..0046ee1a51 > > --- /dev/null > > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > > @@ -0,0 +1,90 @@ > > +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 > > +From: "d...@openbsd.org" <d...@openbsd.org> > > +Date: Fri, 18 Sep 2020 05:23:03 +0000 > > +Subject: [PATCH] upstream: tweak the client hostkey preference ordering > > + algorithm to > > + > > +prefer the default ordering if the user has a key that matches the > > +best-preference default algorithm. > > + > > +feedback and ok markus@ > > + > > +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f > > + > > +Upstream-Status: Backport > > +[https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssh%2Fopenssh-portable%2Fcommit%2Fb3855ff053f5078ec3d3c653cdaedefaa5fc362d&data=04%7C01%7CSana.Kazi%40kpit.com%7C4b74e63f0ba745d0e18608d8f46f0bd8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637528105076588451%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=FEdHjP9Fp%2BlrVEtby1zBa5W%2BlrkVHHFVJgMOk%2BvDusY%3D&reserved=0] > > +CVE: CVE-2020-14145 > > +Signed-off-by: Chee Yang Lee <chee.yang....@intel.com> > > + > > +--- > > + sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++--- > > + 1 file changed, 37 insertions(+), 2 deletions(-) > > + > > +diff --git a/sshconnect2.c b/sshconnect2.c > > +index 347e348c60..f64aae66af 100644 > > +--- a/sshconnect2.c > > ++++ b/sshconnect2.c > > +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, > > struct ssh *ssh) > > + return 0; > > + } > > + > > ++/* Returns the first item from a comma-separated algorithm list */ > > ++static char * > > ++first_alg(const char *algs) > > ++{ > > ++ char *ret, *cp; > > ++ > > ++ ret = xstrdup(algs); > > ++ if ((cp = strchr(ret, ',')) != NULL) > > ++ *cp = '\0'; > > ++ return ret; > > ++} > > ++ > > + static char * > > + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) > > + { > > +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; > > ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; > > ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; > > + size_t maxlen; > > +- struct hostkeys *hostkeys; > > ++ struct hostkeys *hostkeys = NULL; > > + int ktype; > > + u_int i; > > + > > +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr > > *hostaddr, u_short port) > > + for (i = 0; i < options.num_system_hostfiles; i++) > > + load_hostkeys(hostkeys, hostname, > > options.system_hostfiles[i]); > > + > > ++ /* > > ++ * If a plain public key exists that matches the type of the best > > ++ * preference HostkeyAlgorithms, then use the whole list as is. > > ++ * Note that we ignore whether the best preference algorithm is a > > ++ * certificate type, as sshconnect.c will downgrade certs to > > ++ * plain keys if necessary. > > ++ */ > > ++ best = first_alg(options.hostkeyalgorithms); > > ++ if (lookup_key_in_hostkeys_by_type(hostkeys, > > ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { > > ++ debug3("%s: have matching best-preference key type %s, " > > ++ "using HostkeyAlgorithms verbatim", __func__, best); > > ++ ret = xstrdup(options.hostkeyalgorithms); > > ++ goto out; > > ++ } > > ++ > > ++ /* > > ++ * Otherwise, prefer the host key algorithms that match known keys > > ++ * while keeping the ordering of HostkeyAlgorithms as much as > > possible. > > ++ */ > > + oavail = avail = xstrdup(options.hostkeyalgorithms); > > + maxlen = strlen(avail) + 1; > > + first = xmalloc(maxlen); > > +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr > > *hostaddr, u_short port) > > + if (*first != '\0') > > + debug3("%s: prefer hostkeyalgs: %s", __func__, first); > > + > > ++ out: > > ++ free(best); > > + free(first); > > + free(last); > > + free(hostname); > > diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb > > b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb > > index fe94f30503..17965557a7 100644 > > --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb > > +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb > > @@ -24,6 +24,7 @@ SRC_URI = > > "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fftp.openbsd.org%2Fpub%2FOpenBSD%2FOpenSSH%2Fportable%2Fopenssh-%24&data=04%7C01%7CSana.Kazi%40kpit.com%7C4b74e63f0ba745d0e18608d8f46f0bd8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637528105076588451%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ena%2BrAqlj%2BihIcDkex1Y%2Fd6v9GZZN%2BJOCwE34psSas8%3D&reserved=0{PV}.tar > > > > file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ > > file://sshd_check_keys \ > > file://add-test-support-for-busybox.patch \ > > + file://CVE-2020-14145.patch \ > > " > > SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" > > SRC_URI[sha256sum] = > > "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" > > -- > > 2.17.1 > > > > This message contains information that may be privileged or confidential > > and is the property of the KPIT Technologies Ltd. It is intended only for > > the person to whom it is addressed. If you are not the intended recipient, > > you are not authorized to read, print, retain copy, disseminate, > > distribute, or use this message or any part thereof. If you receive this > > message in error, please notify the sender immediately and delete all > > copies of this message. KPIT Technologies Ltd. does not accept any > > liability for virus infected mails. > > > > > > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#150164): https://lists.openembedded.org/g/openembedded-core/message/150164 Mute This Topic: https://lists.openembedded.org/mt/81755669/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-