Steve Sakoman <st...@sakoman.com> wrote (Wednesday, 3/07/2024 at 14:41):

> On Tue, Jul 2, 2024 at 10:15 AM Jose Quaresma via lists.openembedded.org
> <quaresma.jose=gmail....@lists.openembedded.org> wrote:
> >
> > Hi Matthew,
> >
> > Matthew Bullock <mbull...@thegoodpenguin.co.uk> wrote (Tuesday, 2/07/2024 at 18:00):
> >>
> >> On Tue, 2 Jul 2024 at 17:34, Jose Quaresma via lists.openembedded.org
> >> <quaresma.jose=gmail....@lists.openembedded.org> wrote:
> >> >
> >> > sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
> >> > Race condition resulting in potential remote code execution.
> >> > A race condition in sshd(8) could allow remote code execution as root
> >> > on non-OpenBSD systems.
> >> > This attack could be prevented by disabling the login grace timeout
> >> > (LoginGraceTime=0 in sshd_config)
> >> > though this makes denial-of-service against sshd(8) considerably easier.
> >> > For more information, please refer to the release notes [1] and the
> >> > report from the Qualys Security Advisory Team [2] who discovered the bug.
> >>
> >> Wouldn't it be better to use the much cleaner fix from openssh-portable:
> >> https://github.com/openssh/openssh-portable/commit/b00331402fe5c60d577f3ffcc35e49286cdc6b47
> >>
> >> I realise that most of the distros seem to have copied the same early
> >> patch but I assume that was to get the fix done prior to public
> >> exposure. As there's a proper fix isn't that better?
> >>
> >> Matthew
> >
> > On the regression report [1] the suggested way to fix this is this one,
> > as you can see below:
> >
> > [1] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
> >
> > ========================================================================
> > Patches and mitigation
> > ========================================================================
> >
> > Because this fix is part of a large commit (81c1099), on top of an even
> > larger defense-in-depth commit (03e3de4, "Start the process of splitting
> > sshd into separate binaries"), it might prove difficult to backport. In
> > that case, the signal handler race condition itself can be fixed by
> > removing or commenting out the async-signal-unsafe code from the
> > sshsigdie() function; for example:
> >
> > ------------------------------------------------------------------------
> > sshsigdie(const char *file, const char *func, int line, int showfunc,
> >     LogLevel level, const char *suffix, const char *fmt, ...)
> > {
> > #if 0
> > 	va_list args;
> >
> > 	va_start(args, fmt);
> > 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
> > 	    suffix, fmt, args);
> > 	va_end(args);
> > #endif
> > 	_exit(1);
> > }
> > ------------------------------------------------------------------------
> >
> > Jose
> >
> > --
> > Best regards,
> >
> > José Quaresma
>
> Thanks for this additional explanation. You can disregard my previous
> request for a V2 on the scarthgap version since there is no upstream
> commit!
>
> Steve

Got it. I only saw this message after replying to the other scarthgap version.

Jose

--
Best regards,

José Quaresma
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#201483): https://lists.openembedded.org/g/openembedded-core/message/201483
-=-=-=-=-=-=-=-=-=-=-=-