Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145
This patch fails on the autobuilder: stdio: ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt --quiltrc /home/pokybuild/yocto-worker/beaglebone-alt/build/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Steve On Tue, Mar 30, 2021 at 8:22 PM Sana Kazi wrote: > > Applied patch for CVE-2020-14145 which fixes > man-in-the-middle attack. > Link: > https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d > > Signed-off-by: Sana Kazi > --- > .../openssh/openssh/CVE-2020-14145.patch | 97 +++ > .../openssh/openssh_8.2p1.bb | 1 + > 2 files changed, 98 insertions(+) > create mode 100644 > meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > new file mode 100644 > index 00..3adb981fb4 > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch > @@ -0,0 +1,97 @@ > +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 > +From: "d...@openbsd.org" > +Date: Fri, 18 Sep 2020 05:23:03 + > +Subject: upstream: tweak the client hostkey preference ordering algorithm to > + > +prefer the default ordering if the user has a key that matches the > +best-preference default algorithm. > + > +feedback and ok markus@ > + > +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f > + > +Signed-off-by: Sana Kazi > +--- > + sshconnect2.c | 41 ++--- > + 1 file changed, 38 insertions(+), 3 deletions(-) > + > +CVE: CVE-2020-14145 > +Upstream-Status: Backport > [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d] > +Comment: Refreshed first hunk > + > +diff --git a/sshconnect2.c b/sshconnect2.c > +index 347e348c..f64aae66 100644 > +--- a/sshconnect2.c > b/sshconnect2.c > +@@ -1,4 +1,4 @@ > +-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */ > ++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */ > + /* > + * Copyright (c) 2000 Markus Friedl. All rights reserved. > + * Copyright (c) 2008 Damien Miller. All rights reserved. > +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, > struct ssh *ssh) > + return 0; > + } > + > ++/* Returns the first item from a comma-separated algorithm list */ > ++static char * > ++first_alg(const char *algs) > ++{ > ++ char *ret, *cp; > ++ > ++ ret = xstrdup(algs); > ++ if ((cp = strchr(ret, ',')) != NULL) > ++ *cp = '\0'; > ++ return ret; > ++} > ++ > + static char * > + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) > + { > +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; > ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; > ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; > + size_t maxlen; > +- struct hostkeys *hostkeys; > ++ struct hostkeys *hostkeys = NULL; > + int ktype; > + u_int i; > + > +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr > *hostaddr, u_short port) > + for (i = 0; i < options.num_system_hostfiles; i++) > + load_hostkeys(hostkeys, hostname, > options.system_hostfiles[i]); > + > ++ /* > ++ * If a plain public key exists that matches the type of the best > ++ * preference HostkeyAlgorithms, then use the whole list as is. > ++ * Note that we ignore whether the best preference algorithm is a > ++ * certificate type, as sshconnect.c will downgrade certs to > ++ * plain keys if necessary. > ++ */ > ++ best = first_alg(options.hostkeyalgorithms); > ++ if (lookup_key_in_hostkeys_by_type(hostkeys, > ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { > ++ debug3("%s: have matching best-preference key type %s, " > ++ "using HostkeyAlgorithms verbatim", __func__, best); > ++ ret = xstrdup(options.hostkeyalgorithms); > ++ goto out; > ++ } > ++ > ++ /* > ++ * Otherwise, prefer the host key algorithms that match known keys > ++ * while keeping the ordering of HostkeyAlgorithms as much as > possible. > ++ */ > + oavail = avail = xstrdup(options.hostkeyalgorithms); > + maxlen = strlen(avail) + 1; > + first = xmalloc(maxlen); > +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, > u_short port) > + if (*first != '\0') > + debug3("%s: prefer hostkeyalgs: %s", __func__, first); > + > ++ out: > ++ free(best); > + free(first); > + free(last); > + free(hostname); > +-- > +cgit v1.2.3 > diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb > b/meta/rec
[OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145
Applied patch for CVE-2020-14145 which fixes man-in-the-middle attack. Link: https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d Signed-off-by: Sana Kazi --- .../openssh/openssh/CVE-2020-14145.patch | 97 +++ .../openssh/openssh_8.2p1.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode 100644 index 00..3adb981fb4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch @@ -0,0 +1,97 @@ +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" +Date: Fri, 18 Sep 2020 05:23:03 + +Subject: upstream: tweak the client hostkey preference ordering algorithm to + +prefer the default ordering if the user has a key that matches the +best-preference default algorithm. + +feedback and ok markus@ + +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f + +Signed-off-by: Sana Kazi +--- + sshconnect2.c | 41 ++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +CVE: CVE-2020-14145 +Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d] +Comment: Refreshed first hunk + +diff --git a/sshconnect2.c b/sshconnect2.c +index 347e348c..f64aae66 100644 +--- a/sshconnect2.c b/sshconnect2.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */ ++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2008 Damien Miller. All rights reserved. +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + return 0; + } + ++/* Returns the first item from a comma-separated algorithm list */ ++static char * ++first_alg(const char *algs) ++{ ++ char *ret, *cp; ++ ++ ret = xstrdup(algs); ++ if ((cp = strchr(ret, ',')) != NULL) ++ *cp = '\0'; ++ return ret; ++} ++ + static char * + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + { +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; + size_t maxlen; +- struct hostkeys *hostkeys; ++ struct hostkeys *hostkeys = NULL; + int ktype; + u_int i; + +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + ++ /* ++ * If a plain public key exists that matches the type of the best ++ * preference HostkeyAlgorithms, then use the whole list as is. ++ * Note that we ignore whether the best preference algorithm is a ++ * certificate type, as sshconnect.c will downgrade certs to ++ * plain keys if necessary. ++ */ ++ best = first_alg(options.hostkeyalgorithms); ++ if (lookup_key_in_hostkeys_by_type(hostkeys, ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { ++ debug3("%s: have matching best-preference key type %s, " ++ "using HostkeyAlgorithms verbatim", __func__, best); ++ ret = xstrdup(options.hostkeyalgorithms); ++ goto out; ++ } ++ ++ /* ++ * Otherwise, prefer the host key algorithms that match known keys ++ * while keeping the ordering of HostkeyAlgorithms as much as possible. ++ */ + oavail = avail = xstrdup(options.hostkeyalgorithms); + maxlen = strlen(avail) + 1; + first = xmalloc(maxlen); +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + if (*first != '\0') + debug3("%s: prefer hostkeyalgs: %s", __func__, first); + ++ out: ++ free(best); + free(first); + free(last); + free(hostname); +-- +cgit v1.2.3 diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index fe94f30503..17965557a7 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb @@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://CVE-2020-14145.patch \ " SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" SRC_URI[sha256sum] = "43