Re: [OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145
This patch fails on the autobuilder:
stdio: ERROR: openssh-8.2p1-r0 do_patch: Command Error: 'quilt
--quiltrc
/home/pokybuild/yocto-worker/beaglebone-alt/build/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openssh/8.2p1-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0 Output:
Steve
On Tue, Mar 30, 2021 at 8:22 PM Sana Kazi wrote:
>
> Applied patch for CVE-2020-14145 which fixes
> man-in-the-middle attack.
> Link:
> https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
>
> Signed-off-by: Sana Kazi
> ---
> .../openssh/openssh/CVE-2020-14145.patch | 97 +++
> .../openssh/openssh_8.2p1.bb | 1 +
> 2 files changed, 98 insertions(+)
> create mode 100644
> meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> new file mode 100644
> index 00..3adb981fb4
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> @@ -0,0 +1,97 @@
> +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
> +From: "d...@openbsd.org"
> +Date: Fri, 18 Sep 2020 05:23:03 +
> +Subject: upstream: tweak the client hostkey preference ordering algorithm to
> +
> +prefer the default ordering if the user has a key that matches the
> +best-preference default algorithm.
> +
> +feedback and ok markus@
> +
> +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
> +
> +Signed-off-by: Sana Kazi
> +---
> + sshconnect2.c | 41 ++---
> + 1 file changed, 38 insertions(+), 3 deletions(-)
> +
> +CVE: CVE-2020-14145
> +Upstream-Status: Backport
> [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
> +Comment: Refreshed first hunk
> +
> +diff --git a/sshconnect2.c b/sshconnect2.c
> +index 347e348c..f64aae66 100644
> +--- a/sshconnect2.c
> b/sshconnect2.c
> +@@ -1,4 +1,4 @@
> +-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
> ++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
> + /*
> + * Copyright (c) 2000 Markus Friedl. All rights reserved.
> + * Copyright (c) 2008 Damien Miller. All rights reserved.
> +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey,
> struct ssh *ssh)
> + return 0;
> + }
> +
> ++/* Returns the first item from a comma-separated algorithm list */
> ++static char *
> ++first_alg(const char *algs)
> ++{
> ++ char *ret, *cp;
> ++
> ++ ret = xstrdup(algs);
> ++ if ((cp = strchr(ret, ',')) != NULL)
> ++ *cp = '\0';
> ++ return ret;
> ++}
> ++
> + static char *
> + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> + {
> +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
> ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
> ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
> + size_t maxlen;
> +- struct hostkeys *hostkeys;
> ++ struct hostkeys *hostkeys = NULL;
> + int ktype;
> + u_int i;
> +
> +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr
> *hostaddr, u_short port)
> + for (i = 0; i < options.num_system_hostfiles; i++)
> + load_hostkeys(hostkeys, hostname,
> options.system_hostfiles[i]);
> +
> ++ /*
> ++ * If a plain public key exists that matches the type of the best
> ++ * preference HostkeyAlgorithms, then use the whole list as is.
> ++ * Note that we ignore whether the best preference algorithm is a
> ++ * certificate type, as sshconnect.c will downgrade certs to
> ++ * plain keys if necessary.
> ++ */
> ++ best = first_alg(options.hostkeyalgorithms);
> ++ if (lookup_key_in_hostkeys_by_type(hostkeys,
> ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
> ++ debug3("%s: have matching best-preference key type %s, "
> ++ "using HostkeyAlgorithms verbatim", __func__, best);
> ++ ret = xstrdup(options.hostkeyalgorithms);
> ++ goto out;
> ++ }
> ++
> ++ /*
> ++ * Otherwise, prefer the host key algorithms that match known keys
> ++ * while keeping the ordering of HostkeyAlgorithms as much as
> possible.
> ++ */
> + oavail = avail = xstrdup(options.hostkeyalgorithms);
> + maxlen = strlen(avail) + 1;
> + first = xmalloc(maxlen);
> +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr,
> u_short port)
> + if (*first != '\0')
> + debug3("%s: prefer hostkeyalgs: %s", __func__, first);
> +
> ++ out:
> ++ free(best);
> + free(first);
> + free(last);
> + free(hostname);
> +--
> +cgit v1.2.3
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> b/meta/rec
[OE-core] [poky][dunfell][PATCH] openssh: Add fix for CVE-2020-14145
Applied patch for CVE-2020-14145 which fixes
man-in-the-middle attack.
Link:
https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d
Signed-off-by: Sana Kazi
---
.../openssh/openssh/CVE-2020-14145.patch | 97 +++
.../openssh/openssh_8.2p1.bb | 1 +
2 files changed, 98 insertions(+)
create mode 100644
meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 00..3adb981fb4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org"
+Date: Fri, 18 Sep 2020 05:23:03 +
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Signed-off-by: Sana Kazi
+---
+ sshconnect2.c | 41 ++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-14145
+Upstream-Status: Backport
[https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2008 Damien Miller. All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct
ssh *ssh)
+ return 0;
+ }
+
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++ char *ret, *cp;
++
++ ret = xstrdup(algs);
++ if ((cp = strchr(ret, ',')) != NULL)
++ *cp = '\0';
++ return ret;
++}
++
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+ size_t maxlen;
+- struct hostkeys *hostkeys;
++ struct hostkeys *hostkeys = NULL;
+ int ktype;
+ u_int i;
+
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr,
u_short port)
+ for (i = 0; i < options.num_system_hostfiles; i++)
+ load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
++ /*
++ * If a plain public key exists that matches the type of the best
++ * preference HostkeyAlgorithms, then use the whole list as is.
++ * Note that we ignore whether the best preference algorithm is a
++ * certificate type, as sshconnect.c will downgrade certs to
++ * plain keys if necessary.
++ */
++ best = first_alg(options.hostkeyalgorithms);
++ if (lookup_key_in_hostkeys_by_type(hostkeys,
++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++ debug3("%s: have matching best-preference key type %s, "
++ "using HostkeyAlgorithms verbatim", __func__, best);
++ ret = xstrdup(options.hostkeyalgorithms);
++ goto out;
++ }
++
++ /*
++ * Otherwise, prefer the host key algorithms that match known keys
++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
++ */
+ oavail = avail = xstrdup(options.hostkeyalgorithms);
+ maxlen = strlen(avail) + 1;
+ first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr,
u_short port)
+ if (*first != '\0')
+ debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+
++ out:
++ free(best);
+ free(first);
+ free(last);
+ free(hostname);
+--
+cgit v1.2.3
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index fe94f30503..17965557a7 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -24,6 +24,7 @@ SRC_URI =
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://CVE-2020-14145.patch \
"
SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
SRC_URI[sha256sum] =
"43
