From: Vijay Anusuri <vanus...@mvista.com>

ssh(1) in OpenSSH versions 9.5p1 to 9.7p1 (inclusive).
Logic error in ObscureKeystrokeTiming option.
A logic error in the implementation of the ssh(1) ObscureKeystrokeTiming option 
rendered the feature ineffective and additionally exposed limited keystroke 
timing information when terminal echo was disabled, e.g. while entering 
passwords to su(8) or sudo(8). This condition could be avoided for affected 
versions by disabling the feature using ObscureKeystrokeTiming=no.

References:
https://www.openssh.com/security.html
https://www.openssh.com/txt/release-9.8

Upstream-Status: Backport 
[https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08]

Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
---
 .../openssh/openssh/CVE-2024-39894.patch      | 35 +++++++++++++++++++
 .../openssh/openssh_9.6p1.bb                  |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2024-39894.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-39894.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2024-39894.patch
new file mode 100644
index 0000000000..898295340d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2024-39894.patch
@@ -0,0 +1,35 @@
+From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Mon, 1 Jul 2024 04:31:17 +0000
+Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
+ we
+
+can't rely on channel_did_enqueue to tell that there is data to send. This
+flag indicates that the channels code enqueued a packet on _this_ ppoll()
+iteration, not that data was enqueued in _any_ ppoll() iteration in the
+timeslice. ok markus@
+
+OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2024-39894.patch?h=ubuntu/noble-security
+Upstream commit 
https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08]
+CVE: CVE-2024-39894
+Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
+---
+ clientloop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -612,8 +612,9 @@ obfuscate_keystroke_timing(struct ssh *s
+               if (timespeccmp(&now, &chaff_until, >=)) {
+                       /* Stop if there have been no keystrokes for a while */
+                       stop_reason = "chaff time expired";
+-              } else if (timespeccmp(&now, &next_interval, >=)) {
+-                      /* Otherwise if we were due to send, then send chaff */
++              } else if (timespeccmp(&now, &next_interval, >=) &&
++                  !ssh_packet_have_data_to_write(ssh)) {
++                      /* If due to send but have no data, then send chaff */
+                       if (send_chaff(ssh))
+                               nchaff++;
+               }
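Review bot: the embedded diffstat ("clientloop.c | 7 ++++---", "4 insertions(+), 3 deletions(-)") does not match the clientloop.c hunk that follows it, which adds three lines and removes two (@@ -612,8 +612,9 @@). The Upstream-Status line says the patch was imported from Ubuntu rather than taken directly from the upstream commit, so please either refresh the diffstat or note in the header what was dropped relative to 146c420d29d055cc75c8606327a1cf8439fe3a08. That lets a later reader confirm the backport carries the complete obfuscate_keystroke_timing() change.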
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index 3cdf0327b0..8bc4f4269a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -28,6 +28,7 @@ SRC_URI = 
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            
file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
            
file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
            file://CVE-2024-6387.patch \
+           file://CVE-2024-39894.patch \
            "
 SRC_URI[sha256sum] = 
"910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
 
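Review bot: for the new "file://CVE-2024-39894.patch" entry, the submission should say that the patch applies to the 9.6p1 sources without fuzz when stacked after CVE-2024-6387.patch, and what was run to test it. The hunk it carries was imported from Ubuntu (offset 612 in clientloop.c) rather than generated against this recipe's tree, so a clean do_patch on this recipe is worth confirming in the commit message.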
-- 
2.25.1
