Date:      Fri, 13 Jan 2017 23:48:07 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r431450 - in branches/2017Q1/security/openssh-portable: . files
Message-ID:  <201701132348.v0DNm77u035069@repo.freebsd.org>

Author: bdrewery
Date: Fri Jan 13 23:48:07 2017
New Revision: 431450
URL: https://svnweb.freebsd.org/changeset/ports/431450

Log:
  MFH: r431438 r431445
  
  Add patches to cover security issues CVE-2016-10009 and CVE-2016-10010.
  
  Security:	2c948527-d823-11e6-9171-14dae9d210b8
  Submitted by:	Tim Zingelman <zingelman@gmail.com>
  
  Add forgotten patch in r431438 for CVE-2016-10009 and CVE-2016-10010.
  
  Security:	2c948527-d823-11e6-9171-14dae9d210b8
  Submitted by:	Tim Zingelman <zingelman@gmail.com>
  
  Approved by:	portmgr (implicit)

Added:
  branches/2017Q1/security/openssh-portable/files/patch-serverloop.c
     - copied unchanged from r431445, head/security/openssh-portable/files/patch-serverloop.c
Modified:
  branches/2017Q1/security/openssh-portable/Makefile
  branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.1
  branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.c
Directory Properties:
  branches/2017Q1/   (props changed)

Modified: branches/2017Q1/security/openssh-portable/Makefile
==============================================================================
--- branches/2017Q1/security/openssh-portable/Makefile	Fri Jan 13 23:47:07 2017	(r431449)
+++ branches/2017Q1/security/openssh-portable/Makefile	Fri Jan 13 23:48:07 2017	(r431450)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	7.3p1
-PORTREVISION=	1
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable

Copied: branches/2017Q1/security/openssh-portable/files/patch-serverloop.c (from r431445, head/security/openssh-portable/files/patch-serverloop.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q1/security/openssh-portable/files/patch-serverloop.c	Fri Jan 13 23:48:07 2017	(r431450, copy of r431445, head/security/openssh-portable/files/patch-serverloop.c)
@@ -0,0 +1,23 @@
+Fix CVE-2016-10010
+
+
+--- serverloop.c.orig	2016-07-27 17:54:27.000000000 -0500
++++ serverloop.c	2017-01-11 18:44:42.881227000 -0600
+@@ -999,7 +999,7 @@
+ 
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+-	    !no_port_forwarding_flag) {
++	    !no_port_forwarding_flag && use_privsep) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
+ 	} else {
+@@ -1280,7 +1280,7 @@
+ 
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+-		    || no_port_forwarding_flag) {
++		    || no_port_forwarding_flag || !use_privsep) {
+ 			success = 0;
+ 			packet_send_debug("Server has disabled port forwarding.");
+ 		} else {
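Review bot: The added `use_privsep` condition in both inner hunks carries no explanation inside the patch file, so a reader of this port patch cannot tell why privilege separation now gates Unix-domain socket forwarding; the header line `Fix CVE-2016-10010` should state the rule in one sentence, e.g. `Unix-domain socket (streamlocal) forwarding is only permitted when privilege separation is enabled (CVE-2016-10010).` The first inner hunk refuses by falling through to the existing `else` branch while the second reports `Server has disabled port forwarding.`; whether the first path logs anything cannot be seen here. Both modified conditions sit inside functions that start and end outside the hunk.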

Modified: branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.1
==============================================================================
--- branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.1	Fri Jan 13 23:47:07 2017	(r431449)
+++ branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.1	Fri Jan 13 23:48:07 2017	(r431450)
@@ -4,9 +4,12 @@ r226103 | des | 2011-10-07 08:10:16 -050
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.1.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.1	2015-06-02 09:45:37.025390000 -0500
-@@ -43,7 +43,7 @@
+Add a -P option to specify PKCS11_WHITELIST
+
+
+--- ssh-agent.1.orig	2016-07-27 17:54:27.000000000 -0500
++++ ssh-agent.1	2017-01-11 19:05:12.513900000 -0600
+@@ -43,10 +43,11 @@
  .Sh SYNOPSIS
  .Nm ssh-agent
  .Op Fl c | s
@@ -15,7 +18,30 @@ disconnected.
  .Op Fl a Ar bind_address
  .Op Fl E Ar fingerprint_hash
  .Op Fl t Ar life
-@@ -128,6 +128,8 @@
++.Op Fl P Ar pkcs11_whitelist
+ .Op Ar command Op Ar arg ...
+ .Nm ssh-agent
+ .Op Fl c | s
+@@ -121,6 +122,18 @@
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++.It Fl P
++Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
++that may be added using the
++.Fl s
++option to
++.Xr ssh-add 1 .
++The default is to allow loading PKCS#11 libraries from
++.Dq /usr/lib/*,/usr/local/lib/* .
++PKCS#11 libraries that do not match the whitelist will be refused.
++See PATTERNS in
++.Xr ssh_config 5
++for a description of pattern-list syntax.
+ .It Fl s
+ Generate Bourne shell commands on
+ .Dv stdout .
+@@ -135,6 +148,8 @@
  .Xr ssh-add 1
  overrides this value.
  Without this option the default maximum lifetime is forever.
@@ -23,4 +49,4 @@ disconnected.
 +Exit after the last client has disconnected.
  .El
  .Pp
- If a commandline is given, this is executed as a subprocess of the agent.
+ If a command line is given, this is executed as a subprocess of the agent.

Modified: branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.c
==============================================================================
--- branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.c	Fri Jan 13 23:47:07 2017	(r431449)
+++ branches/2017Q1/security/openssh-portable/files/patch-ssh-agent.c	Fri Jan 13 23:48:07 2017	(r431450)
@@ -8,9 +8,39 @@ r226103 | des | 2011-10-07 08:10:16 -050
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.c	2015-06-02 09:46:54.719580000 -0500
-@@ -157,15 +157,34 @@ static long lifetime = 0;
+Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
+
+
+--- ssh-agent.c.orig	2016-07-27 17:54:27.000000000 -0500
++++ ssh-agent.c	2017-01-11 19:02:59.600125000 -0600
+@@ -83,11 +83,16 @@
+ #include "misc.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "match.h"
+ 
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+ #endif
+ 
++#ifndef DEFAULT_PKCS11_WHITELIST
++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
++#endif
++
+ typedef enum {
+ 	AUTH_UNUSED,
+ 	AUTH_SOCKET,
+@@ -135,6 +140,9 @@
+ char socket_name[PATH_MAX];
+ char socket_dir[PATH_MAX];
+ 
++/* PKCS#11 path whitelist */
++static char *pkcs11_whitelist;
++
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -150,15 +158,34 @@
  
  static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  
@@ -45,7 +75,50 @@ disconnected.
  }
  
  static void
-@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd)
+@@ -738,7 +765,7 @@
+ static void
+ process_add_smartcard_key(SocketEntry *e)
+ {
+-	char *provider = NULL, *pin;
++	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
+ 	int r, i, version, count = 0, success = 0, confirm = 0;
+ 	u_int seconds;
+ 	time_t death = 0;
+@@ -770,10 +797,21 @@
+ 			goto send;
+ 		}
+ 	}
++	if (realpath(provider, canonical_provider) == NULL) {
++		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
++		    provider, strerror(errno));
++		goto send;
++	}
++	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
++		verbose("refusing PKCS#11 add of \"%.100s\": "
++		    "provider not whitelisted", canonical_provider);
++		goto send;
++	}
++	debug("%s: add %.100s", __func__, canonical_provider);
+ 	if (lifetime && !death)
+ 		death = monotime() + lifetime;
+ 
+-	count = pkcs11_add_provider(provider, pin, &keys);
++	count = pkcs11_add_provider(canonical_provider, pin, &keys);
+ 	for (i = 0; i < count; i++) {
+ 		k = keys[i];
+ 		version = k->type == KEY_RSA1 ? 1 : 2;
+@@ -781,8 +819,8 @@
+ 		if (lookup_identity(k, version) == NULL) {
+ 			id = xcalloc(1, sizeof(Identity));
+ 			id->key = k;
+-			id->provider = xstrdup(provider);
+-			id->comment = xstrdup(provider); /* XXX */
++			id->provider = xstrdup(canonical_provider);
++			id->comment = xstrdup(canonical_provider); /* XXX */
+ 			id->death = death;
+ 			id->confirm = confirm;
+ 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+@@ -945,6 +983,10 @@
  {
  	u_int i, old_alloc, new_alloc;
  
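Review bot: `id->provider` and `id->comment` now store `canonical_provider`, the realpath()-resolved path, so any code that later compares a client-supplied provider string against `id->provider` — removal of a PKCS#11 provider in particular — must canonicalise the same way, or a provider added through a symlink or a non-normalised path can no longer be removed by the name it was added with; that code lies outside this hunk and the port patch shows no corresponding change, so please confirm it is covered. The whitelist match on `canonical_provider` is also the only place that explains what `pkcs11_whitelist` holds; the declaration's comment in the first hunk (`/* PKCS#11 path whitelist */`) would be clearer as `/* Pattern-list of allowed PKCS#11 provider paths, matched against the realpath()-canonicalised library path; set from -P or DEFAULT_PKCS11_WHITELIST */`. process_add_smartcard_key starts inside this hunk but its `send:` label and the end of the function lie outside it.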
@@ -56,33 +129,47 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1166,7 +1189,7 @@ static void
+@@ -1172,8 +1214,8 @@
  usage(void)
  {
  	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+-	    "                 [-t life] [command [arg ...]]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- 	    "                 [-t life] [command [arg ...]]\n"
++	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
  	    "       ssh-agent [-c | -s] -k\n");
  	exit(1);
-@@ -1197,6 +1220,7 @@ main(int ac, char **av)
+ }
+@@ -1204,6 +1246,7 @@
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
 +	setuid(geteuid());
  
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- 	/* Disable ptrace on Linux without sgid bit */
-@@ -1210,7 +1234,7 @@ main(int ac, char **av)
+ 	platform_disable_tracing(0);	/* strict=no */
+ 
+@@ -1214,7 +1257,7 @@
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
 -	while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
-+	while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
++	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1249,6 +1273,9 @@ main(int ac, char **av)
+@@ -1229,6 +1272,11 @@
+ 		case 'k':
+ 			k_flag++;
+ 			break;
++		case 'P':
++			if (pkcs11_whitelist != NULL)
++				fatal("-P option already specified");
++			pkcs11_whitelist = xstrdup(optarg);
++			break;
+ 		case 's':
+ 			if (c_flag)
+ 				usage();
+@@ -1253,6 +1301,9 @@
  				usage();
  			}
  			break;
@@ -92,3 +179,22 @@ disconnected.
  		default:
  			usage();
  		}
+@@ -1263,6 +1314,9 @@
+ 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+ 		usage();
+ 
++	if (pkcs11_whitelist == NULL)
++		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
++
+ 	if (ac == 0 && !c_flag && !s_flag) {
+ 		shell = getenv("SHELL");
+ 		if (shell != NULL && (len = strlen(shell)) > 2 &&
+@@ -1410,7 +1464,7 @@
+ 	signal(SIGTERM, cleanup_handler);
+ 	nalloc = 0;
+ 
+-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
++	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+ 		fatal("%s: pledge: %s", __progname, strerror(errno));
+ 	platform_pledge_agent();
+ 
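Review bot: The new `rpath` promise on the pledge() line has no comment tying it to the realpath(3) call that process_add_smartcard_key now makes, which is the only visible reason the agent needs filesystem read access; a one-line note such as `/* rpath: realpath(3) of PKCS#11 provider paths */` above the pledge() call would keep a later cleanup from dropping it. On the portable build the effect of this promise presumably depends on what platform_pledge_agent() does, which is not visible here. main() starts and ends outside this hunk.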


