From b5f814bb5f623cf2251cf8d572e57f0f6145f3bc Mon Sep 17 00:00:00 2001
From: root <fundawang@yeah.net>
Date: Thu, 24 Aug 2023 18:33:07 +0800
Subject: [PATCH] Fix CVE-2023-25136 & CVE-2023-38408

---
 openssh-8.7p1-CVE-2023-25136.patch          | 38 ++++++++
 openssh-9.3p1-upstream-cve-2023-38408.patch | 98 +++++++++++++++++++++
 openssh.spec                                |  7 +-
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 openssh-8.7p1-CVE-2023-25136.patch
 create mode 100644 openssh-9.3p1-upstream-cve-2023-38408.patch

diff --git a/openssh-8.7p1-CVE-2023-25136.patch b/openssh-8.7p1-CVE-2023-25136.patch
new file mode 100644
index 0000000..ca661ee
--- /dev/null
+++ b/openssh-8.7p1-CVE-2023-25136.patch
@@ -0,0 +1,38 @@
+diff --git a/compat.c b/compat.c
+index 46dfe3a9c2e..478a9403eea 100644
+--- a/compat.c
++++ b/compat.c
+@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
+-	char *cp = NULL;
++	char *cp = NULL, *cp2 = NULL;
+ 
+ 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+ 		return xstrdup(p);
+ 	debug2_f("original KEX proposal: %s", p);
+ 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+-		if ((p = match_filter_denylist(p,
++		if ((cp = match_filter_denylist(p,
+ 		    "curve25519-sha256@libssh.org")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+-		cp = p;
+-		if ((p = match_filter_denylist(p,
++		if ((cp2 = match_filter_denylist(cp ? cp : p,
+ 		    "diffie-hellman-group-exchange-sha256,"
+ 		    "diffie-hellman-group-exchange-sha1")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 		free(cp);
++		cp = cp2;
+ 	}
+-	debug2_f("compat KEX proposal: %s", p);
+-	if (*p == '\0')
++	if (cp == NULL || *cp == '\0')
+ 		fatal("No supported key exchange algorithms found");
+-	return p;
++	debug2_f("compat KEX proposal: %s", cp);
++	return cp;
+ }
+ 
diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch
new file mode 100644
index 0000000..0368886
--- /dev/null
+++ b/openssh-9.3p1-upstream-cve-2023-38408.patch
@@ -0,0 +1,98 @@
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 618bb198..8ea831f4 100644
+diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c
+--- openssh-9.3p1/ssh-agent.c.cve	2023-07-21 15:38:13.237276580 +0200
++++ openssh-9.3p1/ssh-agent.c	2023-07-21 15:41:30.269943569 +0200
+@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
+ /* Pattern-list of allowed PKCS#11/Security key paths */
+ static char *allowed_providers;
+ 
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)
+ 		if (strcasecmp(sk_provider, "internal") == 0) {
+ 			debug_f("internal provider");
+ 		} else {
++			if (e->nsession_ids != 0 && !remote_add_provider) {
++				verbose("failed add of SK provider \"%.100s\": "
++				    "remote addition of providers is disabled",
++				    sk_provider);
++				goto out;
++			}
+ 			if (realpath(sk_provider, canonical_provider) == NULL) {
+ 				verbose("failed provider \"%.100s\": "
+ 				    "realpath: %s", sk_provider,
+@@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e)
+ 
+ #ifdef ENABLE_PKCS11
+ static char *
+-sanitize_pkcs11_provider(const char *provider)
++sanitize_pkcs11_provider(SocketEntry *e, const char *provider)
+ {
+ 	struct pkcs11_uri *uri = NULL;
+ 	char *sane_uri, *module_path = NULL; /* default path */
+@@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro
+ 		module_path = strdup(provider); /* simple path */
+ 
+ 	if (module_path != NULL) { /* do not validate default NULL path in URI */
++		if (e->nsession_ids != 0 && !remote_add_provider) {
++			verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++			    "providers is disabled", provider);
++			return NULL;
++		}
+ 		if (realpath(module_path, canonical_provider) == NULL) {
+ 			verbose("failed PKCS#11 provider \"%.100s\": realpath: %s",
+ 			    module_path, strerror(errno));
+@@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e
+ 		goto send;
+ 	}
+ 
+-	sane_uri = sanitize_pkcs11_provider(provider);
++	sane_uri = sanitize_pkcs11_provider(e, provider);
+ 	if (sane_uri == NULL)
+ 		goto send;
+ 
+@@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry
+ 	}
+ 	free(pin);
+ 
+-	sane_uri = sanitize_pkcs11_provider(provider);
++	sane_uri = sanitize_pkcs11_provider(e, provider);
+ 	if (sane_uri == NULL)
+ 		goto send;
+ 
+@@ -2108,7 +2125,9 @@ main(int ac, char **av)
+ 			break;
+ 		case 'O':
+ 			if (strcmp(optarg, "no-restrict-websafe") == 0)
+-				restrict_websafe  = 0;
++				restrict_websafe = 0;
++			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++				remote_add_provider = 1;
+ 			else
+ 				fatal("Unknown -O option");
+ 			break;
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 6be647ec..ebddf6c3 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ 		error("dlopen %s failed: %s", provider_module, dlerror());
+ 		goto fail;
+ 	}
+-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-		goto fail;
+-	}
++	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ 
+ 	p->module->handle = handle;
+ 	/* setup the pkcs11 callbacks */
diff --git a/openssh.spec b/openssh.spec
index 8449b18..1784ab4 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release 8
+%define anolis_release 9
 %global _hardened_build 1
 %global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin
 
@@ -87,6 +87,8 @@ Patch346: openssh-8.7p1-gssapi-auth.patch
 Patch347: openssh-8.7p1-negotiate-supported-algs.patch
 Patch348: openssh-6.7p1-coverity.patch
 Patch349: add-loongarch64-support-for-openssh.patch
+Patch350: openssh-8.7p1-CVE-2023-25136.patch
+Patch351: openssh-9.3p1-upstream-cve-2023-38408.patch
 
 BuildRequires: autoconf automake make gcc
 BuildRequires: perl-interpreter perl-generators perl-podlators
@@ -443,6 +445,9 @@ test -f %{sysconfig_anaconda} && \
 %doc CREDITS ChangeLog OVERVIEW PROTOCOL*  TODO
 
 %changelog
+* Wed Oct 25 2023 Funda Wang <fundawang@yeah.net> - 9.0p1-9
+- Fix CVE-2023-25136 & CVE-2023-38408
+
 * Mon Aug 28 2023 Wenlong Zhang <zhangwenlong@loongson.cn> - 9.0p1-8
 - fix build error for patch 349
 
-- 
Gitee