diff --git a/openssh-8.7p1-scp-kill-switch.patch b/openssh-8.7p1-scp-kill-switch.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cbfbf5617842f612f0a7676628039442dcec02d8
--- /dev/null
+++ b/openssh-8.7p1-scp-kill-switch.patch
@@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
++++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+ #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
+ #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI SSHDIR "/moduli"
++#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
+ 
+ #ifndef _PATH_SSH_PROGRAM
+ #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
++++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
+ .El
++.Pp
++Usage of SCP protocol can be blocked by creating a world-readable
++.Ar /etc/ssh/disable_scp
++file. If this file exists, when SCP protocol is in use (either remotely or
++via the
++.Fl O
++option), the program will exit.
+ .Sh EXIT STATUS
+ .Ex -std scp
+ .Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
++++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+ argc -= optind;
+ argv += optind;
+ 
++ {
++ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
++ if (f != NULL) {
++ fclose(f);
++ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
++ }
++ }
++
+ if ((pwd = getpwuid(userid = getuid())) == NULL)
+ fatal("unknown user %u", (u_int) userid);
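Review bot: The kill-switch test in the scp.c hunk fails open: `fopen(_PATH_SCP_KILL_SWITCH, "r")` returns NULL not only when the file is absent but also when the invoking user lacks read permission, so a root-created `disable_scp` with mode 0600 blocks root's scp and nobody else's, which is why the scp.1 text has to insist on a world-readable file. Test for presence instead of readability and the permission dependency disappears, e.g. `if (access(_PATH_SCP_KILL_SWITCH, F_OK) == 0)` followed by the same `fatal(...)` (a `stat()` call works equally and needs no FILE handling). Separately, nothing in the hunk consults the protocol selection that the added scp.1 paragraph describes (`-O`), so unless that gating happens outside the hunk the exit fires for every scp invocation, including SFTP-mode transfers, and the message "SCP protocol is forbidden" would then be misleading; the check should be gated on the same variable that `-O` sets, or the man page should say the whole program is disabled. main() begins and ends outside the hunk.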
diff --git a/openssh.spec b/openssh.spec
index c5c2b2fd349ee75911f75a7733688566e8bf8dc2..f22529cf6522fbaf3de32ab6cd3406b80efe77dc 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.3
+%define anolis_release .0.4
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
@@ -288,6 +288,8 @@ Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
 Patch1005: 1005-terminate-pkcs11-process-for-bad-libraries.patch
 Patch1006: openssh-8.0p1-CVE-2023-51385.patch
+#Fix CVE-2020-15778
+Patch1007: openssh-8.7p1-scp-kill-switch.patch
 Patch2000: openssh-8.0p1-sw.patch
@@ -535,6 +537,7 @@ popd
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
+%patch1007 -p1
 %patch2000 -p1
 autoreconf
@@ -821,6 +824,9 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
+* Fri Jun 07 2024 Kai Song - 8.0p1-20.0.4
+- Fix CVE-2020-15778
+
 * Wed Mar 20 2024 Weisson - 8.0p1-20.0.3
 - adapt macro `seccomp_audit_arch` to kernel-headers.
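Review bot: The comment `#Fix CVE-2020-15778` above the new `Patch1007:` line overstates what the patch does: the file it references only adds an opt-in kill switch that makes scp exit when /etc/ssh/disable_scp exists, and it does not touch how scp builds or quotes the remote command, so on any host where an administrator has not created that file scp's behaviour is unchanged. Label it as what it is, e.g. `# Mitigation for CVE-2020-15778: opt-in scp kill switch (touch /etc/ssh/disable_scp to enable)`, and state the same in the changelog entry so packagers do not read the bump as a code fix. The patch is named for 8.7p1 while this spec's changelog still records an 8.0p1 release, and the scp.1 text it adds refers to an `-O` option that, as far as I can tell, may not exist in the scp this spec builds, so the man-page wording should be checked against the resulting binary.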