From ab3c587fb594f773a3bcef8027b08d2a91dfea28 Mon Sep 17 00:00:00 2001 From: renmingshuai Date: Mon, 6 Feb 2023 14:35:55 +0800 Subject: [PATCH] fix CVE-2023-25136 --- 1q | 85 +++++++++++++++++++ ...5136-Always-return-allocated-strings.patch | 85 +++++++++++++++++++ openssh.spec | 10 ++- 3 files changed, 179 insertions(+), 1 deletion(-) create mode 100644 1q create mode 100644 backport-upstream-CVE-2023-25136-Always-return-allocated-strings.patch diff --git a/1q b/1q new file mode 100644 index 0000000..4e84d0c --- /dev/null +++ b/1q @@ -0,0 +1,85 @@ +From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Fri, 1 Jul 2022 03:35:45 +0000 +Subject: [PATCH] upstream: Always return allocated strings from the kex + filtering so + +that we can free them later. Fix one leak in compat_kex_proposal. Based on +github PR#324 from ZoltanFridrich with some simplications by me. ok djm@ + +OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4 + +Reference: +https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946 +Conflict: Contxt modification which remove global varibale used to stash +compat flags and use ssh->compat instead that is not related to fix the CVE +--- +diff --git a/compat.c b/compat.c +index 0624dc6..e5be5b4 100644 +--- a/compat.c ++++ b/compat.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: compat.c,v 1.113 2018/08/13 02:41:05 djm Exp $ */ ++/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ + /* + * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. + * +@@ -183,11 +183,12 @@ proto_spec(const char *spec) + return ret; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_cipher_proposal(char *cipher_prop) + { + if (!(datafellows & SSH_BUG_BIGENDIANAES)) +- return cipher_prop; ++ return xstrdup(cipher_prop); + debug2("%s: original cipher proposal: %s", __func__, cipher_prop); + if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL) + fatal("match_filter_blacklist failed"); +@@ -197,11 +198,12 @@ compat_cipher_proposal(char *cipher_prop) + return cipher_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_pkalg_proposal(char *pkalg_prop) + { + if (!(datafellows & SSH_BUG_RSASIGMD5)) +- return pkalg_prop; ++ return xstrdup(pkalg_prop); + debug2("%s: original public key proposal: %s", __func__, pkalg_prop); + if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL) + fatal("match_filter_blacklist failed"); +@@ -211,21 +213,25 @@ compat_pkalg_proposal(char *pkalg_prop) + return pkalg_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_kex_proposal(char *p) + { +- if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) +- return p; ++ char *cp = NULL; ++ if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) ++ return xstrdup(p); + debug2("%s: original KEX proposal: %s", __func__, p); + if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) + if ((p = match_filter_blacklist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_blacklist failed"); + if ((datafellows & SSH_OLD_DHGEX) != 0) { ++ cp = p; + if ((p = match_filter_blacklist(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_blacklist failed"); ++ free(cp); + } + debug2("%s: compat KEX proposal: %s", __func__, p); + if (*p == '\0') +-- +2.23.0 + diff --git a/backport-upstream-CVE-2023-25136-Always-return-allocated-strings.patch b/backport-upstream-CVE-2023-25136-Always-return-allocated-strings.patch new file mode 100644 index 0000000..4e84d0c --- /dev/null +++ b/backport-upstream-CVE-2023-25136-Always-return-allocated-strings.patch @@ -0,0 +1,85 @@ +From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Fri, 1 Jul 2022 03:35:45 +0000 +Subject: [PATCH] upstream: Always return allocated strings from the kex + filtering so + +that we can free them later. Fix one leak in compat_kex_proposal. Based on +github PR#324 from ZoltanFridrich with some simplications by me. ok djm@ + +OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4 + +Reference: +https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946 +Conflict: Contxt modification which remove global varibale used to stash +compat flags and use ssh->compat instead that is not related to fix the CVE +--- +diff --git a/compat.c b/compat.c +index 0624dc6..e5be5b4 100644 +--- a/compat.c ++++ b/compat.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: compat.c,v 1.113 2018/08/13 02:41:05 djm Exp $ */ ++/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ + /* + * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. + * +@@ -183,11 +183,12 @@ proto_spec(const char *spec) + return ret; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_cipher_proposal(char *cipher_prop) + { + if (!(datafellows & SSH_BUG_BIGENDIANAES)) +- return cipher_prop; ++ return xstrdup(cipher_prop); + debug2("%s: original cipher proposal: %s", __func__, cipher_prop); + if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL) + fatal("match_filter_blacklist failed"); +@@ -197,11 +198,12 @@ compat_cipher_proposal(char *cipher_prop) + return cipher_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_pkalg_proposal(char *pkalg_prop) + { + if (!(datafellows & SSH_BUG_RSASIGMD5)) +- return pkalg_prop; ++ return xstrdup(pkalg_prop); + debug2("%s: original public key proposal: %s", __func__, pkalg_prop); + if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL) + fatal("match_filter_blacklist failed"); +@@ -211,21 +213,25 @@ compat_pkalg_proposal(char *pkalg_prop) + return pkalg_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_kex_proposal(char *p) + { +- if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) +- return p; ++ char *cp = NULL; ++ if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) ++ return xstrdup(p); + debug2("%s: original KEX proposal: %s", __func__, p); + if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) + if ((p = match_filter_blacklist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_blacklist failed"); + if ((datafellows & SSH_OLD_DHGEX) != 0) { ++ cp = p; + if ((p = match_filter_blacklist(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_blacklist failed"); ++ free(cp); + } + debug2("%s: compat KEX proposal: %s", __func__, p); + if (*p == '\0') +-- +2.23.0 + diff --git a/openssh.spec b/openssh.spec index 2ee94e1..68df8b5 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 18 +%global openssh_release 19 Name: openssh Version: 8.2p1 @@ -98,6 +98,7 @@ Patch65: backport-CVE-2021-28041.patch Patch66: backport-change-convtime-form-returning-long-to-returning-int.patch Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patch Patch68: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch +Patch69: backport-upstream-CVE-2023-25136-Always-return-allocated-strings.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -268,6 +269,7 @@ popd %patch66 -p1 %patch67 -p1 %patch68 -p1 +%patch69 -p1 autoreconf pushd pam_ssh_agent_auth-0.10.3 @@ -476,6 +478,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Mon Feb 06 2023 renmingshuai - 8.2p1-19 +- Type:CVE +- CVE:CVE-2023-25136 +- SUG:NA +- DESC:fix CVE-2023-25136 + * Mon Jan 09 2023 renmingshuai - 8.2p1-18 - Type:bugfix - CVE: -- Gitee