From 5821e3c56bea33ed3822297fcb533198dcf66cfa Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Mon, 6 Feb 2023 21:20:42 +0800
Subject: [PATCH] fix CVE-2023-25136
---
 ...VE-2023-25136-fix-double-free-caused.patch | 67 +++++++++++++++++++
 openssh.spec | 10 ++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
diff --git a/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch b/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
new file mode 100644
index 0000000..ee6d98d
--- /dev/null
+++ b/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
@@ -0,0 +1,67 @@
+From 12da7823336434a403f25c7cc0c2c6aed0737a35 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Thu, 2 Feb 2023 12:10:05 +0000
+Subject: [PATCH] upstream: fix double-free caused by
+compat_kex_proposal();
+ bz3522
+
+by dtucker@, ok me
+
+OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
+
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=12da7823336434a403f25c7cc0c2c6aed0737a35
+Conflict:NA
+---
+ compat.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/compat.c b/compat.c
+index 1d50349..4fbb6f0 100644
+--- a/compat.c
++++ b/compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
++/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */
+ /*
+ * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
+ *
+@@ -190,29 +190,28 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
+- char *cp = NULL;
+-
++ char *cp = NULL, *cp2 = NULL;
+
+ if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+ return xstrdup(p);
+ debug2_f("original KEX proposal: %s", p);
+ if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ /* coverity[overwrite_var : FALSE] */
+- if ((p = match_filter_denylist(p,
++ if ((cp = match_filter_denylist(p,
+ "curve25519-sha256@libssh.org")) == NULL)
+ fatal("match_filter_denylist failed");
+ if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+- cp = p;
+ /* coverity[overwrite_var : FALSE] */
+- if ((p = match_filter_denylist(p,
++ if ((cp2 = match_filter_denylist(cp ?
cp : p,
+ "diffie-hellman-group-exchange-sha256,"
+ "diffie-hellman-group-exchange-sha1")) == NULL)
+ fatal("match_filter_denylist failed");
+ free(cp);
++ cp = cp2;
+ }
+- debug2_f("compat KEX proposal: %s", p);
+- if (*p == '\0')
++ if (cp == NULL || *cp == '\0')
+ fatal("No supported key exchange algorithms found");
+- return p;
++ debug2_f("compat KEX proposal: %s", cp);
++ return cp;
+ }
+
+--
+2.23.0
+
diff --git a/openssh.spec b/openssh.spec
index 8e74f92..f87577d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0}
 %global sshd_uid 74
-%global openssh_release 17
+%global openssh_release 18
 Name: openssh
 Version: 8.8p1
@@ -108,6 +108,7 @@ Patch75: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.pa
 Patch76: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
 Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
 Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
+Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
 Requires: /sbin/nologin
 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -265,6 +266,7 @@ popd
 %patch76 -p1
 %patch77 -p1
 %patch78 -p1
+%patch79 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -463,6 +465,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
+* Mon Feb 06 2023 renmingshuai - 8.8p1-18
+- Type:CVE
+- CVE:CVE-2023-25136
+- SUG:NA
+- DESC:fix CVE-2023-25136
+
 * Fri Jan 06 2023 renmingshuai - 8.8p1-17
 - Type:bugfix
 - CVE:NA
-- Gitee
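Review bot: The ownership rule this fix restores is stated nowhere in compat_kex_proposal(): the function now never frees or returns its argument p and always hands back a freshly allocated string (xstrdup on the early return, a match_filter_denylist result otherwise), which is precisely the contract the bz3522 double free broke, so a comment above the signature would keep a later edit from reintroducing it — `/* Return a newly allocated copy of proposal p with unsupported KEX algorithms filtered out; p is never freed or returned, the caller owns both. */`. The two `/* coverity[overwrite_var : FALSE] */` annotations were written for the removed `p = match_filter_denylist(p, ...)` overwrites and now sit above plain assignments to cp and cp2, so they look stale and are worth re-validating or dropping. As a point of style, the SSH_BUG_CURVE25519PAD branch nests an unbraced `if` inside an unbraced `if` while the SSH_OLD_DHGEX branch is braced; bracing the first as well removes a dangling-else hazard should an `else` ever be added. The hunk lives inside a patch file added by this commit, so the callers in the surrounding tree that must free the returned string are not visible here.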