From f59c584e7e279598928cac1a8dba529c00edc804 Mon Sep 17 00:00:00 2001 From: renmingshuai Date: Thu, 27 Jul 2023 20:18:46 +0800 Subject: [PATCH] fix CVE-2023-38408 --- ...023-38408-upstream-terminate-process.patch | 43 +++++++++++++++++++ openssh.spec | 10 ++++- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 backport-fix-CVE-2023-38408-upstream-terminate-process.patch diff --git a/backport-fix-CVE-2023-38408-upstream-terminate-process.patch b/backport-fix-CVE-2023-38408-upstream-terminate-process.patch new file mode 100644 index 0000000..7e72dd4 --- /dev/null +++ b/backport-fix-CVE-2023-38408-upstream-terminate-process.patch @@ -0,0 +1,43 @@ +From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 19 Jul 2023 13:55:53 +0000 +Subject: [PATCH] upstream: terminate process if requested to load a +PKCS#11 + provider + +that isn't a PKCS#11 provider; from / ok markus@ + +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c + +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=892506b1365 +Conflict:pkcs11_initialize_provider +--- + ssh-pkcs11.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 995841f..b96021f 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-pkcs11.c,v 1.47 2020/01/25 00:03:36 djm Exp $ */ ++/* $OpenBSD: ssh-pkcs11.c,v 1.57 2023/07/19 13:55:53 djm Exp $ */ + /* + * Copyright (c) 2010 Markus Friedl. All rights reserved. + * Copyright (c) 2014 Pedro Martelletto. All rights reserved. +@@ -1743,10 +1743,8 @@ pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **prov + error("dlopen %s failed: %s", provider_module, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + + p->module->handle = handle; + /* setup the pkcs11 callbacks */ +-- +2.23.0 + diff --git a/openssh.spec b/openssh.spec index 541b393..f9ecf69 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 19 +%global openssh_release 20 Name: openssh Version: 8.2p1 @@ -99,6 +99,7 @@ Patch66: backport-change-convtime-form-returning-long-to-returning-int.pa Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patch Patch68: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch Patch69: set-ssh-config.patch +Patch70: backport-fix-CVE-2023-38408-upstream-terminate-process.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -270,6 +271,7 @@ popd %patch67 -p1 %patch68 -p1 %patch69 -p1 +#%patch70 -p1 autoreconf pushd pam_ssh_agent_auth-0.10.3 @@ -476,6 +478,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Thu Jul 27 2023 renmingshuai - 8.2p1-20 +- Type:CVE +- CVE:CVE-2023-38408 +- SUG:NA +- DESC:fix CVE-2023-38408 + * Tue Feb 28 2023 renmingshuai - 8.2p1-19 - Type:bugfix - CVE:NA -- Gitee