From 02ed620177d377a272adf264065bd864dd0a4734 Mon Sep 17 00:00:00 2001 From: bitianyuan Date: Fri, 7 Feb 2025 15:44:14 +0800 Subject: [PATCH] Fix CVE-2024-39894 (cherry picked from commit a92e8b17c170af924e8b77125e238a6df7d5e752) --- backport-fix-CVE-2024-39894.patch | 33 +++++++++++++++++++++++++++++++ openssh.spec | 10 +++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 backport-fix-CVE-2024-39894.patch diff --git a/backport-fix-CVE-2024-39894.patch b/backport-fix-CVE-2024-39894.patch new file mode 100644 index 0000000..70fdcfb --- /dev/null +++ b/backport-fix-CVE-2024-39894.patch @@ -0,0 +1,33 @@ +From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 1 Jul 2024 04:31:17 +0000 +Subject: upstream: when sending ObscureKeystrokeTiming chaff packets, we + +can't rely on channel_did_enqueue to tell that there is data to send. This +flag indicates that the channels code enqueued a packet on _this_ ppoll() +iteration, not that data was enqueued in _any_ ppoll() iteration in the +timeslice. ok markus@ + +OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136 +--- + clientloop.c | 5 ++++--- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/clientloop.c b/clientloop.c +index 0b6f3c9b..8ed8b1c3 100644 +--- a/clientloop.c ++++ b/clientloop.c +@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout, + if (timespeccmp(&now, &chaff_until, >=)) { + /* Stop if there have been no keystrokes for a while */ + stop_reason = "chaff time expired"; +- } else if (timespeccmp(&now, &next_interval, >=)) { +- /* Otherwise if we were due to send, then send chaff */ ++ } else if (timespeccmp(&now, &next_interval, >=) && ++ !ssh_packet_have_data_to_write(ssh)) { ++ /* If due to send but have no data, then send chaff */ + if (send_chaff(ssh)) + nchaff++; + } +-- +cgit v1.2.3 diff --git a/openssh.spec b/openssh.spec index f35ad5a..7dbfe8c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 3 +%global openssh_release 4 Name: openssh Version: 9.6p1 @@ -110,6 +110,7 @@ Patch69: backport-upstream-Fix-proxy-multiplexing-O-proxy-bug.patch Patch70: backport-upstream-make-parsing-user-host-consistently-look-for-the-last-in.patch Patch71: backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch Patch72: backport-upstream-some-extra-paranoia.patch +Patch73: backport-fix-CVE-2024-39894.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -266,6 +267,7 @@ popd %patch -P 70 -p1 %patch -P 71 -p1 %patch -P 72 -p1 +%patch -P 73 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -497,6 +499,12 @@ fi %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Fri Feb 7 2025 bitianyuan - 9.6p1-4 +- Type:CVE +- CVE:CVE-2024-39894 +- SUG:NA +- DESC:Fix CVE-2024-39894 + * Mon Dec 23 2024 bitianyuan - 9.6p1-3 - Type:bugfix - CVE:NA -- Gitee