
[v1] package/openssh: security bump to version 9.3p1

Message ID 20230321190501.19240-1-ps.report@gmx.net
State Accepted
Series [v1] package/openssh: security bump to version 9.3p1

Commit Message

Peter Seiderer March 21, 2023, 7:05 p.m. UTC
From [1]:

 * sshd(8): fix a pre-authentication double-free memory fault
   introduced in OpenSSH 9.1. This is not believed to be exploitable,
   and it occurs in the unprivileged pre-auth process that is
   subject to chroot(2) and is further sandboxed on most major
   platforms.

 * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
   would ignore its first argument unless it was one of the special
   keywords "any" or "none", causing the permission list to fail open
   if only one permission was specified. bz3515

 * ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
   options were enabled, and the system/libc resolver did not check
   that names in DNS responses were valid, then use of these options
   could allow an attacker with control of DNS to include invalid
   characters (possibly including wildcards) in names added to
   known_hosts files when they were updated. These names would still
   have to match the CanonicalizePermittedCNAMEs allow-list, so
   practical exploitation appears unlikely.

From [2]:

 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

[1] https://www.openssh.com/txt/release-9.2
[2] https://www.openssh.com/txt/release-9.3

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 package/openssh/openssh.hash | 4 ++--
 package/openssh/openssh.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
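The security value of this bump rests on the .hash entry actually matching the tarball Buildroot downloads. The following POSIX shell checker is an added example and is not part of this patch or of Buildroot: it converts a base64-encoded SHA256 digest (the form the openssh.hash comment says the upstream release note publishes) to the hex form a Buildroot .hash file stores, parses a .hash file, and verifies a downloaded tarball against it. The file names, the constructed sample tarball content and the constructed .hash file in `demo` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Buildroot patch): verify a tarball against a
# Buildroot-style .hash file and convert an upstream base64 SHA256 to hex.
set -eu

# Convert a base64-encoded SHA256 digest (the form the release note publishes)
# to the 64-character lowercase hex string used in a .hash file.
hex_of_base64() {
    printf '%s' "$1" | base64 -d | od -An -tx1 -v | tr -d ' \n'
}

# Print the sha256 expected for FILE_NAME according to HASH_FILE (nothing if
# there is no entry). Lines look like: sha256  <hex>  <filename>; comment
# lines starting with '#' never match because their first field is not sha256.
expected_sha256() {
    hash_file=$1
    file_name=$2
    awk -v name="$file_name" '$1 == "sha256" && $3 == name { print $2; exit }' "$hash_file"
}

# Return 0 if TARBALL's sha256 matches its entry in HASH_FILE, 1 otherwise.
verify_tarball() {
    hash_file=$1
    tarball=$2
    name=$(basename "$tarball")
    want=$(expected_sha256 "$hash_file" "$name")
    if [ -z "$want" ]; then
        echo "no sha256 entry for $name in $hash_file" >&2
        return 1
    fi
    got=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $want got $got" >&2
    return 1
}

# Demonstration on constructed data: a fake tarball containing "abc" and a
# .hash file carrying the well-known SHA256 of "abc". Not real OpenSSH data.
demo() {
    d=$(mktemp -d)
    printf 'abc' > "$d/openssh-test.tar.gz"
    printf '# constructed example hash file\nsha256  %s  openssh-test.tar.gz\n' \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
        > "$d/openssh.hash"
    verify_tarball "$d/openssh.hash" "$d/openssh-test.tar.gz"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the constructed check pass; in practice you would point `verify_tarball` at `package/openssh/openssh.hash` and the tarball in the Buildroot download directory, and compare `hex_of_base64` of the release-note digest with the `+sha256` line before accepting the hash bump.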

Comments

Peter Korsgaard March 22, 2023, 10:39 p.m. UTC | #1
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:

 > From [1]:
 >  * sshd(8): fix a pre-authentication double-free memory fault
 >    introduced in OpenSSH 9.1. This is not believed to be exploitable,
 >    and it occurs in the unprivileged pre-auth process that is
 >    subject to chroot(2) and is further sandboxed on most major
 >    platforms.

 >  * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
 >    would ignore its first argument unless it was one of the special
 >    keywords "any" or "none", causing the permission list to fail open
 >    if only one permission was specified. bz3515

 >  * ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
 >    options were enabled, and the system/libc resolver did not check
 >    that names in DNS responses were valid, then use of these options
 >    could allow an attacker with control of DNS to include invalid
 >    characters (possibly including wildcards) in names added to
 >    known_hosts files when they were updated. These names would still
 >    have to match the CanonicalizePermittedCNAMEs allow-list, so
 >    practical exploitation appears unlikely.

 > From [2]:

 >  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
 >    per-hop destination constraints (ssh-add -h ...) added in OpenSSH
 >    8.9, a logic error prevented the constraints from being
 >    communicated to the agent. This resulted in the keys being added
 >    without constraints. The common cases of non-smartcard keys and
 >    keys without destination constraints are unaffected. This problem
 >    was reported by Luci Stanescu.

 >  * ssh(1): Portable OpenSSH provides an implementation of the
 >    getrrsetbyname(3) function if the standard library does not
 >    provide it, for use by the VerifyHostKeyDNS feature. A
 >    specifically crafted DNS response could cause this function to
 >    perform an out-of-bounds read of adjacent stack data, but this
 >    condition does not appear to be exploitable beyond denial-of-
 >    service to the ssh(1) client.

 >    The getrrsetbyname(3) replacement is only included if the system's
 >    standard library lacks this function and portable OpenSSH was not
 >    compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
 >    only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
 >    problem was found by the Coverity static analyzer.

 > [1] https://www.openssh.com/txt/release-9.2
 > [2] https://www.openssh.com/txt/release-9.3

 > Signed-off-by: Peter Seiderer <ps.report@gmx.net>

Committed, thanks.
Peter Korsgaard April 10, 2023, 7:09 p.m. UTC | #2
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:

 > From [1]:
 >  * sshd(8): fix a pre-authentication double-free memory fault
 >    introduced in OpenSSH 9.1. This is not believed to be exploitable,
 >    and it occurs in the unprivileged pre-auth process that is
 >    subject to chroot(2) and is further sandboxed on most major
 >    platforms.

Committed to 2023.02.x, thanks.

2022.02.x has 8.9p1, so I will not backport this there.

Patch

diff --git a/package/openssh/openssh.hash b/package/openssh/openssh.hash
index eefb11ec15..2be54431ec 100644
--- a/package/openssh/openssh.hash
+++ b/package/openssh/openssh.hash
@@ -1,4 +1,4 @@ 
-# From https://www.openssh.com/txt/release-9.1 (base64 encoded)
-sha256  19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288  openssh-9.1p1.tar.gz
+# From https://www.openssh.com/txt/release-9.3 (base64 encoded)
+sha256  e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8  openssh-9.3p1.tar.gz
 # Locally calculated
 sha256  05c30446ba738934b3f1efa965b454c122ca26cc4b268e5ae6843f58ccd1b16d  LICENCE
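Review bot: the `+sha256` line carries the digest in hex while its comment says the upstream value is `(base64 encoded)`; the commit message should state that the base64 string from release-9.3 was decoded to hex, otherwise a reviewer has to redo that conversion to confirm `e9baba77...`. The `LICENCE` line stays `# Locally calculated` and unchanged, which is only right if the licence file in 9.3p1 is byte-identical to the one in 9.1p1, so it is worth saying that this was re-checked against the new tarball.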
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index b70e327620..26d6bd504d 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-OPENSSH_VERSION_MAJOR = 9.1
+OPENSSH_VERSION_MAJOR = 9.3
 OPENSSH_VERSION_MINOR = p1
 OPENSSH_VERSION = $(OPENSSH_VERSION_MAJOR)$(OPENSSH_VERSION_MINOR)
 OPENSSH_CPE_ID_VERSION = $(OPENSSH_VERSION_MAJOR)
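Review bot: changing only `OPENSSH_VERSION_MAJOR` is enough here, since `OPENSSH_VERSION` and `OPENSSH_CPE_ID_VERSION` are both derived from it, so the CPE id moves to 9.3 together with the tarball name. The jump from 9.1 to 9.3 skips a release; the commit message covers that by citing both the 9.2 and 9.3 notes, but since the diffstat touches only the .hash and .mk files, the commit message should also confirm that no package patches carried against 9.1p1 needed refreshing.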