authorChen Qi <Qi.Chen@windriver.com>2014-05-13 15:46:27 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-29 13:42:10 +0100
commit6a8a9903de24cc7e1f27b1f7202bd4157719327c (patch)
treed0c43347c3b2030111cac14804130d60ea6af0fa
parente5786afbfa79e1288d1df2401684c4c151c60406 (diff)
openssh: fix for CVE-2014-2653
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. (From OE-Core rev: 7b2fff61b3d1c0566429793ee348fa8978ef0cba) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Conflicts: meta/recipes-connectivity/openssh/openssh_6.5p1.bb
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch114
-rw-r--r--meta/recipes-connectivity/openssh/openssh_6.5p1.bb3
2 files changed, 116 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
new file mode 100644
index 0000000000..674d186044
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch
@@ -0,0 +1,114 @@
+Upstream-Status: Backport
+
+This CVE could be removed if openssh is upgrade to 6.6 or higher.
+Below are some details.
+
+Attempt SSHFP lookup even if server presents a certificate
+
+Reference:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
+
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+
+This patch means that the ssh client will, if necessary, extract the
+server key from the proffered certificate, and attempt to verify it
+against the DNS. The patch was written by Mark Wooding
+<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
+it, and tested it.
+
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1210,36 +1210,63 @@ fail:
+ return -1;
+ }
+
++static int
++check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
++{
++ int rc = -1;
++ int flags = 0;
++ Key *raw_key = NULL;
++
++ if (!options.verify_host_key_dns)
++ goto done;
++
++ /* XXX certs are not yet supported for DNS; try looking the raw key
++ * up in the DNS anyway.
++ */
++ if (key_is_cert(host_key)) {
++ debug2("Extracting key from cert for SSHFP lookup");
++ raw_key = key_from_private(host_key);
++ if (key_drop_cert(raw_key))
++ fatal("Couldn't drop certificate");
++ host_key = raw_key;
++ }
++
++ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
++ goto done;
++
++ if (flags & DNS_VERIFY_FOUND) {
++
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ rc = 0;
++ } else if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(host_key);
++ error("Update the SSHFP RR in DNS with the new "
++ "host key to get rid of this message.");
++ }
++ }
++
++done:
++ if (raw_key)
++ key_free(raw_key);
++ return rc;
++}
++
+ /* returns 0 if key verifies or -1 if key does NOT verify */
+ int
+ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+- int flags = 0;
+ char *fp;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
+- }
+- }
+- }
++ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
++ return 0;
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+ options.user_hostfiles, options.num_user_hostfiles,
+--
+1.7.9.5
+
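Review bot: The header note `This CVE could be removed if openssh is upgrade to 6.6 or higher.` contradicts the advisory text in this commit's description, which lists OpenSSH 6.6 itself as affected, so a maintainer following it would drop the fix on a 6.6 upgrade and bring back the SSHFP bypass. I would reword it to `This patch can be dropped once openssh is upgraded to a release newer than 6.6 that contains the upstream fix.` and confirm the exact fixed release against upstream. Separately, `check_host_key_sshfp()` has no contract comment: it returns -1 both when DNS checking is off or the lookup fails and when an SSHFP record is found but does not match, and it sets the global `matching_host_key_dns` as a side effect. A short comment above the function should state that 0 means a secure SSHFP match that skips the known_hosts check and -1 means fall through to `check_host_key()`. The result of `key_from_private()` is also handed to `key_drop_cert()` without a NULL check, which is only safe if that helper cannot return NULL in this tree.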
diff --git a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
index 5e6c03c4a5..cf83fb4202 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
@@ -28,7 +28,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://sshd@.service \
file://sshdgenkeys.service \
file://volatiles.99_sshd \
- file://openssh-CVE-2014-2532.patch"
+ file://openssh-CVE-2014-2532.patch \
+ file://openssh-CVE-2014-2653.patch"
PAM_SRC_URI = "file://sshd"