diff options
Diffstat (limited to 'meta/recipes-connectivity')
68 files changed, 4961 insertions, 119 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 9bb5e5861e..5d1c86978a 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -26,6 +26,15 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV} file://0001-Fix-opening-etc-resolv.conf-error.patch \ file://handle-hup.patch \ file://local-ping.patch \ + file://CVE-2023-1981.patch \ + file://CVE-2023-38469-1.patch \ + file://CVE-2023-38469-2.patch \ + file://CVE-2023-38470-1.patch \ + file://CVE-2023-38470-2.patch \ + file://CVE-2023-38471-1.patch \ + file://CVE-2023-38471-2.patch \ + file://CVE-2023-38472.patch \ + file://CVE-2023-38473.patch \ " UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" @@ -83,7 +92,6 @@ RRECOMMENDS:${PN}:append:libc-glibc = " libnss-mdns" do_install() { autotools_do_install rm -rf ${D}/run - rm -rf ${D}${datadir}/dbus-1/interfaces test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1 rm -rf ${D}${libdir}/avahi @@ -135,7 +143,7 @@ FILES:avahi-daemon = "${sbindir}/avahi-daemon \ ${sysconfdir}/avahi/services \ ${sysconfdir}/dbus-1 \ ${sysconfdir}/init.d/avahi-daemon \ - ${datadir}/avahi/introspection/*.introspect \ + ${datadir}/dbus-1/interfaces \ ${datadir}/avahi/avahi-service.dtd \ ${datadir}/avahi/service-types \ ${datadir}/dbus-1/system-services" diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch new file mode 100644 index 0000000000..4d7924d13a --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch @@ -0,0 +1,58 @@ +From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Thu, 17 Nov 2022 01:51:53 +0100 +Subject: [PATCH] Emit error if requested service is not found + +It currently just crashes instead of replying with error. Check return +value and emit error instead of passing NULL pointer to reply. + +Fixes #375 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f] +CVE: CVE-2023-1981 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c +index 70d7687bc..406d0b441 100644 +--- a/avahi-daemon/dbus-protocol.c ++++ b/avahi-daemon/dbus-protocol.c +@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM + } + + t = avahi_alternative_host_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); ++ } + } + + static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) { +@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB + } + + t = avahi_alternative_service_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); ++ } + } + + static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) { diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch new file mode 100644 index 0000000000..f0f6c4bf7b --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch @@ -0,0 +1,47 @@ +From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Mon, 23 Oct 2023 20:29:31 +0000 +Subject: [PATCH]core: reject overly long TXT resource records +Closes https://github.com/lathiat/avahi/issues/455 + +Upstream-Status: Backport [https://github.com/lathiat/avahi/pull/500/commits/a337a1ba7d15853fb56deef1f464529af6e3a1cf] +CVE: CVE-2023-38469 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-core/rr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/rr.c b/avahi-core/rr.c +index 7fa0bee..b03a24c 100644 +--- a/avahi-core/rr.c ++++ b/avahi-core/rr.c +@@ -32,6 +32,7 @@ + #include <avahi-common/malloc.h> + #include <avahi-common/defs.h> + ++#include "dns.h" + #include "rr.h" + #include "log.h" + #include "util.h" +@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) { + case AVAHI_DNS_TYPE_TXT: { + + AvahiStringList *strlst; ++ size_t used = 0; + +- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) ++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { + if (strlst->size > 255 || strlst->size <= 0) + return 0; + ++ used += 1+strlst->size; ++ if (used > AVAHI_DNS_RDATA_MAX) ++ return 0; ++ } ++ + return 1; + } + } +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch new file mode 100644 index 0000000000..f8f60ddca1 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch @@ -0,0 +1,65 @@ +From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Wed, 25 Oct 2023 18:15:42 +0000 +Subject: [PATCH] tests: pass overly long TXT resource records + +to make sure they don't crash avahi any more. +It reproduces https://github.com/lathiat/avahi/issues/455 + +Canonical notes: +nickgalanis> removed first hunk since there is no .github dir in this release + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237] +CVE: CVE-2023-38469 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-client/client-test.c | 14 ++++++++++++++ + 1 files changed, 14 insertions(+) + +Index: avahi-0.8/avahi-client/client-test.c +=================================================================== +--- avahi-0.8.orig/avahi-client/client-test.c ++++ avahi-0.8/avahi-client/client-test.c +@@ -22,6 +22,7 @@ + #endif + + #include <stdio.h> ++#include <string.h> + #include <assert.h> + + #include <avahi-client/client.h> +@@ -33,6 +34,8 @@ + #include <avahi-common/malloc.h> + #include <avahi-common/timeval.h> + ++#include <avahi-core/dns.h> ++ + static const AvahiPoll *poll_api = NULL; + static AvahiSimplePoll *simple_poll = NULL; + +@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + uint32_t cookie; + struct timeval tv; + AvahiAddress a; ++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1]; ++ AvahiStringList *txt = NULL; ++ int r; + + simple_poll = avahi_simple_poll_new(); + poll_api = avahi_simple_poll_get(simple_poll); +@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); + printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); + ++ memset(rdata, 1, sizeof(rdata)); ++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt); ++ assert(r >= 0); ++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata)); ++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt); ++ assert(error == AVAHI_ERR_INVALID_RECORD); ++ avahi_string_list_free(txt); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch new file mode 100644 index 0000000000..5cf9af6fd6 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch @@ -0,0 +1,59 @@ +From 26806dbde54c5b40a2bf108d334ba59ec9d242d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Tue, 11 Apr 2023 15:29:59 +0200 +Subject: [PATCH]Ensure each label is at least one byte long + +The only allowed exception is single dot, where it should return empty +string. + +Fixes #454. + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c] +CVE: CVE-2023-38470 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-common/domain-test.c | 14 ++++++++++++++ + avahi-common/domain.c | 2 +- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c +index cf763ec..3acc1c1 100644 +--- a/avahi-common/domain-test.c ++++ b/avahi-common/domain-test.c +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); + avahi_free(s); + ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); ++ avahi_free(s); ++ ++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." ++ "}.?.?.?.}.=.?.?.}"); ++ assert(s == NULL); ++ + printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); + printf("%i\n", avahi_domain_equal("A", "a")); + +diff --git a/avahi-common/domain.c b/avahi-common/domain.c +index 3b1ab68..e66d241 100644 +--- a/avahi-common/domain.c ++++ b/avahi-common/domain.c +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) { + } + + if (!empty) { +- if (size < 1) ++ if (size < 2) + return NULL; + + *(r++) = '.'; +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch new file mode 100644 index 0000000000..e0736bf210 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch @@ -0,0 +1,52 @@ +From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Tue, 19 Sep 2023 03:21:25 +0000 +Subject: [PATCH] [common] bail out when escaped labels can't fit into ret + +Fixes: +``` +==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8 +READ of size 1110 at 0x7f9e76f14c16 thread T0 + #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba) + #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12 + #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12 +``` +and +``` +fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed. +==101571== ERROR: libFuzzer: deadly signal + #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9 +``` + +It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-2.patch?h=ubuntu/jammy-security +CVE: CVE-2023-38470 #Follow-up patch +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-common/domain.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: avahi-0.8/avahi-common/domain.c +=================================================================== +--- avahi-0.8.orig/avahi-common/domain.c ++++ avahi-0.8/avahi-common/domain.c +@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s + } else + empty = 0; + +- avahi_escape_label(label, strlen(label), &r, &size); ++ if (!(avahi_escape_label(label, strlen(label), &r, &size))) ++ return NULL; + } + + return ret_s; diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch new file mode 100644 index 0000000000..40b61b71dd --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch @@ -0,0 +1,73 @@ +From 9cd4ea89b3ac89b7bb0196fda1aa88cd51b106b6 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Mon, 23 Oct 2023 13:38:35 +0200 +Subject: [PATCH] core: extract host name using avahi_unescape_label() + +Previously we could create invalid escape sequence when we split the +string on dot. For example, from valid host name "foo\\.bar" we have +created invalid name "foo\\" and tried to set that as the host name +which crashed the daemon. + +Fixes #453 + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] +CVE: CVE-2023-38471 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-core/server.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index e507750..40f1d68 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { + } + + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { +- char *hn = NULL; ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; ++ char label[AVAHI_LABEL_MAX]; ++ char *hn = NULL, *h; ++ size_t len; ++ + assert(s); + + AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + else + hn = avahi_normalize_name_strdup(host_name); + +- hn[strcspn(hn, ".")] = 0; ++ h = hn; ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { ++ avahi_free(h); ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ } ++ ++ avahi_free(h); ++ ++ h = label_escaped; ++ len = sizeof(label_escaped); ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) ++ return AVAHI_ERR_INVALID_HOST_NAME; + +- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { +- avahi_free(hn); ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +- } + + withdraw_host_rrs(s); + + avahi_free(s->host_name); +- s->host_name = hn; ++ s->host_name = avahi_strdup(label_escaped); ++ if (!s->host_name) ++ return AVAHI_ERR_NO_MEMORY; + + update_fqdn(s); + +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch new file mode 100644 index 0000000000..44737bfc2e --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch @@ -0,0 +1,52 @@ +From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Tue, 24 Oct 2023 22:04:51 +0000 +Subject: [PATCH] core: return errors from avahi_server_set_host_name properly + +It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460] +CVE: CVE-2023-38471 #Follow-up Patch +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-core/server.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +Index: avahi-0.8/avahi-core/server.c +=================================================================== +--- avahi-0.8.orig/avahi-core/server.c ++++ avahi-0.8/avahi-core/server.c +@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServ + else + hn = avahi_normalize_name_strdup(host_name); + ++ if (!hn) ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); ++ + h = hn; + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { + avahi_free(h); +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + } + + avahi_free(h); +@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServ + h = label_escaped; + len = sizeof(label_escaped); + if (!avahi_escape_label(label, strlen(label), &h, &len)) +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServ + avahi_free(s->host_name); + s->host_name = avahi_strdup(label_escaped); + if (!s->host_name) +- return AVAHI_ERR_NO_MEMORY; ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); + + update_fqdn(s); + diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch new file mode 100644 index 0000000000..85dbded73b --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch @@ -0,0 +1,46 @@ +From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Thu, 19 Oct 2023 17:36:44 +0200 +Subject: [PATCH] core: make sure there is rdata to process before parsing it + +Fixes #452 + +CVE-2023-38472 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40] +CVE: CVE-2023-38472 +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-client/client-test.c | 3 +++ + avahi-daemon/dbus-entry-group.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +Index: avahi-0.8/avahi-client/client-test.c +=================================================================== +--- avahi-0.8.orig/avahi-client/client-test.c ++++ avahi-0.8/avahi-client/client-test.c +@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + assert(error == AVAHI_ERR_INVALID_RECORD); + avahi_string_list_free(txt); + ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); ++ assert(error != AVAHI_OK); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +Index: avahi-0.8/avahi-daemon/dbus-entry-group.c +=================================================================== +--- avahi-0.8.orig/avahi-daemon/dbus-entry-group.c ++++ avahi-0.8/avahi-daemon/dbus-entry-group.c +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); + +- if (avahi_rdata_parse (r, rdata, size) < 0) { ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { + avahi_record_unref (r); + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); + } diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..8a372a072a --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch @@ -0,0 +1,108 @@ +From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Wed, 11 Oct 2023 17:45:44 +0200 +Subject: [PATCH]common: derive alternative host name from its + unescaped version + +Normalization of input makes sure we don't have to deal with special +cases like unescaped dot at the end of label. + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] +CVE: CVE-2023-38473 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c +index 9255435..681fc15 100644 +--- a/avahi-common/alternative-test.c ++++ b/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c +index b3d39f0..a094e6d 100644 +--- a/avahi-common/alternative.c ++++ b/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; +-- +2.40.0 diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch index ec1bc7b567..ec1bc7b567 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/0001-avoid-start-failure-with-bind-user.patch +++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 4c10f33f04..4c10f33f04 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..f1abd179e8 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/bind9 b/meta/recipes-connectivity/bind/bind/bind9 index 968679ff7f..968679ff7f 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/bind9 +++ b/meta/recipes-connectivity/bind/bind/bind9 diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch index aa3642acec..aa3642acec 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/conf.patch +++ b/meta/recipes-connectivity/bind/bind/conf.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh index 633e29c0e6..633e29c0e6 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/generate-rndc-key.sh +++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch index 11db95ede1..11db95ede1 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/init.d-add-support-for-read-only-rootfs.patch +++ b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch index 146f3e35db..146f3e35db 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/make-etc-initd-bind-stop-work.patch +++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.2/named.service b/meta/recipes-connectivity/bind/bind/named.service index cda56ef015..cda56ef015 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.2/named.service +++ b/meta/recipes-connectivity/bind/bind/named.service diff --git a/meta/recipes-connectivity/bind/bind_9.18.2.bb b/meta/recipes-connectivity/bind/bind_9.18.24.bb index 1c77aceb9f..fbbebe89ad 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.2.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.24.bb @@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system" SECTION = "console/network" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a4a897f202c0710e07f2f2836bc2b62" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43" DEPENDS = "openssl libcap zlib libuv" @@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "2e4b38779bba0a23ee634fdf7c525fd9794c41d692bfd83cda25823a2a3ed969" +SRC_URI[sha256sum] = "709d73023c9115ddad3bab65b6c8c79a590196d0d114f5d0ca2533dbd52ddf66" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 @@ -39,15 +39,13 @@ PACKAGECONFIG[readline] = "--with-readline=readline,,readline" PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit" PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2" -EXTRA_OECONF = " --disable-devpoll --disable-auto-validation --enable-epoll \ +EXTRA_OECONF = " --disable-auto-validation \ --with-gssapi=no --with-lmdb=no --with-zlib \ --sysconfdir=${sysconfdir}/bind \ --with-openssl=${STAGING_DIR_HOST}${prefix} \ " LDFLAGS:append = " -lz" -inherit ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native setuptools3-base', '', d)} - # dhcp needs .la so keep them REMOVE_LIBTOOL_LA = "0" @@ -67,12 +65,6 @@ do_install:append() { install -d "${D}${sysconfdir}/init.d" install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/" install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind" - if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then - sed -i -e '1s,#!.*python3,#! /usr/bin/python3,' \ - ${D}${sbindir}/dnssec-coverage \ - ${D}${sbindir}/dnssec-checkds \ - ${D}${sbindir}/dnssec-keymgr - fi # Install systemd related files install -d ${D}${sbindir} @@ -119,9 +111,4 @@ FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so" FILES:${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so" FILES:${PN}-staticdev += "${libdir}/*.la" -PACKAGE_BEFORE_PN += "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3-bind', '', d)}" -FILES:python3-bind = "${sbindir}/dnssec-coverage ${sbindir}/dnssec-checkds \ - ${sbindir}/dnssec-keymgr ${PYTHON_SITEPACKAGES_DIR}" - RDEPENDS:${PN}-dev = "" -RDEPENDS:python3-bind = "python3-core python3-ply" diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index 22dd07b348..7786b65670 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \ file://src/main.c;beginline=1;endline=24;md5=0ad83ca0dc37ab08af448777c581e7ac" DEPENDS = "dbus glib-2.0" +RDEPENDS:${PN} += "dbus" PROVIDES += "bluez-hcidump" RPROVIDES:${PN} += "bluez-hcidump" @@ -53,7 +54,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ - file://fix_service.patch \ + file://CVE-2023-45866.patch \ " S = "${WORKDIR}/bluez-${PV}" @@ -68,6 +69,8 @@ EXTRA_OECONF = "\ --without-zsh-completion-dir \ " +CFLAGS += "-DFIRMWARE_DIR=\\"${nonarch_base_libdir}/firmware\\"" + # bluez5 builds a large number of useful utilities but does not # install them. Specify which ones we want put into ${PN}-noinst-tools. NOINST_TOOLS_READLINE ??= "" diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch new file mode 100644 index 0000000000..5bb31d866a --- /dev/null +++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch @@ -0,0 +1,56 @@ +From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Date: Tue, 10 Oct 2023 13:03:12 -0700 +Subject: [PATCH] input.conf: Change default of ClassicBondedOnly + +This changes the default of ClassicBondedOnly since defaulting to false +is not inline with HID specification which mandates the of Security Mode +4: + +BLUETOOTH SPECIFICATION Page 84 of 123 +Human Interface Device (HID) Profile: + + 5.4.3.4.2 Security Modes + Bluetooth HID Hosts shall use Security Mode 4 when interoperating with + Bluetooth HID devices that are compliant to the Bluetooth Core + Specification v2.1+EDR[6]. + +Upstream-Status: Backport +[https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675] + +CVE: CVE-2023-45866 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + profiles/input/device.c | 2 +- + profiles/input/input.conf | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 4a50ea9..4310dd1 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -81,7 +81,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; +-static bool classic_bonded_only = false; ++static bool classic_bonded_only = true; + + void input_set_idle_timeout(int timeout) + { +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 4c70bc5..d8645f3 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -17,7 +17,7 @@ + # platforms may want to make sure that input connections only come from bonded + # device connections. Several older mice have been known for not supporting + # pairing/encryption. +-# Defaults to false to maximize device compatibility. ++# Defaults to true for security. + #ClassicBondedOnly=true + + # LE upgrade security +-- +2.40.0 diff --git a/meta/recipes-connectivity/bluez5/bluez5/fix_service.patch b/meta/recipes-connectivity/bluez5/bluez5/fix_service.patch deleted file mode 100644 index 96fdf6b299..0000000000 --- a/meta/recipes-connectivity/bluez5/bluez5/fix_service.patch +++ /dev/null @@ -1,30 +0,0 @@ -The systemd bluetooth service failed to start because the /var/lib/bluetooth -path of ReadWritePaths= is created by the bluetooth daemon itself. - -The commit systemd: Add more filesystem lockdown (442d211) add ReadWritePaths=/etc/bluetooth -and ReadOnlyPaths=/var/lib/bluetooth options to the bluetooth systemd service. -The existing ProtectSystem=full option mounts the /usr, the boot loader -directories and /etc read-only. This means the two option are useless and could be removed. - -Upstream-Status: Submitted [https://github.com/bluez/bluez/issues/329] - -Index: bluez-5.64/src/bluetooth.service.in -=================================================================== ---- bluez-5.64.orig/src/bluetooth.service.in -+++ bluez-5.64/src/bluetooth.service.in -@@ -15,12 +15,12 @@ LimitNPROC=1 - - # Filesystem lockdown - ProtectHome=true --ProtectSystem=full -+ProtectSystem=strict - PrivateTmp=true - ProtectKernelTunables=true - ProtectControlGroups=true --ReadWritePaths=@statedir@ --ReadOnlyPaths=@confdir@ -+ConfigurationDirectory=bluetooth -+StateDirectory=bluetooth - - # Execute Mappings - MemoryDenyWriteExecute=true diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.64.bb b/meta/recipes-connectivity/bluez5/bluez5_5.65.bb index 4319f9aae8..4c15aeb46d 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.64.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.65.bb @@ -1,6 +1,6 @@ require bluez5.inc -SRC_URI[sha256sum] = "ae437e65b6b3070c198bc5b0109fe9cdeb9eaa387380e2072f9de65fe8a1de34" +SRC_URI[sha256sum] = "2565a4d48354b576e6ad92e25b54ed66808296581c8abb80587051f9993d96d4" # These issues have kernel fixes rather than bluez fixes so exclude here CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490" diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc index 5880ecd5d4..0c1dc7e5dd 100644 --- a/meta/recipes-connectivity/connman/connman.inc +++ b/meta/recipes-connectivity/connman/connman.inc @@ -27,6 +27,7 @@ EXTRA_OECONF += "\ --enable-ethernet \ --enable-tools \ --disable-polkit \ + --runstatedir=/run \ " PACKAGECONFIG ??= "wispr iptables client\ diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..182c5ca29c --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch @@ -0,0 +1,37 @@ +From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 +From: Nathan Crandall <ncrandall@tesla.com> +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 + +CVE: CVE-2022-32292 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8..13c6c5f2 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch new file mode 100644 index 0000000000..b280203594 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch @@ -0,0 +1,141 @@ +From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001 +From: Daniel Wagner <wagi@monom.org> +Date: Tue, 5 Jul 2022 08:32:12 +0200 +Subject: wispr: Add reference counter to portal context + +Track the connman_wispr_portal_context live time via a +refcounter. This only adds the infrastructure to do proper reference +counting. + +Fixes: CVE-2022-32293 +CVE: CVE-2022-32293 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 42 insertions(+), 10 deletions(-) + +diff --git a/src/wispr.c b/src/wispr.c +index a07896ca..bde7e63b 100644 +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -56,6 +56,7 @@ struct wispr_route { + }; + + struct connman_wispr_portal_context { ++ int refcount; + struct connman_service *service; + enum connman_ipconfig_type type; + struct connman_wispr_portal *wispr_portal; +@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; + static char *online_check_ipv6_url = NULL; + static bool enable_online_to_ready_transition = false; + ++#define wispr_portal_context_ref(wp_context) \ ++ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) ++#define wispr_portal_context_unref(wp_context) \ ++ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) ++ + static void connman_wispr_message_init(struct connman_wispr_message *msg) + { + DBG(""); +@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( + { + DBG("context %p", wp_context); + +- if (!wp_context) +- return; +- + if (wp_context->wispr_portal) { + if (wp_context->wispr_portal->ipv4_context == wp_context) + wp_context->wispr_portal->ipv4_context = NULL; +@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( + g_free(wp_context); + } + ++static struct connman_wispr_portal_context * ++wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount + 1, file, line, caller); ++ ++ __sync_fetch_and_add(&wp_context->refcount, 1); ++ ++ return wp_context; ++} ++ ++static void wispr_portal_context_unref_debug( ++ struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ if (!wp_context) ++ return; ++ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount - 1, file, line, caller); ++ ++ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) ++ return; ++ ++ free_connman_wispr_portal_context(wp_context); ++} ++ + static struct connman_wispr_portal_context *create_wispr_portal_context(void) + { +- return g_try_new0(struct connman_wispr_portal_context, 1); ++ return wispr_portal_context_ref( ++ g_new0(struct connman_wispr_portal_context, 1)); + } + + static void free_connman_wispr_portal(gpointer data) +@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) + if (!wispr_portal) + return; + +- free_connman_wispr_portal_context(wispr_portal->ipv4_context); +- free_connman_wispr_portal_context(wispr_portal->ipv6_context); ++ wispr_portal_context_unref(wispr_portal->ipv4_context); ++ wispr_portal_context_unref(wispr_portal->ipv6_context); + + g_free(wispr_portal); + } +@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, + connman_info("Client-Timezone: %s", str); + + if (!enable_online_to_ready_transition) +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + + __connman_service_ipconfig_indicate_state(service, + CONNMAN_SERVICE_STATE_ONLINE, type); +@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, + return; + } + +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + +@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) + + if (wp_context->token == 0) { + err = -EINVAL; +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + } + } else if (wp_context->timeout == 0) { + wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); +@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service, + + /* If there is already an existing context, we wipe it */ + if (wp_context) +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + + wp_context = create_wispr_portal_context(); + if (!wp_context) +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch new file mode 100644 index 0000000000..56f8fc82de --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch @@ -0,0 +1,174 @@ +From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 +From: Daniel Wagner <wagi@monom.org> +Date: Tue, 5 Jul 2022 09:11:09 +0200 +Subject: wispr: Update portal context references + +Maintain proper portal context references to avoid UAF. + +Fixes: CVE-2022-32293 +CVE: CVE-2022-32293 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/wispr.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/src/wispr.c b/src/wispr.c +index bde7e63b..84bed33f 100644 +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false; + + static void connman_wispr_message_init(struct connman_wispr_message *msg) + { +- DBG(""); +- + msg->has_error = false; + msg->current_element = NULL; + +@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) + static void free_connman_wispr_portal_context( + struct connman_wispr_portal_context *wp_context) + { +- DBG("context %p", wp_context); +- + if (wp_context->wispr_portal) { + if (wp_context->wispr_portal->ipv4_context == wp_context) + wp_context->wispr_portal->ipv4_context = NULL; +@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result, + &str)) + connman_info("Client-Timezone: %s", str); + +- if (!enable_online_to_ready_transition) +- wispr_portal_context_unref(wp_context); +- + __connman_service_ipconfig_indicate_state(service, + CONNMAN_SERVICE_STATE_ONLINE, type); + +@@ -546,14 +539,17 @@ static void wispr_portal_request_portal( + { + DBG(""); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + wp_context->status_url, + wispr_portal_web_result, + wispr_route_request, + wp_context); + +- if (wp_context->request_id == 0) ++ if (wp_context->request_id == 0) { + wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); ++ } + } + + static bool wispr_input(const guint8 **data, gsize *length, +@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, + return; + + if (!authentication_done) { +- wispr_portal_error(wp_context); + free_wispr_routes(wp_context); ++ wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + + /* Restarting the test */ + __connman_service_wispr_start(service, wp_context->type); ++ wispr_portal_context_unref(wp_context); + } + + static void wispr_portal_request_wispr_login(struct connman_service *service, +@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result, + + wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; + ++ wispr_portal_context_ref(wp_context); + if (__connman_agent_request_login_input(wp_context->service, + wispr_portal_request_wispr_login, +- wp_context) != -EINPROGRESS) ++ wp_context) != -EINPROGRESS) { + wispr_portal_error(wp_context); +- else ++ wispr_portal_context_unref(wp_context); ++ } else + return true; + + break; +@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (length > 0) { + g_web_parser_feed_data(wp_context->wispr_parser, + chunk, length); ++ wispr_portal_context_unref(wp_context); + return true; + } + +@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + switch (status) { + case 000: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (g_web_result_get_header(result, "X-ConnMan-Status", + &str)) { + portal_manage_status(result, wp_context); ++ wispr_portal_context_unref(wp_context); + return false; +- } else ++ } else { ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->redirect_url, wp_context); ++ } + + break; + case 300: +@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + !g_web_result_get_header(result, "Location", + &redirect)) { + ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + wp_context->redirect_url = g_strdup(redirect); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + redirect, wispr_portal_web_result, + wispr_route_request, wp_context); +@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + break; + case 505: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + wp_context->request_id = 0; + done: + wp_context->wispr_msg.message_type = -1; ++ wispr_portal_context_unref(wp_context); + return false; + } + +@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data) + xml_wispr_parser_callback, wp_context); + + wispr_portal_request_portal(wp_context); ++ wispr_portal_context_unref(wp_context); + } + + static gboolean no_proxy_callback(gpointer user_data) +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch new file mode 100644 index 0000000000..a6cabdfb20 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch @@ -0,0 +1,60 @@ +From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 +From: Daniel Wagner <wagi@monom.org> +Date: Tue, 11 Apr 2023 08:12:56 +0200 +Subject: gdhcp: Verify and sanitize packet length first + +Avoid overwriting the read packet length after the initial test. Thus +move all the length checks which depends on the total length first +and do not use the total lenght from the IP packet afterwards. + +Reported by Polina Smirnova <moe.hwr@gmail.com> + +CVE: CVE-2023-28488 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + gdhcp/client.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/gdhcp/client.c b/gdhcp/client.c +index 3016dfc..28fa606 100644 +--- a/gdhcp/client.c ++++ b/gdhcp/client.c +@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) + static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, + struct sockaddr_in *dst_addr) + { +- int bytes; + struct ip_udp_dhcp_packet packet; + uint16_t check; ++ int bytes, tot_len; + + memset(&packet, 0, sizeof(packet)); + +@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, + if (bytes < 0) + return -1; + +- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) +- return -1; +- +- if (bytes < ntohs(packet.ip.tot_len)) ++ tot_len = ntohs(packet.ip.tot_len); ++ if (bytes > tot_len) { ++ /* ignore any extra garbage bytes */ ++ bytes = tot_len; ++ } else if (bytes < tot_len) { + /* packet is bigger than sizeof(packet), we did partial read */ + return -1; ++ } + +- /* ignore any extra garbage bytes */ +- bytes = ntohs(packet.ip.tot_len); ++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) ++ return -1; + + if (!sanity_check(&packet, bytes)) + return -1; +-- +2.25.1 + diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb index 736b78eaeb..27b28be41c 100644 --- a/meta/recipes-connectivity/connman/connman_1.41.bb +++ b/meta/recipes-connectivity/connman/connman_1.41.bb @@ -5,6 +5,10 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \ file://connman \ file://no-version-scripts.patch \ + file://CVE-2022-32293_p1.patch \ + file://CVE-2022-32293_p2.patch \ + file://CVE-2022-32292.patch \ + file://CVE-2023-28488.patch \ " SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb index ab6ffe986c..21b2eebbd8 100644 --- a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb +++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb @@ -9,15 +9,19 @@ HOMEPAGE = "http://roy.marples.name/projects/dhcpcd/" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=d148485768fe85b9f1072b186a7e9b4d" -UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/" - -SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \ +SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=dhcpcd-9 \ file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \ + file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \ + file://0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch \ + file://0002-privsep-Allow-newfstatat-syscall-as-well.patch \ + file://0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch \ file://dhcpcd.service \ file://dhcpcd@.service \ + file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \ " -SRC_URI[sha256sum] = "819357634efed1ea5cf44ec01b24d3d3f8852fec8b4249925dcc5667c54e376c" +SRCREV = "3c458fc7fa4146029a1e4f9e98cd7e7adf03081a" +S = "${WORKDIR}/git" inherit pkgconfig autotools-brokensep systemd useradd diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch new file mode 100644 index 0000000000..6f90c88249 --- /dev/null +++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch @@ -0,0 +1,82 @@ +From 02acc4d875ee81e6fd19ef66d69c9f55b4b4a7e7 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Wed, 9 Nov 2022 16:33:18 +0800 +Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd + +systemd's resolvconf implementation ignores the protocol part. +See https://github.com/systemd/systemd/issues/25032. + +When using 'dhcp server + dns server + dhcpcd + systemd', we +get an integration issue, that is dhcpcd runs 'resolvconf -d eth0.ra', +yet systemd's resolvconf treats it as eth0. This will delete the +DNS information set by 'resolvconf -a eth0.dhcp'. + +Fortunately, 20-resolv.conf has the ability to build the resolv.conf +file contents itself. We can just pass the generated contents to +systemd's resolvconf. This way, the DNS information is not incorrectly +deleted. Also, it does not cause behavior regression for dhcpcd +in other cases. + +Upstream-Status: Inappropriate [OE Specific] +This patch has been rejected by dhcpcd upstream. +See details in https://github.com/NetworkConfiguration/dhcpcd/pull/152 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + hooks/20-resolv.conf | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf +index 504a6c53..eb6e5845 100644 +--- a/hooks/20-resolv.conf ++++ b/hooks/20-resolv.conf +@@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming" + NL=" + " + : ${resolvconf:=resolvconf} ++resolvconf_from_systemd=false + if type "$resolvconf" >/dev/null 2>&1; then + have_resolvconf=true ++ if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then ++ resolvconf_from_systemd=true ++ fi + else + have_resolvconf=false + fi +@@ -69,8 +73,13 @@ build_resolv_conf() + else + echo "# /etc/resolv.conf.tail can replace this line" >> "$cf" + fi +- if change_file /etc/resolv.conf "$cf"; then +- chmod 644 /etc/resolv.conf ++ if $resolvconf_from_systemd; then ++ [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric" ++ "$resolvconf" -a "$ifname" <"$cf" ++ else ++ if change_file /etc/resolv.conf "$cf"; then ++ chmod 644 /etc/resolv.conf ++ fi + fi + rm -f "$cf" + } +@@ -170,7 +179,7 @@ add_resolv_conf() + for x in ${new_domain_name_servers}; do + conf="${conf}nameserver $x$NL" + done +- if $have_resolvconf; then ++ if $have_resolvconf && ! $resolvconf_from_systemd; then + [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric" + printf %s "$conf" | "$resolvconf" -a "$ifname" + return $? +@@ -186,7 +195,7 @@ add_resolv_conf() + + remove_resolv_conf() + { +- if $have_resolvconf; then ++ if $have_resolvconf && ($if_down || ! $resolvconf_from_systemd); then + "$resolvconf" -d "$ifname" -f + else + if [ -e "$resolv_conf_dir/$ifname" ]; then +-- +2.17.1 + diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch new file mode 100644 index 0000000000..12998aada4 --- /dev/null +++ b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch @@ -0,0 +1,46 @@ +From 4915a7e52fcea8fe283a842890a1e726b1e26b10 Mon Sep 17 00:00:00 2001 +From: Lei Maohui <leimaohui@fujitsu.com> +Date: Fri, 10 Mar 2023 03:48:46 +0000 +Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib. + +Error: Transaction test error: + file /usr/share/man/man8/dhcpcd.8 conflicts between attempted + installs of dhcpcd-doc-9.4.1-r0.cortexa57 and + lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon + +The differences between the two files are as follows: +@@ -821,7 +821,7 @@ + If you always use the same options, put them here. + .It Pa /usr/libexec/dhcpcd-run-hooks + Bourne shell script that is run to configure or de-configure an interface. +-.It Pa /usr/lib64/dhcpcd/dev ++.It Pa /usr/lib/dhcpcd/dev + Linux + .Pa /dev + management modules. + +It is just a man file, there is no necessary to manage multiple +versions. + +Upstream-Status: Inappropriate [oe specific] +Signed-off-by: Lei Maohui <leimaohui@fujitsu.com> +--- + src/dhcpcd.8.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in +index bc6b3b5..791f2ba 100644 +--- a/src/dhcpcd.8.in ++++ b/src/dhcpcd.8.in +@@ -821,7 +821,7 @@ Configuration file for dhcpcd. + If you always use the same options, put them here. + .It Pa @SCRIPT@ + Bourne shell script that is run to configure or de-configure an interface. +-.It Pa @LIBDIR@/dhcpcd/dev ++.It Pa /usr/<libdir>/dhcpcd/dev + Linux + .Pa /dev + management modules. +-- +2.34.1 + diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch new file mode 100644 index 0000000000..68ab93416a --- /dev/null +++ b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch @@ -0,0 +1,30 @@ +From c6cdf0aee71ab4126d36b045f02428ee3c6ec50b Mon Sep 17 00:00:00 2001 +From: Roy Marples <roy@marples.name> +Date: Fri, 26 Aug 2022 09:08:36 +0100 +Subject: [PATCH 1/2] privsep: Allow getrandom sysctl for newer glibc + +Fixes #120 + +Upstream-Status: Backport [c6cdf0aee71ab4126d36b045f02428ee3c6ec50b] +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/privsep-linux.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/privsep-linux.c b/src/privsep-linux.c +index b238644b..479a1d82 100644 +--- a/src/privsep-linux.c ++++ b/src/privsep-linux.c +@@ -300,6 +300,9 @@ static struct sock_filter ps_seccomp_filter[] = { + #ifdef __NR_getpid + SECCOMP_ALLOW(__NR_getpid), + #endif ++#ifdef __NR_getrandom ++ SECCOMP_ALLOW(__NR_getrandom), ++#endif + #ifdef __NR_getsockopt + /* For route socket overflow */ + SECCOMP_ALLOW_ARG(__NR_getsockopt, 1, SOL_SOCKET), +-- +2.17.1 + diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch new file mode 100644 index 0000000000..1c514f9b8c --- /dev/null +++ b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch @@ -0,0 +1,34 @@ +From 7a2d9767585ed2c407d4985bd2d81552034fb90a Mon Sep 17 00:00:00 2001 +From: CHEN Xiangyu <xiangyu.chen@aol.com> +Date: Thu, 9 Feb 2023 18:41:52 +0800 +Subject: [PATCH] privsep-linux: fix SECCOMP_AUDIT_ARCH missing ppc64le (#181) + +when dhcpcd running on ppc64le platform, it would be killed by SIGSYS. + +Upstream-Status: Backport [7a2d9767585ed2c407d4985bd2d81552034fb90a] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + src/privsep-linux.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/privsep-linux.c b/src/privsep-linux.c +index 7372d26b..6a301950 100644 +--- a/src/privsep-linux.c ++++ b/src/privsep-linux.c +@@ -232,7 +232,11 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg) + #elif defined(__or1k__) + # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC + #elif defined(__powerpc64__) +-# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64 ++# if (BYTE_ORDER == LITTLE_ENDIAN) ++# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE ++# else ++# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64 ++# endif + #elif defined(__powerpc__) + # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC + #elif defined(__riscv) +-- +2.34.1 + diff --git a/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch b/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch new file mode 100644 index 0000000000..c5d2cba305 --- /dev/null +++ b/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch @@ -0,0 +1,31 @@ +From 7625a555797f587a89dc2447fd9d621024d5165c Mon Sep 17 00:00:00 2001 +From: Roy Marples <roy@marples.name> +Date: Fri, 26 Aug 2022 09:24:50 +0100 +Subject: [PATCH 2/2] privsep: Allow newfstatat syscall as well + +Allows newer glibc variants to work apparently. +As reported in #84 and #89. + +Upstream-Status: Backport [7625a555797f587a89dc2447fd9d621024d5165c] +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/privsep-linux.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/privsep-linux.c b/src/privsep-linux.c +index 479a1d82..6327b1bc 100644 +--- a/src/privsep-linux.c ++++ b/src/privsep-linux.c +@@ -328,6 +328,9 @@ static struct sock_filter ps_seccomp_filter[] = { + #ifdef __NR_nanosleep + SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */ + #endif ++#ifdef __NR_newfstatat ++ SECCOMP_ALLOW(__NR_newfstatat), ++#endif + #ifdef __NR_ppoll + SECCOMP_ALLOW(__NR_ppoll), + #endif +-- +2.17.1 + diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch new file mode 100644 index 0000000000..7f5baf3637 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch @@ -0,0 +1,280 @@ +From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001 +From: Jeffrey Bencteux <jeffbencteux@gmail.com> +Date: Fri, 30 Jun 2023 19:02:45 +0200 +Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check + set*id() return values + +Several setuid(), setgid(), seteuid() and setguid() return values +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially +leading to potential security issues. + +CVE: CVE-2023-40303 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] +Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com> +Signed-off-by: Simon Josefsson <simon@josefsson.org> +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ftpd/ftpd.c | 10 +++++++--- + src/rcp.c | 39 +++++++++++++++++++++++++++++++++------ + src/rlogin.c | 11 +++++++++-- + src/rsh.c | 25 +++++++++++++++++++++---- + src/rshd.c | 20 +++++++++++++++++--- + src/uucpd.c | 15 +++++++++++++-- + 6 files changed, 100 insertions(+), 20 deletions(-) + +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c +index 92b2cca5..28dd523f 100644 +--- a/ftpd/ftpd.c ++++ b/ftpd/ftpd.c +@@ -862,7 +862,9 @@ end_login (struct credentials *pcred) + char *remotehost = pcred->remotehost; + int atype = pcred->auth_type; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); ++ + if (pcred->logged_in) + { + logwtmp_keep_open (ttyline, "", ""); +@@ -1151,7 +1153,8 @@ getdatasock (const char *mode) + + if (data >= 0) + return fdopen (data, mode); +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); + if (s < 0) + goto bad; +@@ -1978,7 +1981,8 @@ passive (int epsv, int af) + else /* !AF_INET6 */ + ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0) + { + if (seteuid ((uid_t) cred.uid)) +diff --git a/src/rcp.c b/src/rcp.c +index 75adb253..cdcf8500 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -345,14 +345,23 @@ main (int argc, char *argv[]) + if (from_option) + { /* Follow "protocol", send data. */ + response (); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + source (argc, argv); + exit (errs); + } + + if (to_option) + { /* Receive data. */ +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + sink (argc, argv); + exit (errs); + } +@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[]) + if (response () < 0) + exit (EXIT_FAILURE); + free (bp); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[]) + ++errs; + continue; + } +- seteuid (userid); ++ ++ if (seteuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); + (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); +@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[]) + #endif + vect[0] = target; + sink (1, vect); +- seteuid (effuid); ++ ++ if (seteuid (effuid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + close (rem); + rem = -1; + #ifdef SHISHI +@@ -1441,7 +1464,11 @@ susystem (char *s, int userid) + return (127); + + case 0: +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); + } +diff --git a/src/rlogin.c b/src/rlogin.c +index aa6426fb..c543de0c 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -647,8 +647,15 @@ try_connect: + /* Now change to the real user ID. We have to be set-user-ID root + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 2d622ca4..6f60667d 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -276,8 +276,17 @@ main (int argc, char **argv) + { + if (asrsh) + *argv = (char *) "rlogin"; +- seteuid (getuid ()); +- setuid (getuid ()); ++ ++ if (seteuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); + } +@@ -541,8 +550,16 @@ try_connect: + error (0, errno, "setsockopt DEBUG (ignored)"); + } + +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); + sigaddset (&sigs, SIGINT); +diff --git a/src/rshd.c b/src/rshd.c +index d1c0d0cd..707790e7 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + pwd->pw_shell = PATH_BSHELL; + + /* Set the gid, then uid to become the user specified by "locuser" */ +- setegid ((gid_t) pwd->pw_gid); +- setgid ((gid_t) pwd->pw_gid); ++ if (setegid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ ++ if (setgid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ + #endif +@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + } + #endif /* WITH_PAM */ + +- setuid ((uid_t) pwd->pw_uid); ++ if (setuid ((uid_t) pwd->pw_uid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 107589e1..29cfce35 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen) + snprintf (Username, sizeof (Username), "USER=%s", user); + snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user); + dologin (pw, sap, salen); +- setgid (pw->pw_gid); ++ ++ if (setgid (pw->pw_gid) == -1) ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen) + fprintf (stderr, "Login incorrect."); + return; + } +- setuid (pw->pw_uid); ++ ++ if (setuid (pw->pw_uid) == -1) ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } ++ + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); + } diff --git a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch new file mode 100644 index 0000000000..4bc354d256 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch @@ -0,0 +1,254 @@ +From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <simon@josefsson.org> +Date: Mon, 31 Jul 2023 13:59:05 +0200 +Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit. + +CVE: CVE-2023-40303 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/rcp.c | 42 ++++++++++++++++++++++++------------------ + src/rlogin.c | 12 ++++++------ + src/rsh.c | 24 ++++++++++++------------ + src/rshd.c | 24 ++++++++++++------------ + src/uucpd.c | 16 ++++++++-------- + 5 files changed, 62 insertions(+), 56 deletions(-) + +diff --git a/src/rcp.c b/src/rcp.c +index cdcf8500..652f22e6 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -347,9 +347,10 @@ main (int argc, char *argv[]) + response (); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + source (argc, argv); + exit (errs); +@@ -358,9 +359,10 @@ main (int argc, char *argv[]) + if (to_option) + { /* Receive data. */ + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + sink (argc, argv); + exit (errs); +@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[]) + free (bp); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[]) + } + + if (seteuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); +@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[]) + sink (1, vect); + + if (seteuid (effuid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + close (rem); + rem = -1; +@@ -1465,9 +1470,10 @@ susystem (char *s, int userid) + + case 0: + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); +diff --git a/src/rlogin.c b/src/rlogin.c +index c543de0c..4360202f 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -648,14 +648,14 @@ try_connect: + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 6f60667d..179b47cd 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -278,14 +278,14 @@ main (int argc, char **argv) + *argv = (char *) "rlogin"; + + if (seteuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } + + if (setuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); +@@ -551,14 +551,14 @@ try_connect: + } + + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); +diff --git a/src/rshd.c b/src/rshd.c +index 707790e7..3a153a18 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + + /* Set the gid, then uid to become the user specified by "locuser" */ + if (setegid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setegid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + if (setgid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setgid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ +@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + #endif /* WITH_PAM */ + + if (setuid ((uid_t) pwd->pw_uid) == -1) +- { +- rshd_error ("Cannot drop privileges (setuid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 29cfce35..fde7b9c9 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen) + dologin (pw, sap, salen); + + if (setgid (pw->pw_gid) == -1) +- { +- fprintf (stderr, "setgid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen) + } + + if (setuid (pw->pw_uid) == -1) +- { +- fprintf (stderr, "setuid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } + + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch new file mode 100644 index 0000000000..54040ad74c --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch @@ -0,0 +1,54 @@ +From d52349fa1b6baac77ffa2c74769636aa2ece2ec5 Mon Sep 17 00:00:00 2001 +From: Erik Auerswald <auerswal@unix-ag.uni-kl.de> +Date: Sat, 3 Sep 2022 16:58:16 +0200 +Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt + +Fix telnetd crash if the first two bytes of a new connection +are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). + +The problem was reported in: +<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>. + +* NEWS: Mention fix. +* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and +zero slctab[SLC_EL].sptr. + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f] +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> +--- + telnetd/state.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/telnetd/state.c b/telnetd/state.c +index ffc6cba..c2d760f 100644 +--- a/telnetd/state.c ++++ b/telnetd/state.c +@@ -312,15 +312,21 @@ telrcv (void) + case EC: + case EL: + { +- cc_t ch; ++ cc_t ch = (cc_t) (_POSIX_VDISABLE); + + DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); + ptyflush (); /* half-hearted */ + init_termbuf (); + if (c == EC) +- ch = *slctab[SLC_EC].sptr; ++ { ++ if (slctab[SLC_EC].sptr) ++ ch = *slctab[SLC_EC].sptr; ++ } + else +- ch = *slctab[SLC_EL].sptr; ++ { ++ if (slctab[SLC_EL].sptr) ++ ch = *slctab[SLC_EL].sptr; ++ } + if (ch != (cc_t) (_POSIX_VDISABLE)) + pty_output_byte ((unsigned char) ch); + break; +-- +2.37.3 + diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.2.bb b/meta/recipes-connectivity/inetutils/inetutils_2.2.bb index 6c9a299b71..6f9173dbc1 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.2.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.2.bb @@ -21,6 +21,9 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://inetutils-1.9-PATH_PROCNET_DEV.patch \ file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ + file://CVE-2022-39028.patch \ + file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \ + file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \ " inherit autotools gettext update-alternatives texinfo diff --git a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch index 78f475a495..451b409c88 100644 --- a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch +++ b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch @@ -12,7 +12,7 @@ Subject: [PATCH] There are conflict of config files between kea and lib32-kea: Because they are all commented out, replace the expanded libdir path with '$libdir' in the config files to avoid conflict. -Upstream-Status: Pending +Upstream-Status: Submitted [https://gitlab.isc.org/isc-projects/kea/-/issues/2602] Signed-off-by: Kai Kang <kai.kang@windriver.com> --- diff --git a/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch b/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch new file mode 100644 index 0000000000..d263cced8d --- /dev/null +++ b/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch @@ -0,0 +1,56 @@ +From b8ee33667d265b936d60ee7f0ba0b22463ccb019 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:51:40 +0100 +Subject: [PATCH] fix: always zero-terminate idna output + +Upstream-Status: Backport [https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629] +CVE: CVE-2024-24806 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> +--- + src/idna.c | 5 +++-- + test/test-idna.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/idna.c b/src/idna.c +index 93d982ca..ce7f2746 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -308,8 +308,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + return rc; + } + +- if (d < de) +- *d++ = '\0'; ++ if (d >= de) ++ return UV_EINVAL; + ++ *d++ = '\0'; + return d - ds; /* Number of bytes written. */ + } +diff --git a/test/test-idna.c b/test/test-idna.c +index f4fad965..d079be55 100644 +--- a/test/test-idna.c ++++ b/test/test-idna.c +@@ -99,6 +99,7 @@ TEST_IMPL(utf8_decode1) { + TEST_IMPL(utf8_decode1_overrun) { + const char* p; + char b[1]; ++ char c[1]; + + /* Single byte. */ + p = b; +@@ -112,6 +113,9 @@ TEST_IMPL(utf8_decode1_overrun) { + ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1)); + ASSERT_EQ(p, b + 1); + ++ b[0] = 0x7F; ++ ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1)); ++ + return 0; + } + +-- +2.43.0 + diff --git a/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch b/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch new file mode 100644 index 0000000000..b0ed5f0ea2 --- /dev/null +++ b/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch @@ -0,0 +1,44 @@ +From 96f881c8f600da33ec4ecec450ec491990ce613b Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:52:38 +0100 +Subject: [PATCH] fix: reject zero-length idna inputs + +Upstream-Status: Backport [https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70] +CVE: CVE-2024-24806 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> +--- + src/idna.c | 3 +++ + test/test-idna.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/src/idna.c b/src/idna.c +index ce7f2746..858b19d0 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -274,6 +274,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + char* ds; + int rc; + ++ if (s == se) ++ return UV_EINVAL; ++ + ds = d; + + si = s; +diff --git a/test/test-idna.c b/test/test-idna.c +index d079be55..d59b521e 100644 +--- a/test/test-idna.c ++++ b/test/test-idna.c +@@ -114,6 +114,7 @@ TEST_IMPL(utf8_decode1_overrun) { + ASSERT_EQ(p, b + 1); + + b[0] = 0x7F; ++ ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 0, c, c + 1)); + ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1)); + + return 0; +-- +2.43.0 + diff --git a/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-3.patch b/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-3.patch new file mode 100644 index 0000000000..733660cf05 --- /dev/null +++ b/meta/recipes-connectivity/libuv/libuv/CVE-2024-24806-3.patch @@ -0,0 +1,31 @@ +From a7443ee6b3b3c6a12708148aa9bb001b7782905c Mon Sep 17 00:00:00 2001 +From: Santiago Gimeno <santiago.gimeno@gmail.com> +Date: Wed, 7 Feb 2024 20:27:58 +0100 +Subject: [PATCH] test: empty strings are not valid IDNA + +Upstream-Status: Backport [https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39] +CVE: CVE-2024-24806 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> +--- + test/test-idna.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-idna.c b/test/test-idna.c +index d59b521e..37da38de 100644 +--- a/test/test-idna.c ++++ b/test/test-idna.c +@@ -150,8 +150,8 @@ TEST_IMPL(idna_toascii) { + /* Illegal inputs. */ + F("\xC0\x80\xC1\x80", UV_EINVAL); /* Overlong UTF-8 sequence. */ + F("\xC0\x80\xC1\x80.com", UV_EINVAL); /* Overlong UTF-8 sequence. */ ++ F("", UV_EINVAL); + /* No conversion. */ +- T("", ""); + T(".", "."); + T(".com", ".com"); + T("example", "example"); +-- +2.43.0 + diff --git a/meta/recipes-connectivity/libuv/libuv_1.44.1.bb b/meta/recipes-connectivity/libuv/libuv_1.44.2.bb index 4c96d80a65..e2cd3c3247 100644 --- a/meta/recipes-connectivity/libuv/libuv_1.44.1.bb +++ b/meta/recipes-connectivity/libuv/libuv_1.44.2.bb @@ -5,8 +5,12 @@ BUGTRACKER = "https://github.com/libuv/libuv/issues" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=ad93ca1fffe931537fcf64f6fcce084d" -SRCREV = "e8b7eb6908a847ffbe6ab2eec7428e43a0aa53a2" -SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https" +SRCREV = "0c1fa696aa502eb749c2c4735005f41ba00a27b8" +SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https \ + file://CVE-2024-24806-1.patch \ + file://CVE-2024-24806-2.patch \ + file://CVE-2024-24806-3.patch \ + " UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index e6f216e5cb..a4030b7b32 100644 --- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -5,8 +5,8 @@ SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "3d5c8d0f7e0264768a2c000d0fd4b4d4a991e041" -PV = "20220511" +SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe" +PV = "20230416" PE = "1" SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch new file mode 100644 index 0000000000..b4e7ce7ef6 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-include-destination-constraints-for-smartca.patch @@ -0,0 +1,35 @@ +From 91889b5a3e7554af474a21ce8e1ffd3eb1542f06 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 9 Mar 2023 06:58:26 +0000 +Subject: [PATCH] upstream: include destination constraints for smartcard keys + too. + +Spotted by Luci Stanescu; ok deraadt@ markus@ + +OpenBSD-Commit-ID: add879fac6903a1cb1d1e42c4309e5359c3d870f + +CVE: CVE-2023-28531 + +Upstream-Status: Backport [54ac4ab2b53ce9fcb66b8250dee91c070e4167ed] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + authfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/authfd.c b/authfd.c +index 76e48aab..dca8e55b 100644 +--- a/authfd.c ++++ b/authfd.c +@@ -665,7 +665,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin, + struct dest_constraint **dest_constraints, size_t ndest_constraints) + { + struct sshbuf *msg; +- int r, constrained = (life || confirm); ++ int r, constrained = (life || confirm || dest_constraints); + u_char type; + + if (add) { +-- +2.37.1 + diff --git a/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch new file mode 100644 index 0000000000..ebdff1ffe4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch @@ -0,0 +1,984 @@ +From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Fri, 24 Mar 2023 13:56:25 +1100 +Subject: [PATCH] remove support for old libcrypto + +OpenSSH now requires LibreSSL 3.1.0 or greater or +OpenSSL 1.1.1 or greater + +with/ok dtucker@ + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0] +Comment: Hunk are refreshed, removed couple of hunks from configure.ac as hunk code is not prasent +and backported to the existing code. +Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com> + +--- + .github/workflows/c-cpp.yml | 7 - + INSTALL | 8 +- + cipher-aes.c | 2 +- + configure.ac | 96 ++--- + openbsd-compat/libressl-api-compat.c | 556 +-------------------------- + openbsd-compat/openssl-compat.h | 151 +------- + 6 files changed, 40 insertions(+), 780 deletions(-) + +diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml +index 3d9aa22dba5..d299a32468d 100644 +--- a/.github/workflows/c-cpp.yml ++++ b/.github/workflows/c-cpp.yml +@@ -40,18 +40,11 @@ + - { os: ubuntu-20.04, configs: tcmalloc } + - { os: ubuntu-20.04, configs: musl } + - { os: ubuntu-latest, configs: libressl-master } +- - { os: ubuntu-latest, configs: libressl-2.2.9 } +- - { os: ubuntu-latest, configs: libressl-2.8.3 } +- - { os: ubuntu-latest, configs: libressl-3.0.2 } + - { os: ubuntu-latest, configs: libressl-3.2.6 } + - { os: ubuntu-latest, configs: libressl-3.3.4 } + - { os: ubuntu-latest, configs: libressl-3.4.1 } + - { os: ubuntu-latest, configs: openssl-master } + - { os: ubuntu-latest, configs: openssl-noec } +- - { os: ubuntu-latest, configs: openssl-1.0.1 } +- - { os: ubuntu-latest, configs: openssl-1.0.1u } +- - { os: ubuntu-latest, configs: openssl-1.0.2u } +- - { os: ubuntu-latest, configs: openssl-1.1.0h } + - { os: ubuntu-latest, configs: openssl-1.1.1 } + - { os: ubuntu-latest, configs: openssl-1.1.1k } + - { os: ubuntu-latest, configs: openssl-3.0.0 } +diff --git a/INSTALL b/INSTALL +index 68b15e13190..f99d1e2a809 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -21,12 +21,8 @@ https://zlib.net/ + + libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto + is supported but severely restricts the available ciphers and algorithms. +- - LibreSSL (https://www.libressl.org/) +- - OpenSSL (https://www.openssl.org) with any of the following versions: +- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 +- +-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to +-1.1.0g can't be used. ++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater ++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater + + LibreSSL/OpenSSL should be compiled as a position-independent library + (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" +diff --git a/cipher-aes.c b/cipher-aes.c +index 8b101727284..87c763353d8 100644 +--- a/cipher-aes.c ++++ b/cipher-aes.c +@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + static int + ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, +- LIBCRYPTO_EVP_INL_TYPE len) ++ size_t len) + { + struct ssh_rijndael_ctx *c; + u_char buf[RIJNDAEL_BLOCKSIZE]; +diff --git a/configure.ac b/configure.ac +index 22fee70f604..1c0ccdf19c5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2744,42 +2744,40 @@ + #include <openssl/crypto.h> + #define DATA "conftest.ssllibver" + ]], [[ +- FILE *fd; +- int rc; ++ FILE *f; + +- fd = fopen(DATA,"w"); +- if(fd == NULL) ++ if ((f = fopen(DATA, "w")) == NULL) + exit(1); +-#ifndef OPENSSL_VERSION +-# define OPENSSL_VERSION SSLEAY_VERSION +-#endif +-#ifndef HAVE_OPENSSL_VERSION +-# define OpenSSL_version SSLeay_version +-#endif +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif +- if ((rc = fprintf(fd, "%08lx (%s)\n", ++ if (fprintf(f, "%08lx (%s)", + (unsigned long)OpenSSL_version_num(), +- OpenSSL_version(OPENSSL_VERSION))) < 0) ++ OpenSSL_version(OPENSSL_VERSION)) < 0) ++ exit(1); ++#ifdef LIBRESSL_VERSION_NUMBER ++ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0) ++ exit(1); ++#endif ++ if (fputc('\n', f) == EOF || fclose(f) == EOF) + exit(1); +- + exit(0); + ]])], + [ +- ssl_library_ver=`cat conftest.ssllibver` ++ sslver=`cat conftest.ssllibver` ++ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'` + # Check version is supported. +- case "$ssl_library_ver" in +- 10000*|0*) +- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) +- ;; +- 100*) ;; # 1.0.x +- 101000[[0123456]]*) +- # https://github.com/openssl/openssl/pull/4613 +- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) ++ case "$sslver" in ++ 100*|10100*) # 1.0.x, 1.1.0x ++ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")]) + ;; + 101*) ;; # 1.1.x +- 200*) ;; # LibreSSL ++ 200*) # LibreSSL ++ lver=`echo "$sslver" | sed 's/.*libressl-//'` ++ case "$lver" in ++ 2*|300*) # 2.x, 3.0.0 ++ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")]) ++ ;; ++ *) ;; # Assume all other versions are good. ++ esac ++ ;; + 300*) ;; # OpenSSL 3 + 301*) ;; # OpenSSL development branch. + *) +@@ -2781,10 +2781,10 @@ + 300*) ;; # OpenSSL 3 + 301*) ;; # OpenSSL development branch. + *) +- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) ++ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")]) + ;; + esac +- AC_MSG_RESULT([$ssl_library_ver]) ++ AC_MSG_RESULT([$ssl_showver]) + ], + [ + AC_MSG_RESULT([not found]) +@@ -2804,9 +2804,6 @@ + #include <openssl/opensslv.h> + #include <openssl/crypto.h> + ]], [[ +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif + exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1); + ]])], + [ +@@ -2881,44 +2878,13 @@ + ) + ) + +- # LibreSSL/OpenSSL 1.1x API ++ # LibreSSL/OpenSSL API differences + AC_CHECK_FUNCS([ \ +- OPENSSL_init_crypto \ +- DH_get0_key \ +- DH_get0_pqg \ +- DH_set0_key \ +- DH_set_length \ +- DH_set0_pqg \ +- DSA_get0_key \ +- DSA_get0_pqg \ +- DSA_set0_key \ +- DSA_set0_pqg \ +- DSA_SIG_get0 \ +- DSA_SIG_set0 \ +- ECDSA_SIG_get0 \ +- ECDSA_SIG_set0 \ + EVP_CIPHER_CTX_iv \ + EVP_CIPHER_CTX_iv_noconst \ + EVP_CIPHER_CTX_get_iv \ + EVP_CIPHER_CTX_get_updated_iv \ + EVP_CIPHER_CTX_set_iv \ +- RSA_get0_crt_params \ +- RSA_get0_factors \ +- RSA_get0_key \ +- RSA_set0_crt_params \ +- RSA_set0_factors \ +- RSA_set0_key \ +- RSA_meth_free \ +- RSA_meth_dup \ +- RSA_meth_set1_name \ +- RSA_meth_get_finish \ +- RSA_meth_set_priv_enc \ +- RSA_meth_set_priv_dec \ +- RSA_meth_set_finish \ +- EVP_PKEY_get0_RSA \ +- EVP_MD_CTX_new \ +- EVP_MD_CTX_free \ +- EVP_chacha20 \ + ]) + + if test "x$openssl_engine" = "xyes" ; then +@@ -3040,8 +3006,8 @@ + fi + AC_CHECK_FUNCS([crypt DES_crypt]) + +- # Check for SHA256, SHA384 and SHA512 support in OpenSSL +- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) ++ # Check for various EVP support in OpenSSL ++ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20]) + + # Check complete ECC support in OpenSSL + AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) +diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c +index 498180dc894..59be17397c5 100644 +--- a/openbsd-compat/libressl-api-compat.c ++++ b/openbsd-compat/libressl-api-compat.c +@@ -1,129 +1,5 @@ +-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ +-/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ +-/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ +-/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ +-/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */ +-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ +-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) +- * All rights reserved. +- * +- * This package is an SSL implementation written +- * by Eric Young (eay@cryptsoft.com). +- * The implementation was written so as to conform with Netscapes SSL. +- * +- * This library is free for commercial and non-commercial use as long as +- * the following conditions are aheared to. The following conditions +- * apply to all code found in this distribution, be it the RC4, RSA, +- * lhash, DES, etc., code; not just the SSL code. The SSL documentation +- * included with this distribution is covered by the same copyright terms +- * except that the holder is Tim Hudson (tjh@cryptsoft.com). +- * +- * Copyright remains Eric Young's, and as such any Copyright notices in +- * the code are not to be removed. +- * If this package is used in a product, Eric Young should be given attribution +- * as the author of the parts of the library used. +- * This can be in the form of a textual message at program startup or +- * in documentation (online or textual) provided with the package. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * 1. Redistributions of source code must retain the copyright +- * notice, this list of conditions and the following disclaimer. +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in the +- * documentation and/or other materials provided with the distribution. +- * 3. All advertising materials mentioning features or use of this software +- * must display the following acknowledgement: +- * "This product includes cryptographic software written by +- * Eric Young (eay@cryptsoft.com)" +- * The word 'cryptographic' can be left out if the rouines from the library +- * being used are not cryptographic related :-). +- * 4. If you include any Windows specific code (or a derivative thereof) from +- * the apps directory (application code) you must include an acknowledgement: +- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" +- * +- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. +- * +- * The licence and distribution terms for any publically available version or +- * derivative of this code cannot be changed. i.e. this code cannot simply be +- * copied and put under another distribution licence +- * [including the GNU Public Licence.] +- */ +- +-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ +-/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ +-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ +-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +- * project 2000. +- */ +-/* ==================================================================== +- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * +- * 1. Redistributions of source code must retain the above copyright +- * notice, this list of conditions and the following disclaimer. +- * +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in +- * the documentation and/or other materials provided with the +- * distribution. +- * +- * 3. All advertising materials mentioning features or use of this +- * software must display the following acknowledgment: +- * "This product includes software developed by the OpenSSL Project +- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" +- * +- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +- * endorse or promote products derived from this software without +- * prior written permission. For written permission, please contact +- * licensing@OpenSSL.org. +- * +- * 5. Products derived from this software may not be called "OpenSSL" +- * nor may "OpenSSL" appear in their names without prior written +- * permission of the OpenSSL Project. +- * +- * 6. Redistributions of any form whatsoever must retain the following +- * acknowledgment: +- * "This product includes software developed by the OpenSSL Project +- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" +- * +- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +- * OF THE POSSIBILITY OF SUCH DAMAGE. +- * ==================================================================== +- * +- * This product includes cryptographic software written by Eric Young +- * (eay@cryptsoft.com). This product includes software written by Tim +- * Hudson (tjh@cryptsoft.com). +- * +- */ +- +-/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */ + /* +- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> ++ * Copyright (c) 2018 Damien Miller <djm@mindrot.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -147,192 +23,7 @@ + #include <stdlib.h> + #include <string.h> + +-#include <openssl/err.h> +-#include <openssl/bn.h> +-#include <openssl/dsa.h> +-#include <openssl/rsa.h> + #include <openssl/evp.h> +-#ifdef OPENSSL_HAS_ECC +-#include <openssl/ecdsa.h> +-#endif +-#include <openssl/dh.h> +- +-#ifndef HAVE_DSA_GET0_PQG +-void +-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +-{ +- if (p != NULL) +- *p = d->p; +- if (q != NULL) +- *q = d->q; +- if (g != NULL) +- *g = d->g; +-} +-#endif /* HAVE_DSA_GET0_PQG */ +- +-#ifndef HAVE_DSA_SET0_PQG +-int +-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || +- (d->g == NULL && g == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(d->p); +- d->p = p; +- } +- if (q != NULL) { +- BN_free(d->q); +- d->q = q; +- } +- if (g != NULL) { +- BN_free(d->g); +- d->g = g; +- } +- +- return 1; +-} +-#endif /* HAVE_DSA_SET0_PQG */ +- +-#ifndef HAVE_DSA_GET0_KEY +-void +-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) +-{ +- if (pub_key != NULL) +- *pub_key = d->pub_key; +- if (priv_key != NULL) +- *priv_key = d->priv_key; +-} +-#endif /* HAVE_DSA_GET0_KEY */ +- +-#ifndef HAVE_DSA_SET0_KEY +-int +-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +-{ +- if (d->pub_key == NULL && pub_key == NULL) +- return 0; +- +- if (pub_key != NULL) { +- BN_free(d->pub_key); +- d->pub_key = pub_key; +- } +- if (priv_key != NULL) { +- BN_free(d->priv_key); +- d->priv_key = priv_key; +- } +- +- return 1; +-} +-#endif /* HAVE_DSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_KEY +-void +-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +-{ +- if (n != NULL) +- *n = r->n; +- if (e != NULL) +- *e = r->e; +- if (d != NULL) +- *d = r->d; +-} +-#endif /* HAVE_RSA_GET0_KEY */ +- +-#ifndef HAVE_RSA_SET0_KEY +-int +-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +-{ +- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) +- return 0; +- +- if (n != NULL) { +- BN_free(r->n); +- r->n = n; +- } +- if (e != NULL) { +- BN_free(r->e); +- r->e = e; +- } +- if (d != NULL) { +- BN_free(r->d); +- r->d = d; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_CRT_PARAMS +-void +-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, +- const BIGNUM **iqmp) +-{ +- if (dmp1 != NULL) +- *dmp1 = r->dmp1; +- if (dmq1 != NULL) +- *dmq1 = r->dmq1; +- if (iqmp != NULL) +- *iqmp = r->iqmp; +-} +-#endif /* HAVE_RSA_GET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_SET0_CRT_PARAMS +-int +-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) +-{ +- if ((r->dmp1 == NULL && dmp1 == NULL) || +- (r->dmq1 == NULL && dmq1 == NULL) || +- (r->iqmp == NULL && iqmp == NULL)) +- return 0; +- +- if (dmp1 != NULL) { +- BN_free(r->dmp1); +- r->dmp1 = dmp1; +- } +- if (dmq1 != NULL) { +- BN_free(r->dmq1); +- r->dmq1 = dmq1; +- } +- if (iqmp != NULL) { +- BN_free(r->iqmp); +- r->iqmp = iqmp; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_GET0_FACTORS +-void +-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +-{ +- if (p != NULL) +- *p = r->p; +- if (q != NULL) +- *q = r->q; +-} +-#endif /* HAVE_RSA_GET0_FACTORS */ +- +-#ifndef HAVE_RSA_SET0_FACTORS +-int +-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) +-{ +- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(r->p); +- r->p = p; +- } +- if (q != NULL) { +- BN_free(r->q); +- r->q = q; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_FACTORS */ + + #ifndef HAVE_EVP_CIPHER_CTX_GET_IV + int +@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) + } + #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ + +-#ifndef HAVE_DSA_SIG_GET0 +-void +-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +-{ +- if (pr != NULL) +- *pr = sig->r; +- if (ps != NULL) +- *ps = sig->s; +-} +-#endif /* HAVE_DSA_SIG_GET0 */ +- +-#ifndef HAVE_DSA_SIG_SET0 +-int +-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +-{ +- if (r == NULL || s == NULL) +- return 0; +- +- BN_clear_free(sig->r); +- sig->r = r; +- BN_clear_free(sig->s); +- sig->s = s; +- +- return 1; +-} +-#endif /* HAVE_DSA_SIG_SET0 */ +- +-#ifdef OPENSSL_HAS_ECC +-#ifndef HAVE_ECDSA_SIG_GET0 +-void +-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +-{ +- if (pr != NULL) +- *pr = sig->r; +- if (ps != NULL) +- *ps = sig->s; +-} +-#endif /* HAVE_ECDSA_SIG_GET0 */ +- +-#ifndef HAVE_ECDSA_SIG_SET0 +-int +-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +-{ +- if (r == NULL || s == NULL) +- return 0; +- +- BN_clear_free(sig->r); +- BN_clear_free(sig->s); +- sig->r = r; +- sig->s = s; +- return 1; +-} +-#endif /* HAVE_ECDSA_SIG_SET0 */ +-#endif /* OPENSSL_HAS_ECC */ +- +-#ifndef HAVE_DH_GET0_PQG +-void +-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +-{ +- if (p != NULL) +- *p = dh->p; +- if (q != NULL) +- *q = dh->q; +- if (g != NULL) +- *g = dh->g; +-} +-#endif /* HAVE_DH_GET0_PQG */ +- +-#ifndef HAVE_DH_SET0_PQG +-int +-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(dh->p); +- dh->p = p; +- } +- if (q != NULL) { +- BN_free(dh->q); +- dh->q = q; +- } +- if (g != NULL) { +- BN_free(dh->g); +- dh->g = g; +- } +- +- return 1; +-} +-#endif /* HAVE_DH_SET0_PQG */ +- +-#ifndef HAVE_DH_GET0_KEY +-void +-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +-{ +- if (pub_key != NULL) +- *pub_key = dh->pub_key; +- if (priv_key != NULL) +- *priv_key = dh->priv_key; +-} +-#endif /* HAVE_DH_GET0_KEY */ +- +-#ifndef HAVE_DH_SET0_KEY +-int +-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) +-{ +- if (pub_key != NULL) { +- BN_free(dh->pub_key); +- dh->pub_key = pub_key; +- } +- if (priv_key != NULL) { +- BN_free(dh->priv_key); +- dh->priv_key = priv_key; +- } +- +- return 1; +-} +-#endif /* HAVE_DH_SET0_KEY */ +- +-#ifndef HAVE_DH_SET_LENGTH +-int +-DH_set_length(DH *dh, long length) +-{ +- if (length < 0 || length > INT_MAX) +- return 0; +- +- dh->length = length; +- return 1; +-} +-#endif /* HAVE_DH_SET_LENGTH */ +- +-#ifndef HAVE_RSA_METH_FREE +-void +-RSA_meth_free(RSA_METHOD *meth) +-{ +- if (meth != NULL) { +- free((char *)meth->name); +- free(meth); +- } +-} +-#endif /* HAVE_RSA_METH_FREE */ +- +-#ifndef HAVE_RSA_METH_DUP +-RSA_METHOD * +-RSA_meth_dup(const RSA_METHOD *meth) +-{ +- RSA_METHOD *copy; +- +- if ((copy = calloc(1, sizeof(*copy))) == NULL) +- return NULL; +- memcpy(copy, meth, sizeof(*copy)); +- if ((copy->name = strdup(meth->name)) == NULL) { +- free(copy); +- return NULL; +- } +- +- return copy; +-} +-#endif /* HAVE_RSA_METH_DUP */ +- +-#ifndef HAVE_RSA_METH_SET1_NAME +-int +-RSA_meth_set1_name(RSA_METHOD *meth, const char *name) +-{ +- char *copy; +- +- if ((copy = strdup(name)) == NULL) +- return 0; +- free((char *)meth->name); +- meth->name = copy; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET1_NAME */ +- +-#ifndef HAVE_RSA_METH_GET_FINISH +-int +-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) +-{ +- return meth->finish; +-} +-#endif /* HAVE_RSA_METH_GET_FINISH */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_ENC +-int +-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +-{ +- meth->rsa_priv_enc = priv_enc; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_DEC +-int +-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +-{ +- meth->rsa_priv_dec = priv_dec; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ +- +-#ifndef HAVE_RSA_METH_SET_FINISH +-int +-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) +-{ +- meth->finish = finish; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_FINISH */ +- +-#ifndef HAVE_EVP_PKEY_GET0_RSA +-RSA * +-EVP_PKEY_get0_RSA(EVP_PKEY *pkey) +-{ +- if (pkey->type != EVP_PKEY_RSA) { +- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */ +- return NULL; +- } +- return pkey->pkey.rsa; +-} +-#endif /* HAVE_EVP_PKEY_GET0_RSA */ +- +-#ifndef HAVE_EVP_MD_CTX_NEW +-EVP_MD_CTX * +-EVP_MD_CTX_new(void) +-{ +- return calloc(1, sizeof(EVP_MD_CTX)); +-} +-#endif /* HAVE_EVP_MD_CTX_NEW */ +- +-#ifndef HAVE_EVP_MD_CTX_FREE +-void +-EVP_MD_CTX_free(EVP_MD_CTX *ctx) +-{ +- if (ctx == NULL) +- return; +- +- EVP_MD_CTX_cleanup(ctx); +- +- free(ctx); +-} +-#endif /* HAVE_EVP_MD_CTX_FREE */ +- + #endif /* WITH_OPENSSL */ +diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h +index 61a69dd56eb..d0dd2c3450d 100644 +--- a/openbsd-compat/openssl-compat.h ++++ b/openbsd-compat/openssl-compat.h +@@ -33,26 +33,13 @@ + int ssh_compatible_openssl(long, long); + void ssh_libcrypto_init(void); + +-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL) +-# error OpenSSL 1.0.1 or greater is required ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) ++# error OpenSSL 1.1.0 or greater is required + #endif +- +-#ifndef OPENSSL_VERSION +-# define OPENSSL_VERSION SSLEAY_VERSION +-#endif +- +-#ifndef HAVE_OPENSSL_VERSION +-# define OpenSSL_version(x) SSLeay_version(x) +-#endif +- +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif +- +-#if OPENSSL_VERSION_NUMBER < 0x10000001L +-# define LIBCRYPTO_EVP_INL_TYPE unsigned int +-#else +-# define LIBCRYPTO_EVP_INL_TYPE size_t ++#ifdef LIBRESSL_VERSION_NUMBER ++# if LIBRESSL_VERSION_NUMBER < 0x3010000fL ++# error LibreSSL 3.1.0 or greater is required ++# endif + #endif + + #ifndef OPENSSL_RSA_MAX_MODULUS_BITS +@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void); + # endif + #endif + +-/* LibreSSL/OpenSSL 1.1x API compat */ +-#ifndef HAVE_DSA_GET0_PQG +-void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, +- const BIGNUM **g); +-#endif /* HAVE_DSA_GET0_PQG */ +- +-#ifndef HAVE_DSA_SET0_PQG +-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* HAVE_DSA_SET0_PQG */ +- +-#ifndef HAVE_DSA_GET0_KEY +-void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, +- const BIGNUM **priv_key); +-#endif /* HAVE_DSA_GET0_KEY */ +- +-#ifndef HAVE_DSA_SET0_KEY +-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); +-#endif /* HAVE_DSA_SET0_KEY */ +- + #ifndef HAVE_EVP_CIPHER_CTX_GET_IV + # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV + # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv +@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, + const unsigned char *iv, size_t len); + #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ + +-#ifndef HAVE_RSA_GET0_KEY +-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, +- const BIGNUM **d); +-#endif /* HAVE_RSA_GET0_KEY */ +- +-#ifndef HAVE_RSA_SET0_KEY +-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +-#endif /* HAVE_RSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_CRT_PARAMS +-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, +- const BIGNUM **iqmp); +-#endif /* HAVE_RSA_GET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_SET0_CRT_PARAMS +-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); +-#endif /* HAVE_RSA_SET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_GET0_FACTORS +-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +-#endif /* HAVE_RSA_GET0_FACTORS */ +- +-#ifndef HAVE_RSA_SET0_FACTORS +-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); +-#endif /* HAVE_RSA_SET0_FACTORS */ +- +-#ifndef DSA_SIG_GET0 +-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +-#endif /* DSA_SIG_GET0 */ +- +-#ifndef DSA_SIG_SET0 +-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); +-#endif /* DSA_SIG_SET0 */ +- +-#ifdef OPENSSL_HAS_ECC +-#ifndef HAVE_ECDSA_SIG_GET0 +-void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +-#endif /* HAVE_ECDSA_SIG_GET0 */ +- +-#ifndef HAVE_ECDSA_SIG_SET0 +-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); +-#endif /* HAVE_ECDSA_SIG_SET0 */ +-#endif /* OPENSSL_HAS_ECC */ +- +-#ifndef HAVE_DH_GET0_PQG +-void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, +- const BIGNUM **g); +-#endif /* HAVE_DH_GET0_PQG */ +- +-#ifndef HAVE_DH_SET0_PQG +-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* HAVE_DH_SET0_PQG */ +- +-#ifndef HAVE_DH_GET0_KEY +-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); +-#endif /* HAVE_DH_GET0_KEY */ +- +-#ifndef HAVE_DH_SET0_KEY +-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +-#endif /* HAVE_DH_SET0_KEY */ +- +-#ifndef HAVE_DH_SET_LENGTH +-int DH_set_length(DH *dh, long length); +-#endif /* HAVE_DH_SET_LENGTH */ +- +-#ifndef HAVE_RSA_METH_FREE +-void RSA_meth_free(RSA_METHOD *meth); +-#endif /* HAVE_RSA_METH_FREE */ +- +-#ifndef HAVE_RSA_METH_DUP +-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +-#endif /* HAVE_RSA_METH_DUP */ +- +-#ifndef HAVE_RSA_METH_SET1_NAME +-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); +-#endif /* HAVE_RSA_METH_SET1_NAME */ +- +-#ifndef HAVE_RSA_METH_GET_FINISH +-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); +-#endif /* HAVE_RSA_METH_GET_FINISH */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_ENC +-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_DEC +-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ +- +-#ifndef HAVE_RSA_METH_SET_FINISH +-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); +-#endif /* HAVE_RSA_METH_SET_FINISH */ +- +-#ifndef HAVE_EVP_PKEY_GET0_RSA +-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); +-#endif /* HAVE_EVP_PKEY_GET0_RSA */ +- +-#ifndef HAVE_EVP_MD_CTX_new +-EVP_MD_CTX *EVP_MD_CTX_new(void); +-#endif /* HAVE_EVP_MD_CTX_new */ +- +-#ifndef HAVE_EVP_MD_CTX_free +-void EVP_MD_CTX_free(EVP_MD_CTX *ctx); +-#endif /* HAVE_EVP_MD_CTX_free */ +- + #endif /* WITH_OPENSSL */ + #endif /* _OPENSSL_COMPAT_H */ diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch new file mode 100644 index 0000000000..2ee344cb27 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch @@ -0,0 +1,585 @@ +From 099cdf59ce1e72f55d421c8445bf6321b3004755 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 14:03:45 +0000 +Subject: [PATCH 1/4] upstream: Separate ssh-pkcs11-helpers for each p11 module + +Make ssh-pkcs11-client start an independent helper for each provider, +providing better isolation between modules and reliability if a single +module misbehaves. + +This also implements reference counting of PKCS#11-hosted keys, +allowing ssh-pkcs11-helper subprocesses to be automatically reaped +when no remaining keys reference them. This fixes some bugs we have +that make PKCS11 keys unusable after they have been deleted, e.g. +https://bugzilla.mindrot.org/show_bug.cgi?id=3125 + +ok markus@ + +OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755] + +CVE: CVE-2023-38408 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + ssh-pkcs11-client.c | 378 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 285 insertions(+), 93 deletions(-) + +diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c +index cfd833d..7db6c6c 100644 +--- a/ssh-pkcs11-client.c ++++ b/ssh-pkcs11-client.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-pkcs11-client.c,v 1.17 2020/10/18 11:32:02 djm Exp $ */ ++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */ + /* + * Copyright (c) 2010 Markus Friedl. All rights reserved. + * Copyright (c) 2014 Pedro Martelletto. All rights reserved. +@@ -30,12 +30,11 @@ + #include <string.h> + #include <unistd.h> + #include <errno.h> ++#include <limits.h> + + #include <openssl/ecdsa.h> + #include <openssl/rsa.h> + +-#include "openbsd-compat/openssl-compat.h" +- + #include "pathnames.h" + #include "xmalloc.h" + #include "sshbuf.h" +@@ -47,18 +46,140 @@ + #include "ssh-pkcs11.h" + #include "ssherr.h" + ++#include "openbsd-compat/openssl-compat.h" ++ + /* borrows code from sftp-server and ssh-agent */ + +-static int fd = -1; +-static pid_t pid = -1; ++/* ++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up ++ * by provider path or their unique EC/RSA METHOD pointers. ++ */ ++struct helper { ++ char *path; ++ pid_t pid; ++ int fd; ++ RSA_METHOD *rsa_meth; ++ EC_KEY_METHOD *ec_meth; ++ int (*rsa_finish)(RSA *rsa); ++ void (*ec_finish)(EC_KEY *key); ++ size_t nrsa, nec; /* number of active keys of each type */ ++}; ++static struct helper **helpers; ++static size_t nhelpers; ++ ++static struct helper * ++helper_by_provider(const char *path) ++{ ++ size_t i; ++ ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] == NULL || helpers[i]->path == NULL || ++ helpers[i]->fd == -1) ++ continue; ++ if (strcmp(helpers[i]->path, path) == 0) ++ return helpers[i]; ++ } ++ return NULL; ++} ++ ++static struct helper * ++helper_by_rsa(const RSA *rsa) ++{ ++ size_t i; ++ const RSA_METHOD *meth; ++ ++ if ((meth = RSA_get_method(rsa)) == NULL) ++ return NULL; ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] != NULL && helpers[i]->rsa_meth == meth) ++ return helpers[i]; ++ } ++ return NULL; ++ ++} ++ ++static struct helper * ++helper_by_ec(const EC_KEY *ec) ++{ ++ size_t i; ++ const EC_KEY_METHOD *meth; ++ ++ if ((meth = EC_KEY_get_method(ec)) == NULL) ++ return NULL; ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] != NULL && helpers[i]->ec_meth == meth) ++ return helpers[i]; ++ } ++ return NULL; ++ ++} ++ ++static void ++helper_free(struct helper *helper) ++{ ++ size_t i; ++ int found = 0; ++ ++ if (helper == NULL) ++ return; ++ if (helper->path == NULL || helper->ec_meth == NULL || ++ helper->rsa_meth == NULL) ++ fatal_f("inconsistent helper"); ++ debug3_f("free helper for provider %s", helper->path); ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] == helper) { ++ if (found) ++ fatal_f("helper recorded more than once"); ++ found = 1; ++ } ++ else if (found) ++ helpers[i - 1] = helpers[i]; ++ } ++ if (found) { ++ helpers = xrecallocarray(helpers, nhelpers, ++ nhelpers - 1, sizeof(*helpers)); ++ nhelpers--; ++ } ++ free(helper->path); ++ EC_KEY_METHOD_free(helper->ec_meth); ++ RSA_meth_free(helper->rsa_meth); ++ free(helper); ++} ++ ++static void ++helper_terminate(struct helper *helper) ++{ ++ if (helper == NULL) { ++ return; ++ } else if (helper->fd == -1) { ++ debug3_f("already terminated"); ++ } else { ++ debug3_f("terminating helper for %s; " ++ "remaining %zu RSA %zu ECDSA", ++ helper->path, helper->nrsa, helper->nec); ++ close(helper->fd); ++ /* XXX waitpid() */ ++ helper->fd = -1; ++ helper->pid = -1; ++ } ++ /* ++ * Don't delete the helper entry until there are no remaining keys ++ * that reference it. Otherwise, any signing operation would call ++ * a free'd METHOD pointer and that would be bad. ++ */ ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_free(helper); ++} + + static void +-send_msg(struct sshbuf *m) ++send_msg(int fd, struct sshbuf *m) + { + u_char buf[4]; + size_t mlen = sshbuf_len(m); + int r; + ++ if (fd == -1) ++ return; + POKE_U32(buf, mlen); + if (atomicio(vwrite, fd, buf, 4) != 4 || + atomicio(vwrite, fd, sshbuf_mutable_ptr(m), +@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m) + } + + static int +-recv_msg(struct sshbuf *m) ++recv_msg(int fd, struct sshbuf *m) + { + u_int l, len; + u_char c, buf[1024]; + int r; + ++ sshbuf_reset(m); ++ if (fd == -1) ++ return 0; /* XXX */ + if ((len = atomicio(read, fd, buf, 4)) != 4) { + error("read from helper failed: %u", len); + return (0); /* XXX */ +@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m) + if (len > 256 * 1024) + fatal("response too long: %u", len); + /* read len bytes into m */ +- sshbuf_reset(m); + while (len > 0) { + l = len; + if (l > sizeof(buf)) +@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m) + int + pkcs11_init(int interactive) + { +- return (0); ++ return 0; + } + + void + pkcs11_terminate(void) + { +- if (fd >= 0) +- close(fd); ++ size_t i; ++ ++ debug3_f("terminating %zu helpers", nhelpers); ++ for (i = 0; i < nhelpers; i++) ++ helper_terminate(helpers[i]); + } + + static int +@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + u_char *blob = NULL, *signature = NULL; + size_t blen, slen = 0; + int r, ret = -1; ++ struct helper *helper; + ++ if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1) ++ fatal_f("no helper for PKCS11 key"); ++ debug3_f("signing with PKCS11 provider %s", helper->path); + if (padding != RSA_PKCS1_PADDING) + goto fail; + key = sshkey_new(KEY_UNSPEC); +@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + (r = sshbuf_put_string(msg, from, flen)) != 0 || + (r = sshbuf_put_u32(msg, 0)) != 0) + fatal_fr(r, "compose"); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { ++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { + if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) + fatal_fr(r, "parse"); + if (slen <= (size_t)RSA_size(rsa)) { +@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + return (ret); + } + +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) ++static int ++rsa_finish(RSA *rsa) ++{ ++ struct helper *helper; ++ ++ if ((helper = helper_by_rsa(rsa)) == NULL) ++ fatal_f("no helper for PKCS11 key"); ++ debug3_f("free PKCS11 RSA key for provider %s", helper->path); ++ if (helper->rsa_finish != NULL) ++ helper->rsa_finish(rsa); ++ if (helper->nrsa == 0) ++ fatal_f("RSA refcount error"); ++ helper->nrsa--; ++ debug3_f("provider %s remaining keys: %zu RSA %zu ECDSA", ++ helper->path, helper->nrsa, helper->nec); ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_terminate(helper); ++ return 1; ++} ++ + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + const BIGNUM *rp, EC_KEY *ec) +@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + u_char *blob = NULL, *signature = NULL; + size_t blen, slen = 0; + int r, nid; ++ struct helper *helper; + ++ if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1) ++ fatal_f("no helper for PKCS11 key"); ++ debug3_f("signing with PKCS11 provider %s", helper->path); + nid = sshkey_ecdsa_key_to_nid(ec); + if (nid < 0) { + error_f("couldn't get curve nid"); +@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 || + (r = sshbuf_put_u32(msg, 0)) != 0) + fatal_fr(r, "compose"); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { ++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { + if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) + fatal_fr(r, "parse"); + cp = signature; +@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + sshbuf_free(msg); + return (ret); + } +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + +-static RSA_METHOD *helper_rsa; +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +-static EC_KEY_METHOD *helper_ecdsa; +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ ++static void ++ecdsa_do_finish(EC_KEY *ec) ++{ ++ struct helper *helper; ++ ++ if ((helper = helper_by_ec(ec)) == NULL) ++ fatal_f("no helper for PKCS11 key"); ++ debug3_f("free PKCS11 ECDSA key for provider %s", helper->path); ++ if (helper->ec_finish != NULL) ++ helper->ec_finish(ec); ++ if (helper->nec == 0) ++ fatal_f("ECDSA refcount error"); ++ helper->nec--; ++ debug3_f("provider %s remaining keys: %zu RSA %zu ECDSA", ++ helper->path, helper->nrsa, helper->nec); ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_terminate(helper); ++} + + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void +-wrap_key(struct sshkey *k) ++wrap_key(struct helper *helper, struct sshkey *k) + { +- if (k->type == KEY_RSA) +- RSA_set_method(k->rsa, helper_rsa); +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +- else if (k->type == KEY_ECDSA) +- EC_KEY_set_method(k->ecdsa, helper_ecdsa); +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +- else ++ debug3_f("wrap %s for provider %s", sshkey_type(k), helper->path); ++ if (k->type == KEY_RSA) { ++ RSA_set_method(k->rsa, helper->rsa_meth); ++ if (helper->nrsa++ >= INT_MAX) ++ fatal_f("RSA refcount error"); ++ } else if (k->type == KEY_ECDSA) { ++ EC_KEY_set_method(k->ecdsa, helper->ec_meth); ++ if (helper->nec++ >= INT_MAX) ++ fatal_f("EC refcount error"); ++ } else + fatal_f("unknown key type"); ++ k->flags |= SSHKEY_FLAG_EXT; ++ debug3_f("provider %s remaining keys: %zu RSA %zu ECDSA", ++ helper->path, helper->nrsa, helper->nec); + } + + static int +-pkcs11_start_helper_methods(void) ++pkcs11_start_helper_methods(struct helper *helper) + { +- if (helper_rsa != NULL) +- return (0); +- +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +- int (*orig_sign)(int, const unsigned char *, int, unsigned char *, ++ int (*ec_init)(EC_KEY *key); ++ int (*ec_copy)(EC_KEY *dest, const EC_KEY *src); ++ int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp); ++ int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key); ++ int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key); ++ int (*ec_sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; +- if (helper_ecdsa != NULL) +- return (0); +- helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); +- if (helper_ecdsa == NULL) +- return (-1); +- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); +- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +- +- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) ++ RSA_METHOD *rsa_meth; ++ EC_KEY_METHOD *ec_meth; ++ ++ if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL) ++ return -1; ++ EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL); ++ EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign); ++ EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish, ++ &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public); ++ EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish, ++ ec_copy, ec_set_group, ec_set_private, ec_set_public); ++ ++ if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL) + fatal_f("RSA_meth_dup failed"); +- if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") || +- !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt)) ++ helper->rsa_finish = RSA_meth_get_finish(rsa_meth); ++ if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") || ++ !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) || ++ !RSA_meth_set_finish(rsa_meth, rsa_finish)) + fatal_f("failed to prepare method"); + +- return (0); ++ helper->ec_meth = ec_meth; ++ helper->rsa_meth = rsa_meth; ++ return 0; + } + +-static int +-pkcs11_start_helper(void) ++static struct helper * ++pkcs11_start_helper(const char *path) + { + int pair[2]; +- char *helper, *verbosity = NULL; +- +- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) +- verbosity = "-vvv"; +- +- if (pkcs11_start_helper_methods() == -1) { +- error("pkcs11_start_helper_methods failed"); +- return (-1); +- } ++ char *prog, *verbosity = NULL; ++ struct helper *helper; ++ pid_t pid; + ++ if (nhelpers >= INT_MAX) ++ fatal_f("too many helpers"); ++ debug3_f("start helper for %s", path); + if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) { +- error("socketpair: %s", strerror(errno)); +- return (-1); ++ error_f("socketpair: %s", strerror(errno)); ++ return NULL; ++ } ++ helper = xcalloc(1, sizeof(*helper)); ++ if (pkcs11_start_helper_methods(helper) == -1) { ++ error_f("pkcs11_start_helper_methods failed"); ++ goto fail; + } + if ((pid = fork()) == -1) { +- error("fork: %s", strerror(errno)); +- return (-1); ++ error_f("fork: %s", strerror(errno)); ++ fail: ++ close(pair[0]); ++ close(pair[1]); ++ RSA_meth_free(helper->rsa_meth); ++ EC_KEY_METHOD_free(helper->ec_meth); ++ free(helper); ++ return NULL; + } else if (pid == 0) { + if ((dup2(pair[1], STDIN_FILENO) == -1) || + (dup2(pair[1], STDOUT_FILENO) == -1)) { +@@ -297,18 +485,27 @@ pkcs11_start_helper(void) + } + close(pair[0]); + close(pair[1]); +- helper = getenv("SSH_PKCS11_HELPER"); +- if (helper == NULL || strlen(helper) == 0) +- helper = _PATH_SSH_PKCS11_HELPER; +- debug_f("starting %s %s", helper, ++ prog = getenv("SSH_PKCS11_HELPER"); ++ if (prog == NULL || strlen(prog) == 0) ++ prog = _PATH_SSH_PKCS11_HELPER; ++ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) ++ verbosity = "-vvv"; ++ debug_f("starting %s %s", prog, + verbosity == NULL ? "" : verbosity); +- execlp(helper, helper, verbosity, (char *)NULL); +- fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno)); ++ execlp(prog, prog, verbosity, (char *)NULL); ++ fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno)); + _exit(1); + } + close(pair[1]); +- fd = pair[0]; +- return (0); ++ helper->fd = pair[0]; ++ helper->path = xstrdup(path); ++ helper->pid = pid; ++ debug3_f("helper %zu for \"%s\" on fd %d pid %ld", nhelpers, ++ helper->path, helper->fd, (long)helper->pid); ++ helpers = xrecallocarray(helpers, nhelpers, ++ nhelpers + 1, sizeof(*helpers)); ++ helpers[nhelpers++] = helper; ++ return helper; + } + + int +@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + size_t blen; + u_int nkeys, i; + struct sshbuf *msg; ++ struct helper *helper; + +- if (fd < 0 && pkcs11_start_helper() < 0) +- return (-1); ++ if ((helper = helper_by_provider(name)) == NULL && ++ (helper = pkcs11_start_helper(name)) == NULL) ++ return -1; + + if ((msg = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); +@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + (r = sshbuf_put_cstring(msg, name)) != 0 || + (r = sshbuf_put_cstring(msg, pin)) != 0) + fatal_fr(r, "compose"); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- type = recv_msg(msg); ++ type = recv_msg(helper->fd, msg); + if (type == SSH2_AGENT_IDENTITIES_ANSWER) { + if ((r = sshbuf_get_u32(msg, &nkeys)) != 0) + fatal_fr(r, "parse nkeys"); +@@ -349,7 +548,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + fatal_fr(r, "parse key"); + if ((r = sshkey_from_blob(blob, blen, &k)) != 0) + fatal_fr(r, "decode key"); +- wrap_key(k); ++ wrap_key(helper, k); + (*keysp)[i] = k; + if (labelsp) + (*labelsp)[i] = label; +@@ -370,22 +569,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + int + pkcs11_del_provider(char *name) + { +- int r, ret = -1; +- struct sshbuf *msg; +- +- if ((msg = sshbuf_new()) == NULL) +- fatal_f("sshbuf_new failed"); +- if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 || +- (r = sshbuf_put_cstring(msg, name)) != 0 || +- (r = sshbuf_put_cstring(msg, "")) != 0) +- fatal_fr(r, "compose"); +- send_msg(msg); +- sshbuf_reset(msg); +- +- if (recv_msg(msg) == SSH_AGENT_SUCCESS) +- ret = 0; +- sshbuf_free(msg); +- return (ret); ++ struct helper *helper; ++ ++ /* ++ * ssh-agent deletes keys before calling this, so the helper entry ++ * should be gone before we get here. ++ */ ++ debug3_f("delete %s", name); ++ if ((helper = helper_by_provider(name)) != NULL) ++ helper_terminate(helper); ++ return 0; + } +- + #endif /* ENABLE_PKCS11 */ +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0002.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0002.patch new file mode 100644 index 0000000000..81f4cc5fba --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0002.patch @@ -0,0 +1,173 @@ +From 29ef8a04866ca14688d5b7fed7b8b9deab851f77 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 14:02:27 +0000 +Subject: [PATCH 2/4] upstream: Ensure FIDO/PKCS11 libraries contain expected + symbols + +This checks via nlist(3) that candidate provider libraries contain one +of the symbols that we will require prior to dlopen(), which can cause +a number of side effects, including execution of constructors. + +Feedback deraadt; ok markus + +OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77] + +CVE: CVE-2023-38408 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + misc.h | 1 + + ssh-pkcs11.c | 4 +++ + ssh-sk.c | 6 ++-- + 4 files changed, 86 insertions(+), 2 deletions(-) + +diff --git a/misc.c b/misc.c +index 417498d..d0270e7 100644 +--- a/misc.c ++++ b/misc.c +@@ -22,6 +22,7 @@ + + #include <sys/types.h> + #include <sys/ioctl.h> ++#include <sys/mman.h> + #include <sys/socket.h> + #include <sys/stat.h> + #include <sys/time.h> +@@ -35,6 +36,9 @@ + #ifdef HAVE_POLL_H + #include <poll.h> + #endif ++#ifdef HAVE_NLIST_H ++#include <nlist.h> ++#endif + #include <signal.h> + #include <stdarg.h> + #include <stdio.h> +@@ -2784,3 +2788,76 @@ lookup_env_in_list(const char *env, char * const *envs, size_t nenvs) + } + return NULL; + } ++ ++ ++/* ++ * Returns zero if the library at 'path' contains symbol 's', nonzero ++ * otherwise. ++ */ ++int ++lib_contains_symbol(const char *path, const char *s) ++{ ++#ifdef HAVE_NLIST_H ++ struct nlist nl[2]; ++ int ret = -1, r; ++ ++ memset(nl, 0, sizeof(nl)); ++ nl[0].n_name = xstrdup(s); ++ nl[1].n_name = NULL; ++ if ((r = nlist(path, nl)) == -1) { ++ error_f("nlist failed for %s", path); ++ goto out; ++ } ++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) { ++ error_f("library %s does not contain symbol %s", path, s); ++ goto out; ++ } ++ /* success */ ++ ret = 0; ++ out: ++ free(nl[0].n_name); ++ return ret; ++#else /* HAVE_NLIST_H */ ++ int fd, ret = -1; ++ struct stat st; ++ void *m = NULL; ++ size_t sz = 0; ++ ++ memset(&st, 0, sizeof(st)); ++ if ((fd = open(path, O_RDONLY)) < 0) { ++ error_f("open %s: %s", path, strerror(errno)); ++ return -1; ++ } ++ if (fstat(fd, &st) != 0) { ++ error_f("fstat %s: %s", path, strerror(errno)); ++ goto out; ++ } ++ if (!S_ISREG(st.st_mode)) { ++ error_f("%s is not a regular file", path); ++ goto out; ++ } ++ if (st.st_size < 0 || ++ (size_t)st.st_size < strlen(s) || ++ st.st_size >= INT_MAX/2) { ++ error_f("%s bad size %lld", path, (long long)st.st_size); ++ goto out; ++ } ++ sz = (size_t)st.st_size; ++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED || ++ m == NULL) { ++ error_f("mmap %s: %s", path, strerror(errno)); ++ goto out; ++ } ++ if (memmem(m, sz, s, strlen(s)) == NULL) { ++ error_f("%s does not contain expected string %s", path, s); ++ goto out; ++ } ++ /* success */ ++ ret = 0; ++ out: ++ if (m != NULL && m != MAP_FAILED) ++ munmap(m, sz); ++ close(fd); ++ return ret; ++#endif /* HAVE_NLIST_H */ ++} +diff --git a/misc.h b/misc.h +index 2e1b5fe..3f48315 100644 +--- a/misc.h ++++ b/misc.h +@@ -96,6 +96,7 @@ int parse_absolute_time(const char *, uint64_t *); + void format_absolute_time(uint64_t, char *, size_t); + int path_absolute(const char *); + int stdfd_devnull(int, int, int); ++int lib_contains_symbol(const char *, const char *); + + void sock_set_v6only(int); + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index b2e2b32..5eb28e9 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1532,6 +1532,10 @@ pkcs11_register_provider(char *provider_id, char *pin, + debug_f("provider already registered: %s", provider_id); + goto fail; + } ++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) { ++ error("provider %s is not a PKCS11 library", provider_id); ++ goto fail; ++ } + /* open shared pkcs11-library */ + if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) { + error("dlopen %s failed: %s", provider_id, dlerror()); +diff --git a/ssh-sk.c b/ssh-sk.c +index a1ff5cc..1042bf6 100644 +--- a/ssh-sk.c ++++ b/ssh-sk.c +@@ -132,10 +132,12 @@ sshsk_open(const char *path) + #endif + return ret; + } +- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { +- error("Provider \"%s\" dlopen failed: %s", path, dlerror()); ++ if (lib_contains_symbol(path, "sk_api_version") != 0) { ++ error("provider %s is not an OpenSSH FIDO library", path); + goto fail; + } ++ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) ++ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror()); + if ((ret->sk_api_version = dlsym(ret->dlhandle, + "sk_api_version")) == NULL) { + error("Provider \"%s\" dlsym(sk_api_version) failed: %s", +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0003.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0003.patch new file mode 100644 index 0000000000..f226f12edc --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0003.patch @@ -0,0 +1,36 @@ +From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 13:55:53 +0000 +Subject: [PATCH 3/4] upstream: terminate process if requested to load a + PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@ + +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc] + +CVE: CVE-2023-38408 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + ssh-pkcs11.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 5eb28e9..0aef379 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1541,10 +1541,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_id, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + p = xcalloc(1, sizeof(*p)); + p->name = xstrdup(provider_id); + p->handle = handle; +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0004.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0004.patch new file mode 100644 index 0000000000..1ff8505938 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0004.patch @@ -0,0 +1,114 @@ +From 1f2731f5d7a8f8a8385c6031667ed29072c0d92a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 13:56:33 +0000 +Subject: [PATCH 4/4] upstream: Disallow remote addition of FIDO/PKCS11 + provider libraries to ssh-agent by default. + +The old behaviour of allowing remote clients from loading providers +can be restored using `ssh-agent -O allow-remote-pkcs11`. + +Detection of local/remote clients requires a ssh(1) that supports +the `session-bind@openssh.com` extension. Forwarding access to a +ssh-agent socket using non-OpenSSH tools may circumvent this control. + +ok markus@ + +OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a] + +CVE: CVE-2023-38408 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + ssh-agent.1 | 21 +++++++++++++++++++++ + ssh-agent.c | 21 ++++++++++++++++++++- + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/ssh-agent.1 b/ssh-agent.1 +index ed8c870..15d0a47 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -102,6 +102,27 @@ The default is + Kill the current agent (given by the + .Ev SSH_AGENT_PID + environment variable). ++Currently two options are supported: ++.Cm allow-remote-pkcs11 ++and ++.Cm no-restrict-websafe . ++.Pp ++The ++.Cm allow-remote-pkcs11 ++option allows clients of a forwarded ++.Nm ++to load PKCS#11 or FIDO provider libraries. ++By default only local clients may perform this operation. ++Note that signalling that a ++.Nm ++client remote is performed by ++.Xr ssh 1 , ++and use of other tools to forward access to the agent socket may circumvent ++this restriction. ++.Pp ++The ++.Cm no-restrict-websafe , ++instructs + .It Fl P Ar allowed_providers + Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO + authenticator middleware shared libraries that may be used with the +diff --git a/ssh-agent.c b/ssh-agent.c +index 03ae2b0..19eeaae 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -171,6 +171,12 @@ char socket_dir[PATH_MAX]; + /* Pattern-list of allowed PKCS#11/Security key paths */ + static char *allowed_providers; + ++/* ++ * Allows PKCS11 providers or SK keys that use non-internal providers to ++ * be added over a remote connection (identified by session-bind@openssh.com). ++ */ ++static int remote_add_provider; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -1239,6 +1245,12 @@ process_add_identity(SocketEntry *e) + if (strcasecmp(sk_provider, "internal") == 0) { + debug_f("internal provider"); + } else { ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed add of SK provider \"%.100s\": " ++ "remote addition of providers is disabled", ++ sk_provider); ++ goto out; ++ } + if (realpath(sk_provider, canonical_provider) == NULL) { + verbose("failed provider \"%.100s\": " + "realpath: %s", sk_provider, +@@ -1402,6 +1414,11 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " ++ "providers is disabled", provider); ++ goto send; ++ } + if (realpath(provider, canonical_provider) == NULL) { + verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", + provider, strerror(errno)); +@@ -2061,7 +2078,9 @@ main(int ac, char **av) + break; + case 'O': + if (strcmp(optarg, "no-restrict-websafe") == 0) +- restrict_websafe = 0; ++ restrict_websafe = 0; ++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) ++ remote_add_provider = 1; + else + fatal("Unknown -O option"); + break; +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch new file mode 100644 index 0000000000..6b2f927779 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch @@ -0,0 +1,476 @@ +(modified to not remove ssh_packet_read_expect() and to add to +KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates +kex_proposal_populate_entries()) + +Backport of: + +From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:45:17 +0000 +Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd + +This adds a protocol extension to improve the integrity of the SSH +transport protocol, particular in and around the initial key exchange +(KEX) phase. + +Full details of the extension are in the PROTOCOL file. + +with markus@ + +OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5] +CVE: CVE-2023-48795 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + PROTOCOL | 26 +++++++++++++++++ + kex.c | 72 +++++++++++++++++++++++++++++++---------------- + kex.h | 1 + + packet.c | 78 ++++++++++++++++++++++++++++++++++++++------------- + sshconnect2.c | 14 +++------ + sshd.c | 7 +++-- + 6 files changed, 142 insertions(+), 56 deletions(-) + +diff --git a/PROTOCOL b/PROTOCOL +index e6a7d60..971f01e 100644 +--- a/PROTOCOL ++++ b/PROTOCOL +@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as + described at: + http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 + ++1.9 transport: strict key exchange extension ++ ++OpenSSH supports a number of transport-layer hardening measures under ++a "strict KEX" feature. This feature is signalled similarly to the ++RFC8308 ext-info feature: by including a additional algorithm in the ++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append ++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server ++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms ++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored ++if they are present in subsequent SSH2_MSG_KEXINIT packets. ++ ++When an endpoint that supports this extension observes this algorithm ++name in a peer's KEXINIT packet, it MUST make the following changes to ++the the protocol: ++ ++a) During initial KEX, terminate the connection if any unexpected or ++ out-of-sequence packet is received. This includes terminating the ++ connection if the first packet received is not SSH2_MSG_KEXINIT. ++ Unexpected packets for the purpose of strict KEX include messages ++ that are otherwise valid at any time during the connection such as ++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE. ++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the ++ packet sequence number to zero. This behaviour persists for the ++ duration of the connection (i.e. not just the first ++ SSH2_MSG_NEWKEYS). ++ + 2. Connection protocol changes + + 2.1. connection: Channel write close extension "eow@openssh.com" +diff --git a/kex.c b/kex.c +index 0bcd27d..e7b2d4d 100644 +--- a/kex.c ++++ b/kex.c +@@ -63,7 +63,7 @@ + #include "digest.h" + + /* prototype */ +-static int kex_choose_conf(struct ssh *); ++static int kex_choose_conf(struct ssh *, uint32_t seq); + static int kex_input_newkeys(int, u_int32_t, struct ssh *); + + static const char * const proposal_names[PROPOSAL_MAX] = { +@@ -175,6 +175,18 @@ kex_names_valid(const char *names) + return 1; + } + ++/* returns non-zero if proposal contains any algorithm from algs */ ++static int ++has_any_alg(const char *proposal, const char *algs) ++{ ++ char *cp; ++ ++ if ((cp = match_list(proposal, algs, NULL)) == NULL) ++ return 0; ++ free(cp); ++ return 1; ++} ++ + /* + * Concatenate algorithm names, avoiding duplicates in the process. + * Caller must free returned string. +@@ -182,7 +194,7 @@ kex_names_valid(const char *names) + char * + kex_names_cat(const char *a, const char *b) + { +- char *ret = NULL, *tmp = NULL, *cp, *p, *m; ++ char *ret = NULL, *tmp = NULL, *cp, *p; + size_t len; + + if (a == NULL || *a == '\0') +@@ -199,10 +211,8 @@ kex_names_cat(const char *a, const char *b) + } + strlcpy(ret, a, len); + for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { +- if ((m = match_list(ret, p, NULL)) != NULL) { +- free(m); ++ if (has_any_alg(ret, p)) + continue; /* Algorithm already present */ +- } + if (strlcat(ret, ",", len) >= len || + strlcat(ret, p, len) >= len) { + free(tmp); +@@ -410,7 +420,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) + { + int r; + +- error("kex protocol error: type %d seq %u", type, seq); ++ /* If in strict mode, any unexpected message is an error */ ++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { ++ ssh_packet_disconnect(ssh, "strict KEX violation: " ++ "unexpected packet type %u (seqnr %u)", type, seq); ++ } ++ error_f("type %u seq %u", type, seq); + if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || + (r = sshpkt_put_u32(ssh, seq)) != 0 || + (r = sshpkt_send(ssh)) != 0) +@@ -485,6 +500,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); + if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) + return r; ++ if (ninfo >= 1024) { ++ error("SSH2_MSG_EXT_INFO with too many entries, expected " ++ "<=1024, received %u", ninfo); ++ return dispatch_protocol_error(type, seq, ssh); ++ } + for (i = 0; i < ninfo; i++) { + if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) + return r; +@@ -600,7 +620,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + error_f("no kex"); + return SSH_ERR_INTERNAL_ERROR; + } +- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +@@ -636,7 +656,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + if (!(kex->flags & KEX_INIT_SENT)) + if ((r = kex_send_kexinit(ssh)) != 0) + return r; +- if ((r = kex_choose_conf(ssh)) != 0) ++ if ((r = kex_choose_conf(ssh, seq)) != 0) + return r; + + if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) +@@ -900,20 +920,14 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) + return (1); + } + +-/* returns non-zero if proposal contains any algorithm from algs */ + static int +-has_any_alg(const char *proposal, const char *algs) ++kexalgs_contains(char **peer, const char *ext) + { +- char *cp; +- +- if ((cp = match_list(proposal, algs, NULL)) == NULL) +- return 0; +- free(cp); +- return 1; ++ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext); + } + + static int +-kex_choose_conf(struct ssh *ssh) ++kex_choose_conf(struct ssh *ssh, uint32_t seq) + { + struct kex *kex = ssh->kex; + struct newkeys *newkeys; +@@ -938,13 +952,23 @@ kex_choose_conf(struct ssh *ssh) + sprop=peer; + } + +- /* Check whether client supports ext_info_c */ +- if (kex->server && (kex->flags & KEX_INITIAL)) { +- char *ext; +- +- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); +- kex->ext_info_c = (ext != NULL); +- free(ext); ++ /* Check whether peer supports ext_info/kex_strict */ ++ if ((kex->flags & KEX_INITIAL) != 0) { ++ if (kex->server) { ++ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c"); ++ kex->kex_strict = kexalgs_contains(peer, ++ "kex-strict-c-v00@openssh.com"); ++ } else { ++ kex->kex_strict = kexalgs_contains(peer, ++ "kex-strict-s-v00@openssh.com"); ++ } ++ if (kex->kex_strict) { ++ debug3_f("will use strict KEX ordering"); ++ if (seq != 0) ++ ssh_packet_disconnect(ssh, ++ "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ } + } + + /* Check whether client supports rsa-sha2 algorithms */ +diff --git a/kex.h b/kex.h +index c353295..d97323e 100644 +--- a/kex.h ++++ b/kex.h +@@ -148,6 +148,7 @@ struct kex { + u_int kex_type; + char *server_sig_algs; + int ext_info_c; ++ int kex_strict; + struct sshbuf *my; + struct sshbuf *peer; + struct sshbuf *client_version; +diff --git a/packet.c b/packet.c +index bde6c10..28f3729 100644 +--- a/packet.c ++++ b/packet.c +@@ -1205,8 +1205,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh) + sshbuf_dump(state->output, stderr); + #endif + /* increment sequence number for outgoing packets */ +- if (++state->p_send.seqnr == 0) ++ if (++state->p_send.seqnr == 0) { ++ if ((ssh->kex->flags & KEX_INITIAL) != 0) { ++ ssh_packet_disconnect(ssh, "outgoing sequence number " ++ "wrapped during initial key exchange"); ++ } + logit("outgoing seqnr wraps around"); ++ } + if (++state->p_send.packets == 0) + if (!(ssh->compat & SSH_BUG_NOREKEY)) + return SSH_ERR_NEED_REKEY; +@@ -1214,6 +1219,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh) + state->p_send.bytes += len; + sshbuf_reset(state->outgoing_packet); + ++ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { ++ debug_f("resetting send seqnr %u", state->p_send.seqnr); ++ state->p_send.seqnr = 0; ++ } ++ + if (type == SSH2_MSG_NEWKEYS) + r = ssh_set_newkeys(ssh, MODE_OUT); + else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) +@@ -1342,8 +1352,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + /* Stay in the loop until we have received a complete packet. */ + for (;;) { + /* Try to read a packet from the buffer. */ +- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); +- if (r != 0) ++ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) + break; + /* If we got a packet, return it. */ + if (*typep != SSH_MSG_NONE) +@@ -1627,10 +1636,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) + goto out; + } ++ + if (seqnr_p != NULL) + *seqnr_p = state->p_read.seqnr; +- if (++state->p_read.seqnr == 0) ++ if (++state->p_read.seqnr == 0) { ++ if ((ssh->kex->flags & KEX_INITIAL) != 0) { ++ ssh_packet_disconnect(ssh, "incoming sequence number " ++ "wrapped during initial key exchange"); ++ } + logit("incoming seqnr wraps around"); ++ } + if (++state->p_read.packets == 0) + if (!(ssh->compat & SSH_BUG_NOREKEY)) + return SSH_ERR_NEED_REKEY; +@@ -1696,6 +1711,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + #endif + /* reset for next packet */ + state->packlen = 0; ++ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { ++ debug_f("resetting read seqnr %u", state->p_read.seqnr); ++ state->p_read.seqnr = 0; ++ } + + if ((r = ssh_packet_check_rekey(ssh)) != 0) + return r; +@@ -1716,10 +1735,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + r = ssh_packet_read_poll2(ssh, typep, seqnr_p); + if (r != 0) + return r; +- if (*typep) { +- state->keep_alive_timeouts = 0; +- DBG(debug("received packet type %d", *typep)); ++ if (*typep == 0) { ++ /* no message ready */ ++ return 0; ++ } ++ state->keep_alive_timeouts = 0; ++ DBG(debug("received packet type %d", *typep)); ++ ++ /* Always process disconnect messages */ ++ if (*typep == SSH2_MSG_DISCONNECT) { ++ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || ++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) ++ return r; ++ /* Ignore normal client exit notifications */ ++ do_log2(ssh->state->server_side && ++ reason == SSH2_DISCONNECT_BY_APPLICATION ? ++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, ++ "Received disconnect from %s port %d:" ++ "%u: %.400s", ssh_remote_ipaddr(ssh), ++ ssh_remote_port(ssh), reason, msg); ++ free(msg); ++ return SSH_ERR_DISCONNECTED; + } ++ ++ /* ++ * Do not implicitly handle any messages here during initial ++ * KEX when in strict mode. They will be need to be allowed ++ * explicitly by the KEX dispatch table or they will generate ++ * protocol errors. ++ */ ++ if (ssh->kex != NULL && ++ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) ++ return 0; ++ /* Implicitly handle transport-level messages */ + switch (*typep) { + case SSH2_MSG_IGNORE: + debug3("Received SSH2_MSG_IGNORE"); +@@ -1734,19 +1782,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + debug("Remote: %.900s", msg); + free(msg); + break; +- case SSH2_MSG_DISCONNECT: +- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || +- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) +- return r; +- /* Ignore normal client exit notifications */ +- do_log2(ssh->state->server_side && +- reason == SSH2_DISCONNECT_BY_APPLICATION ? +- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, +- "Received disconnect from %s port %d:" +- "%u: %.400s", ssh_remote_ipaddr(ssh), +- ssh_remote_port(ssh), reason, msg); +- free(msg); +- return SSH_ERR_DISCONNECTED; + case SSH2_MSG_UNIMPLEMENTED: + if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) + return r; +@@ -2211,6 +2246,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex) + (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || + (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || + (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || ++ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || + (r = sshbuf_put_stringb(m, kex->my)) != 0 || + (r = sshbuf_put_stringb(m, kex->peer)) != 0 || + (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || +@@ -2373,6 +2409,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) + (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || + (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || + (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || ++ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || + (r = sshbuf_get_stringb(m, kex->my)) != 0 || + (r = sshbuf_get_stringb(m, kex->peer)) != 0 || + (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || +@@ -2701,6 +2738,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + ++ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf); + if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || + (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || + (r = sshpkt_put_cstring(ssh, buf)) != 0 || +diff --git a/sshconnect2.c b/sshconnect2.c +index b25225e..83ae4a4 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -241,7 +241,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + fatal_fr(r, "kex_assemble_namelist"); + free(all_key); + +- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) ++ if ((s = kex_names_cat(options.kex_algorithms, ++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +@@ -363,7 +364,6 @@ struct cauthmethod { + }; + + static int input_userauth_service_accept(int, u_int32_t, struct ssh *); +-static int input_userauth_ext_info(int, u_int32_t, struct ssh *); + static int input_userauth_success(int, u_int32_t, struct ssh *); + static int input_userauth_failure(int, u_int32_t, struct ssh *); + static int input_userauth_banner(int, u_int32_t, struct ssh *); +@@ -477,7 +477,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + + ssh->authctxt = &authctxt; + ssh_dispatch_init(ssh, &input_userauth_error); +- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info); ++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info); + ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); + ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */ + pubkey_cleanup(ssh); +@@ -529,13 +529,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) + return r; + } + +-/* ARGSUSED */ +-static int +-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) +-{ +- return kex_input_ext_info(type, seqnr, ssh); +-} +- + void + userauth(struct ssh *ssh, char *authlist) + { +@@ -617,6 +610,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) + free(authctxt->methoddata); + authctxt->methoddata = NULL; + authctxt->success = 1; /* break out */ ++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error); + return 0; + } + +diff --git a/sshd.c b/sshd.c +index ef18ba4..652bdc3 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2354,11 +2354,13 @@ static void + do_ssh2_kex(struct ssh *ssh) + { + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; ++ char *s; + struct kex *kex; + int r; + +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, +- options.kex_algorithms); ++ if ((s = kex_names_cat(options.kex_algorithms, "kex-strict-s-v00@openssh.com")) == NULL) ++ fatal_f("kex_names_cat"); ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh, + options.ciphers); + myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh, +@@ -2411,6 +2413,7 @@ do_ssh2_kex(struct ssh *ssh) + (r = ssh_packet_write_wait(ssh)) != 0) + fatal_fr(r, "send test"); + #endif ++ free(s); + debug("KEX done"); + } + +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch new file mode 100644 index 0000000000..ead3256915 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch @@ -0,0 +1,171 @@ +From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:46:12 +0000 +Subject: [PATCH] upstream: apply destination constraints to all p11 keys + +Previously applied only to the first key returned from each token. + +ok markus@ + +OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d + +CVE: CVE-2023-51384 + +Upstream-Status: Backport +https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + ssh-agent.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 98 insertions(+), 4 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 19eeaae..4dbb4f3 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -249,6 +249,90 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs) + free(dcs); + } + ++static void ++dup_dest_constraint_hop(const struct dest_constraint_hop *dch, ++ struct dest_constraint_hop *out) ++{ ++ u_int i; ++ int r; ++ ++ out->user = dch->user == NULL ? NULL : xstrdup(dch->user); ++ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); ++ out->is_ca = dch->is_ca; ++ out->nkeys = dch->nkeys; ++ out->keys = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->keys)); ++ out->key_is_ca = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->key_is_ca)); ++ for (i = 0; i < dch->nkeys; i++) { ++ if (dch->keys[i] != NULL && ++ (r = sshkey_from_private(dch->keys[i], ++ &(out->keys[i]))) != 0) ++ fatal_fr(r, "copy key"); ++ out->key_is_ca[i] = dch->key_is_ca[i]; ++ } ++} ++ ++static struct dest_constraint * ++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) ++{ ++ size_t i; ++ struct dest_constraint *ret; ++ ++ if (ndcs == 0) ++ return NULL; ++ ret = xcalloc(ndcs, sizeof(*ret)); ++ for (i = 0; i < ndcs; i++) { ++ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from); ++ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to); ++ } ++ return ret; ++} ++ ++#ifdef DEBUG_CONSTRAINTS ++static void ++dump_dest_constraint_hop(const struct dest_constraint_hop *dch) ++{ ++ u_int i; ++ char *fp; ++ ++ debug_f("user %s hostname %s is_ca %d nkeys %u", ++ dch->user == NULL ? "(null)" : dch->user, ++ dch->hostname == NULL ? "(null)" : dch->hostname, ++ dch->is_ca, dch->nkeys); ++ for (i = 0; i < dch->nkeys; i++) { ++ fp = NULL; ++ if (dch->keys[i] != NULL && ++ (fp = sshkey_fingerprint(dch->keys[i], ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, ++ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]), ++ dch->keys[i] == NULL ? "" : " ", ++ dch->keys[i] == NULL ? "none" : fp, ++ dch->key_is_ca[i]); ++ free(fp); ++ } ++} ++#endif /* DEBUG_CONSTRAINTS */ ++ ++static void ++dump_dest_constraints(const char *context, ++ const struct dest_constraint *dcs, size_t ndcs) ++{ ++#ifdef DEBUG_CONSTRAINTS ++ size_t i; ++ ++ debug_f("%s: %zu constraints", context, ndcs); ++ for (i = 0; i < ndcs; i++) { ++ debug_f("constraint %zu / %zu: from: ", i, ndcs); ++ dump_dest_constraint_hop(&dcs[i].from); ++ debug_f("constraint %zu / %zu: to: ", i, ndcs); ++ dump_dest_constraint_hop(&dcs[i].to); ++ } ++ debug_f("done for %s", context); ++#endif /* DEBUG_CONSTRAINTS */ ++} + static void + free_identity(Identity *id) + { +@@ -520,13 +604,22 @@ process_request_identities(SocketEntry *e) + Identity *id; + struct sshbuf *msg, *keys; + int r; +- u_int nentries = 0; ++ u_int i = 0, nentries = 0; ++ char *fp; + + debug2_f("entering"); + + if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + TAILQ_FOREACH(id, &idtab->idlist, next) { ++ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u / %u: %s %s", i++, idtab->nentries, ++ sshkey_ssh_name(id->key), fp); ++ dump_dest_constraints(__func__, ++ id->dest_constraints, id->ndest_constraints); ++ free(fp); + /* identity not visible, don't include in response */ + if (identity_permitted(id, e, NULL, NULL, NULL) != 0) + continue; +@@ -1235,6 +1328,7 @@ process_add_identity(SocketEntry *e) + sshbuf_reset(e->request); + goto out; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + + if (sk_provider != NULL) { + if (!sshkey_is_sk(k)) { +@@ -1414,6 +1508,7 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + "providers is disabled", provider); +@@ -1449,10 +1544,9 @@ process_add_smartcard_key(SocketEntry *e) + } + id->death = death; + id->confirm = confirm; +- id->dest_constraints = dest_constraints; ++ id->dest_constraints = dup_dest_constraints( ++ dest_constraints, ndest_constraints); + id->ndest_constraints = ndest_constraints; +- dest_constraints = NULL; /* transferred */ +- ndest_constraints = 0; + TAILQ_INSERT_TAIL(&idtab->idlist, id, next); + idtab->nentries++; + success = 1; +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch new file mode 100644 index 0000000000..b8e6813857 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch @@ -0,0 +1,97 @@ +From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:47:44 +0000 +Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters + This makes ssh(1) refuse user or host names provided on the commandline that + contain most shell metacharacters. + +Some programs that invoke ssh(1) using untrusted data do not filter +metacharacters in arguments they supply. This could create +interactions with user-specified ProxyCommand and other directives +that allow shell injection attacks to occur. + +It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, +but getting this stuff right can be tricky, so this should prevent +most obvious ways of creating risky situations. It however is not +and cannot be perfect: ssh(1) has no practical way of interpreting +what shell quoting rules are in use and how they interact with the +user's specified ProxyCommand. + +To allow configurations that use strange user or hostnames to +continue to work, this strictness is applied only to names coming +from the commandline. Names specified using User or Hostname +directives in ssh_config(5) are not affected. + +feedback/ok millert@ markus@ dtucker@ deraadt@ + +OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 + +CVE: CVE-2023-51385 + +Upstream-Status: Backport +[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + ssh.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/ssh.c b/ssh.c +index 8ff9788..82ed15f 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -611,6 +611,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) + free(cinfo); + } + ++static int ++valid_hostname(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || ++ isspace((u_char)s[i]) || iscntrl((u_char)s[i])) ++ return 0; ++ } ++ return 1; ++} ++ ++static int ++valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\";&<>|(){}", s[i]) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)s[i]) && s[i + 1] == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (s[i] == '\\' && s[i + 1] == '\0') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Main program for the ssh client. + */ +@@ -1097,6 +1132,10 @@ main(int ac, char **av) + if (!host) + usage(); + ++ if (!valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ if (options.user != NULL && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); + host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +-- +2.40.0 diff --git a/meta/recipes-connectivity/openssh/openssh/fix-authorized-principals-command.patch b/meta/recipes-connectivity/openssh/openssh/fix-authorized-principals-command.patch new file mode 100644 index 0000000000..3790774f15 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/fix-authorized-principals-command.patch @@ -0,0 +1,30 @@ +From fcd78e31cdd45a7e69ccfe6d8a3b1037dc1de290 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 24 May 2023 23:01:06 +0000 +Subject: [PATCH] upstream: fix AuthorizedPrincipalsCommand when + AuthorizedKeysCommand +Description: Fix the wrong code as the Subject suggests + I added that description to mention, that the file header change was + incompatible with the proposed code below and failed to apply, + therefore I dropped that chunk of the code. +Origin: backport, https://github.com/openssh/openssh-portable/commit/fcd78e31cdd45a7e69ccfe6d8a3b1037dc1de290 +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3574 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2031942 +Last-Update: 2023-09-01 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/fix-authorized-principals-command.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/openssh/openssh-portable/commit/fcd78e31cdd45a7e69ccfe6d8a3b1037dc1de290] +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/servconf.c ++++ b/servconf.c +@@ -2372,7 +2372,7 @@ process_server_config_line_depth(ServerO + fatal("%.200s line %d: %s must be an absolute path", + filename, linenum, keyword); + } +- if (*activep && options->authorized_keys_command == NULL) ++ if (*activep && *charptr == NULL) + *charptr = xstrdup(str + len); + argv_consume(&ac); + break; diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest index 8a9b770d59..9a406e9b65 100755 --- a/meta/recipes-connectivity/openssh/openssh/run-ptest +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest @@ -5,7 +5,7 @@ export SKIP_UNIT=1 cd regress sed -i "/\t\tagent-ptrace /d" Makefile -make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ +make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \ | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' SSHAGENT=`which ssh-agent` diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index a3a0016ce5..6411a64eff 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb @@ -26,6 +26,16 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://add-test-support-for-busybox.patch \ file://f107467179428a0e3ea9e4aa9738ac12ff02822d.patch \ file://0001-Default-to-not-using-sandbox-when-cross-compiling.patch \ + file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \ + file://0001-upstream-include-destination-constraints-for-smartca.patch \ + file://CVE-2023-38408-0001.patch \ + file://CVE-2023-38408-0002.patch \ + file://CVE-2023-38408-0003.patch \ + file://CVE-2023-38408-0004.patch \ + file://fix-authorized-principals-command.patch \ + file://CVE-2023-48795.patch \ + file://CVE-2023-51384.patch \ + file://CVE-2023-51385.patch \ " SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7" @@ -39,6 +49,11 @@ CVE_CHECK_IGNORE += "CVE-2014-9278" # CVE only applies to some distributed RHEL binaries CVE_CHECK_IGNORE += "CVE-2008-3844" +# Upstream does not consider CVE-2023-51767 a bug underlying in OpenSSH and +# does not intent to address it in OpenSSH +# https://security-tracker.debian.org/tracker/CVE-2023-51767 +CVE_CHECK_IGNORE += "CVE-2023-51767" + PAM_SRC_URI = "file://sshd" inherit manpages useradd update-rc.d update-alternatives systemd @@ -54,15 +69,12 @@ SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" inherit autotools-brokensep ptest -PACKAGECONFIG ??= "rng-tools" +PACKAGECONFIG ??= "" PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" -# Add RRECOMMENDS to rng-tools for sshd package -PACKAGECONFIG[rng-tools] = "" - EXTRA_AUTORECONF += "--exclude=aclocal" # login path is hardcoded in sshd @@ -160,19 +172,14 @@ FILES:${PN}-sftp-server = "${libexecdir}/sftp-server" FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" FILES:${PN}-keygen = "${bindir}/ssh-keygen" -RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" +RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RRECOMMENDS:${PN}-sshd:append:class-target = "\ - ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ -" - # break dependency on base package for -dev package # otherwise SDK fails to build as the main openssh and dropbear packages # conflict with each other RDEPENDS:${PN}-dev = "" - # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies -RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" +RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils" RPROVIDES:${PN}-ssh = "ssh" RPROVIDES:${PN}-sshd = "sshd" diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh index b9cc24a7ac..6f23490c87 100644 --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh @@ -1 +1,5 @@ export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf" +export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" +export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" +export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/" +export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3" diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 0b7abc3a11..af435472a5 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -22,7 +22,7 @@ Index: openssl-3.0.4/Configure } -if ($target =~ /linux.*-mips/ && !$disabled{asm} -- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { - # minimally required architecture flags for assembly modules - my $value; - $value = '-mips2' if ($target =~ /mips32/); diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch new file mode 100644 index 0000000000..8aea686205 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch @@ -0,0 +1,122 @@ +From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Tue, 5 Mar 2024 15:43:53 +0000 +Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 + +In TLSv1.3 we create a new session object for each ticket that we send. +We do this by duplicating the original session. If SSL_OP_NO_TICKET is in +use then the new session will be added to the session cache. However, if +early data is not in use (and therefore anti-replay protection is being +used), then multiple threads could be resuming from the same session +simultaneously. If this happens and a problem occurs on one of the threads, +then the original session object could be marked as not_resumable. When we +duplicate the session object this not_resumable status gets copied into the +new session object. The new session object is then added to the session +cache even though it is not_resumable. + +Subsequently, another bug means that the session_id_length is set to 0 for +sessions that are marked as not_resumable - even though that session is +still in the cache. Once this happens the session can never be removed from +the cache. When that object gets to be the session cache tail object the +cache never shrinks again and grows indefinitely. + +CVE-2024-2511 + +Reviewed-by: Neil Horman <nhorman@openssl.org> +Reviewed-by: Tomas Mraz <tomas@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/24044) + +(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce) + +CVE: CVE-2024-2511 +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + ssl/ssl_lib.c | 5 +++-- + ssl/ssl_sess.c | 28 ++++++++++++++++++++++------ + ssl/statem/statem_srvr.c | 5 ++--- + 3 files changed, 27 insertions(+), 11 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 2c8479eb5fc69..eed649c6fdee9 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode) + + /* + * If the session_id_length is 0, we are not supposed to cache it, and it +- * would be rather hard to do anyway :-) ++ * would be rather hard to do anyway :-). Also if the session has already ++ * been marked as not_resumable we should not cache it for later reuse. + */ +- if (s->session->session_id_length == 0) ++ if (s->session->session_id_length == 0 || s->session->not_resumable) + return; + + /* +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index d836b33ed0e81..75adbd9e52b40 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void) + return ss; + } + +-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) +-{ +- return ssl_session_dup(src, 1); +-} +- + /* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) + return NULL; + } + ++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) ++{ ++ return ssl_session_dup_intern(src, 1); ++} ++ ++/* ++ * Used internally when duplicating a session which might be already shared. ++ * We will have resumed the original session. Subsequently we might have marked ++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to ++ * resume from. ++ */ ++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++{ ++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); ++ ++ if (sess != NULL) ++ sess->not_resumable = 0; ++ ++ return sess; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) +diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c +index a9e67f9d32a77..6c942e6bcec29 100644 +--- a/ssl/statem/statem_srvr.c ++++ b/ssl/statem/statem_srvr.c +@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) + * so the following won't overwrite an ID that we're supposed + * to send back. + */ +- if (s->session->not_resumable || +- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) +- && !s->hit)) ++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) ++ && !s->hit) + s->session->session_id_length = 0; + + if (usetls13) { diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.4.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb index d9d17378d4..3b253ddde0 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.4.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb @@ -12,13 +12,14 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2024-2511.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "2831843e9a668a0ab478e7020ad63d2d65e51f72977472dc73efcefbafc0c00f" +SRC_URI[sha256sum] = "88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -77,7 +78,7 @@ do_configure () { esac target="$os-${HOST_ARCH}" case $target in - linux-arc) + linux-arc | linux-microblaze*) target=linux-latomic ;; linux-arm*) @@ -105,7 +106,7 @@ do_configure () { linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) target=linux64-mips64 ;; - linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) + linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) target=linux-generic32 ;; linux-powerpc) @@ -137,7 +138,9 @@ do_configure () { fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. - HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)" + test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!" + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } @@ -183,6 +186,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version =" do_install_ptest () { install -d ${D}${PTEST_PATH}/test install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test + install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test # Prune the build tree diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch new file mode 100644 index 0000000000..4325b1d6b0 --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch @@ -0,0 +1,48 @@ +From a75fb7b198eed50d769c80c36629f38346882cbf Mon Sep 17 00:00:00 2001 +From: Paul Mackerras <paulus@ozlabs.org> +Date: Thu, 4 Aug 2022 12:23:08 +1000 +Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer + +This fixes a potential vulnerability where data is written to spkt.buf +and rpkt.buf without a check on the array index. To fix this, we +check the array index (pkt->cnt) before storing the byte or +incrementing the count. This also means we no longer have a potential +signed integer overflow on the increment of pkt->cnt. + +Fortunately, pppdump is not used in the normal process of setting up a +PPP connection, is not installed setuid-root, and is not invoked +automatically in any scenario that I am aware of. + +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + pppdump/pppdump.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c +index 2b815fc9..b85a8627 100644 +--- a/pppdump/pppdump.c ++++ b/pppdump/pppdump.c +@@ -297,6 +297,10 @@ dumpppp(f) + printf("%s aborted packet:\n ", dir); + q = " "; + } ++ if (pkt->cnt >= sizeof(pkt->buf)) { ++ printf("%s over-long packet truncated:\n ", dir); ++ q = " "; ++ } + nb = pkt->cnt; + p = pkt->buf; + pkt->cnt = 0; +@@ -400,7 +404,8 @@ dumpppp(f) + c ^= 0x20; + pkt->esc = 0; + } +- pkt->buf[pkt->cnt++] = c; ++ if (pkt->cnt < sizeof(pkt->buf)) ++ pkt->buf[pkt->cnt++] = c; + break; + } + } diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb index 700ece61dc..7e3ae43b58 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb @@ -25,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ file://provider \ file://ppp@.service \ file://0001-ppp-fix-build-against-5.15-headers.patch \ + file://CVE-2022-4603.patch \ " SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d" diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch new file mode 100644 index 0000000000..ab32f26754 --- /dev/null +++ b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch @@ -0,0 +1,37 @@ +From 6bf2bb136a0b3961339369bc08e58b661fba0edb Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Thu, 17 Nov 2022 17:26:30 +0800 +Subject: [PATCH] avoid using -m option for readlink + +Use a more widely used option '-f' instead of '-m' here to +avoid dependency on coreutils. + +Looking at the git history of the resolvconf repo, the '-m' +is deliberately used. And it wants to depend on coreutils. +But in case of OE, the existence of /etc is ensured, and busybox +readlink provides '-f' option, so we can just use '-f'. In this +way, the coreutils dependency is not necessary any more. + +Upstream-Status: Inappropriate [OE Specific] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + etc/resolvconf/update.d/libc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/etc/resolvconf/update.d/libc b/etc/resolvconf/update.d/libc +index 1c4f6bc..f75d22c 100755 +--- a/etc/resolvconf/update.d/libc ++++ b/etc/resolvconf/update.d/libc +@@ -57,7 +57,7 @@ fi + report_warning() { echo "$0: Warning: $*" >&2 ; } + + resolv_conf_is_symlinked_to_dynamic_file() { +- [ -L ${ETC}/resolv.conf ] && [ "$(readlink -m ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ] ++ [ -L ${ETC}/resolv.conf ] && [ "$(readlink -f ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ] + } + + if ! resolv_conf_is_symlinked_to_dynamic_file ; then +-- +2.17.1 + diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb index 94fd2c1a70..3f1b75d07d 100644 --- a/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb +++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb @@ -9,10 +9,11 @@ LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b" AUTHOR = "Thomas Hood" HOMEPAGE = "http://packages.debian.org/resolvconf" -RDEPENDS:${PN} = "bash" +RDEPENDS:${PN} = "bash sed util-linux-flock" SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \ file://99_resolvconf \ + file://0001-avoid-using-m-option-for-readlink.patch \ " SRCREV = "859209d573e7aec0e95d812c6b52444591a628d1" @@ -23,8 +24,6 @@ S = "${WORKDIR}/git" # so we check the latest upstream from a directory that does get updated UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/" -inherit allarch - do_compile () { : } @@ -39,12 +38,14 @@ do_install () { fi install -d ${D}${base_libdir}/${BPN} install -d ${D}${sysconfdir}/${BPN} + install -d ${D}${nonarch_base_libdir}/${BPN} ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run install -d ${D}${sysconfdir} ${D}${base_sbindir} install -d ${D}${mandir}/man8 ${D}${docdir}/${P} cp -pPR etc/resolvconf ${D}${sysconfdir}/ chown -R root:root ${D}${sysconfdir}/ install -m 0755 bin/resolvconf ${D}${base_sbindir}/ + install -m 0755 bin/normalize-resolvconf ${D}${nonarch_base_libdir}/${BPN} install -m 0755 bin/list-records ${D}${base_libdir}/${BPN} install -d ${D}/${sysconfdir}/network/if-up.d install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf @@ -64,4 +65,4 @@ pkg_postinst:${PN} () { fi } -FILES:${PN} += "${base_libdir}/${BPN}" +FILES:${PN} += "${base_libdir}/${BPN} ${nonarch_base_libdir}/${BPN}" diff --git a/meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch b/meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch deleted file mode 100644 index fbfb0816dd..0000000000 --- a/meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d67d6b4f981db9612d808bd723176a1d2996d53a Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex@linutronix.de> -Date: Mon, 17 Jan 2022 13:21:32 +0100 -Subject: [PATCH] configure.ac: check getprotobynumber_r with AC_TRY_LINK - -AC_TRY_COMPILE won't error out if the function is altogether absent -(e.g. on linux musl C library), the test needs to link all the way. - -Upstream-Status: Submitted [via email to socat@dest-unreach.org] -Signed-off-by: Alexander Kanavin <alex@linutronix.de> ---- - configure.ac | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d4acc9e..973a7f2 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -137,13 +137,13 @@ AC_MSG_RESULT($sc_cv_have_prototype_hstrerror) - # getprotobynumber_r() is not standardized - AC_MSG_CHECKING(for getprotobynumber_r() variant) - AC_CACHE_VAL(sc_cv_getprotobynumber_r, --[AC_TRY_COMPILE([#include <stddef.h> -+[AC_TRY_LINK([#include <stddef.h> - #include <netdb.h>],[getprotobynumber_r(1,NULL,NULL,1024,NULL);], - [sc_cv_getprotobynumber_r=1; tmp_bynum_variant=Linux], -- [AC_TRY_COMPILE([#include <stddef.h> -+ [AC_TRY_LINK([#include <stddef.h> - #include <netdb.h>],[getprotobynumber_r(1,NULL,NULL,1024);], - [sc_cv_getprotobynumber_r=2; tmp_bynum_variant=Solaris], -- [AC_TRY_COMPILE([#include <stddef.h> -+ [AC_TRY_LINK([#include <stddef.h> - #include <netdb.h>],[getprotobynumber_r(1,NULL,NULL);], - [sc_cv_getprotobynumber_r=3; tmp_bynum_variant=AIX], - diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.3.bb b/meta/recipes-connectivity/socat/socat_1.7.4.4.bb index a4a0a8933e..5a379380d1 100644 --- a/meta/recipes-connectivity/socat/socat_1.7.4.3.bb +++ b/meta/recipes-connectivity/socat/socat_1.7.4.4.bb @@ -9,11 +9,9 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86" -SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ - file://0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch \ - " +SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2" -SRC_URI[sha256sum] = "d47318104415077635119dfee44bcfb41de3497374a9a001b1aff6e2f0858007" +SRC_URI[sha256sum] = "fbd42bd2f0e54a3af6d01bdf15385384ab82dbc0e4f1a5e153b3e0be1b6380ac" inherit autotools |