packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:ba41459911362babedbd7ce66e563328d10d991e
Branches Tags
packages:main
...
compare: packages:c932cd2b334104d1f537c2af21abd4d3f3483281
Branches Tags
packages:main

11 Commits
ba41459911 ... c932cd2b33

Author SHA1 Message Date
openeuler-ci-bot
c932cd2b33
!338 Fix CVE-2025-26465 
From: @bitianyuan 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2025-02-22 02:36:30 +00:00
bitianyuan
1b877bb2b1 Fix CVE-2025-26465 
Signed-off-by: bitianyuan <bitianyuan@huawei.com>
 2025-02-19 11:11:15 +08:00
openeuler-ci-bot
2f0d852e48
!332 [sync] PR-320: 修复无openssl环境上测试用例执行失败 
From: @bitianyuan 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2025-01-15 01:17:49 +00:00
bitianyuan
631079e45e Set OPENSSL_BIN from OpenSSL directory 
remove unused patch  skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch

Signed-off-by: bitianyuan <bitianyuan@huawei.com>
 2025-01-14 12:29:42 +00:00
openeuler-ci-bot
998155e351
!298 [sync] PR-296: 修复CVE-2024-6409 
From: @openeuler-sync-bot 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai
 2024-07-12 06:25:43 +00:00
Corwin-Song
93c66046c1 fix CVE-2024-6409 
Signed-off-by: Corwin-Song <songjuntao@kylinos.cn>
(cherry picked from commit 7d112ee7f10801f8739d84a43400373e03464709)
 2024-07-11 17:02:56 +08:00
openeuler-ci-bot
a0bd7ac000
!289 修复CVE-2024-6387 
From: @renmingshuai 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-07-02 07:19:49 +00:00
renmingshuai
b20004b32b fix CVE-2024-6387 2024-07-02 03:56:43 +00:00
openeuler-ci-bot
3f32a74123
!280 拼写错误修正 
From: @renmingshuai 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-05-14 06:13:51 +00:00
renmingshuai
793acc4534 spelling correction 2024-05-14 02:17:54 +00:00
openeuler-ci-bot
bc490cc8b9
!271 执行社区用例时临时关闭环境的SElinux功能 
From: @renmingshuai 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng
 2024-05-09 03:37:09 +00:00
6 changed files with 264 additions and 102 deletions
Show Stats Expand all files Collapse all files

102
backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch Normal file
View File

@ -0,0 +1,102 @@
From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 18 Feb 2025 08:02:48 +0000
Subject: upstream: Fix cases where error codes were not correctly set
Reported by the Qualys Security Advisory team. ok markus@
OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
---
krl.c | 2 ++
ssh-sk-client.c | 1 +
sshconnect2.c | 5 ++++-
sshsig.c | 1 +
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/krl.c b/krl.c
index ebeee5c..8e94fea 100644
--- a/krl.c
+++ b/krl.c
@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
break;
case KRL_SECTION_CERT_SERIAL_BITMAP:
if (rs->lo - bitmap_start > INT_MAX) {
+ r = SSH_ERR_INVALID_FORMAT;
error_f("insane bitmap gap");
goto out;
}
@@ -1010,6 +1011,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
goto out;
if ((krl = ssh_krl_init()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
error_f("alloc failed");
goto out;
}
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index 3ac16f5..5f463b5 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -411,6 +411,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
sizeof(*keys))) == NULL) {
error_f("recallocarray keys failed");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
debug_f("keys[%zu]: %s %s", nkeys, sshkey_type(key),
diff --git a/sshconnect2.c b/sshconnect2.c
index 414fa2e..d9bfe15 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -97,7 +97,7 @@ static int
verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
{
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
- xxx_conn_info) == -1)
+ xxx_conn_info) != 0)
fatal("Host key verification failed.");
return 0;
}
@@ -806,6 +806,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
debug_f("server sent unknown pkalg %s", pkalg);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -816,6 +817,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
key->type, pktype);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
@@ -835,6 +837,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
SSH_FP_DEFAULT);
error_f("server replied with unknown key: %s %s",
sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
ident = format_identity(id);
diff --git a/sshsig.c b/sshsig.c
index 5b3209a..a513138 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -970,6 +970,7 @@ cert_filter_principals(const char *path, u_long linenum,
}
if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
error_f("buffer error");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* success */
--
2.33.0

28
backport-fix-CVE-2024-6387.patch Normal file
View File

@ -0,0 +1,28 @@
Reference:https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Conflict:NA
---
log.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/log.c b/log.c
index dca08e4..5ca403a 100644
--- a/log.c
+++ b/log.c
@@ -458,12 +458,14 @@ void
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#if 0
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}
--
2.33.0

22
backport-fix-CVE-2024-6409.patch Normal file
View File

@ -0,0 +1,22 @@
Reference:https://www.openwall.com/lists/oss-security/2024/07/08/2
Conflict:NA
---
sshd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sshd.c b/sshd.c
index cf7381e..04b7357 100644
--- a/sshd.c
+++ b/sshd.c
@@ -384,7 +384,7 @@ grace_alarm_handler(int sig)
/* Log error and exit. */
if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
- cleanup_exit(255); /* don't log in privsep child */
+ _exit(1); /* don't log in privsep child */
else {
sigdie("Timeout before authentication for %s port %d",
ssh_remote_ipaddr(the_active_state),
--
2.43.0

78
backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch Normal file
View File

@ -0,0 +1,78 @@
From 3c80942727444934fef8e06b2fd6ae51f1025d6d Mon Sep 17 00:00:00 2001
From: bitianyuan <bitianyuan@huawei.com>
Date: Thu, 5 Dec 2024 04:41:40 +0000
Subject: [PATCH] backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory
---
Makefile.in | 1 +
configure.ac | 6 ++++++
regress/test-exec.sh | 3 ++-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 01895a7..b26e3a2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -736,6 +736,7 @@ tests: file-tests t-exec interop-tests unit
unit: regress-unit-binaries
BUILDDIR=`pwd`; \
cd $(srcdir)/regress || exit $$?; \
+ OPENSSL_BIN='@OPENSSL_BIN' \
$(MAKE) \
.OBJDIR="$${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
diff --git a/configure.ac b/configure.ac
index d5a156c..0b36b5e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -119,10 +119,12 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
])
openssl=yes
+openssl_bin=openssl
AC_ARG_WITH([openssl],
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
[ if test "x$withval" = "xno" ; then
openssl=no
+ openssl_bin=""
fi
]
)
@@ -2674,6 +2676,7 @@ AC_CHECK_FUNCS([getpgrp],[
# Search for OpenSSL
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
+openssl_bin_PATH="$PATH"
AC_ARG_WITH([ssl-dir],
[ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
[
@@ -2709,9 +2712,12 @@ AC_ARG_WITH([ssl-dir],
else
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
+ openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
fi
]
)
+AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])
+AC_SUBST(OPENSSL_BIN, [${openssl_bin}])
AC_ARG_WITH([openssl-header-check],
[ --without-openssl-header-check Disable OpenSSL version consistency check],
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 3e3b20e..44cf725 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -102,7 +102,8 @@ CONCH=conch
# Tools used by multiple tests
NC=$OBJ/netcat
-OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
+# Always use the one configure tells us to, even if that's empty.
+#OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
if [ "x$TEST_SSH_SSH" != "x" ]; then
SSH="${TEST_SSH_SSH}"
--
2.33.0

36
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 30
%global openssh_release 34
Name: openssh
Version: 8.8p1
@ -131,6 +131,10 @@ Patch101: backport-upstream-In-channel_request_remote_forwarding-the-pa.pa
Patch102: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Patch103: backport-CVE-2023-48795.patch
Patch104: fix-memory-leak-in-kex-exchange.patch
Patch105: backport-fix-CVE-2024-6387.patch
Patch106: backport-fix-CVE-2024-6409.patch
Patch107: backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
Patch108: backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -312,6 +316,10 @@ popd
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -386,7 +394,7 @@ popd
if [ -e /sys/fs/selinux/enforce ]; then
# Store the SElinux state
cat /sys/fs/selinux/enforce > selinux.tmp
setenfore 0
setenforce 0
fi
make tests
if [ -e /sys/fs/selinux/enforce ]; then
@ -518,6 +526,30 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Tue Feb 18 2025 bitianyuan<bitianyuan@huawei.com> - 8.8p1-34
- Type:CVE
- CVE:CVE-2025-26465
- SUG:NA
- DESC:Fix CVE-2025-26465
* Thu Dec 5 2024 bitianyuan<bitianyuan@huawei.com> - 8.8p1-33
- Type:bugfix
- CVE:
- SUG:NA
- DESC:Set OPENSSL_BIN from OpenSSL directory
* Wed Jul 10 2024 songjuntao<songjuntao@kylinos.cn> - 8.8p1-32
- Type:CVE
- CVE:CVE-2024-6409
- SUG:NA
- DESC:Fix CVE-2024-6409
* Tue Jul 2 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-31
- Type:CVE
- CVE:CVE-2024-6387
- SUG:NA
- DESC:Fix CVE-2024-6387
* Mon Apr 29 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-30
- Type:bugfix
- CVE:

100
skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
View File

@ -1,100 +0,0 @@
From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001
From: chengyechun <chengyechun1@huawei.com>
Date: Thu, 5 Jan 2023 23:43:22 +0800
Subject: [PATCH] skip tests for '%C' if there is no openssl on local path
---
regress/percent.sh | 24 +++++++++++----
...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++
2 files changed, 48 insertions(+), 6 deletions(-)
create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
diff --git a/regress/percent.sh b/regress/percent.sh
index 7ed4184..9c112eb 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -13,6 +13,10 @@ USERID=`id -u`
HOST=`hostname | cut -f1 -d.`
HOSTNAME=`hostname`
+# Check if there is openssl in local PATH
+NOOPENSSL=0
+for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done
+
# Localcommand is evaluated after connection because %T is not available
# until then. Because of this we use a different method of exercising it,
# and we can't override the remote user otherwise authentication will fail.
@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
if [ "$i" = "$localcommand" ]; then
trial $i '%T' NONE
fi
- # Matches implementation in readconf.c:ssh_connection_hash()
- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
- $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ # skip tests for '%C' since no openssl in local PATH
+ if [ $NOOPENSSL -eq 1 ]; then
+ # Matches implementation in readconf.c:ssh_connection_hash()
+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+ $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ fi
trial $i '%%' '%'
- trial $i '%C' $HASH
+ if [ $NOOPENSSL -eq 1 ]; then trial $i '%C' $HASH; fi
trial $i '%i' $USERID
trial $i '%h' 127.0.0.1
trial $i '%L' $HOST
@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
# containing %d for UserKnownHostsFile
if [ "$i" != "userknownhostsfile" ]; then
trial $i '%d' $HOME
- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ if [ $NOOPENSSL -eq 0 ]; then
+ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ else
+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ fi
fi
done
diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
new file mode 100644
index 0000000..c7af5d9
--- /dev/null
+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
@@ -0,0 +1,30 @@
+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001
+From: chengyechun <chengyechun1@huawei.com>
+Date: Thu, 5 Jan 2023 23:43:22 +0800
+Subject: [PATCH] skip percent test if there is no openssl on local path as
+ scp3 did
+
+---
+ regress/percent.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/regress/percent.sh b/regress/percent.sh
+index 7ed4184..08afbc8 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -8,6 +8,12 @@ if [ -x "/usr/xpg4/bin/id" ]; then
+ export PATH
+ fi
+
++NOOPENSSL=0
++for i in $PATH;do [ -x "$i/openssl" ] && $OPENSSL=1; done
++if [ $? -eq 0 ]; then
++ skip "No openssl on local path."
++fi
++
+ USER=`id -u -n`
+ USERID=`id -u`
+ HOST=`hostname | cut -f1 -d.`
+--
+2.23.0
+
--
2.23.0