Re: [OE-core] [poky][dunfell][PATCH] openssh: Added security fix for CVE-2020-14145

From: "saloni" <saloni.jain@kpit.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>,
	Khem Raj <raj.khem@gmail.com>,
	Nisha Parrakat <Nisha.Parrakat@kpit.com>,
	Anuj Chougule <Anuj.Chougule@kpit.com>
Subject: Re: [OE-core] [poky][dunfell][PATCH] openssh: Added security fix for CVE-2020-14145
Date: Thu, 21 Jan 2021 07:29:20 +0000	[thread overview]
Message-ID: <BM1PR01MB4019169CEE8F3C4AFE2D56C587A10@BM1PR01MB4019.INDPRD01.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <CAOSpxdY=R1pRpVySuWo_ekr4Pb_7yumuxhHjbggVD4OJ7EDvRA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 9174 bytes --]

Hello Steve,

Thankyou for the feedback, I have fixed the comments and sent a v2 for the patch. Please review again.

Regards,
Saloni Jain
________________________________
From: Steve Sakoman <steve@sakoman.com>
Sent: Wednesday, January 20, 2021, 9:56 PM
To: Saloni Jain
Cc: Patches and discussions about the oe-core layer; Khem Raj; Nisha Parrakat; Anuj Chougule
Subject: Re: [OE-core] [poky][dunfell][PATCH] openssh: Added security fix for CVE-2020-14145

Thanks for helping with CVE's!

On Wed, Jan 20, 2021 at 6:14 AM saloni <saloni.jain@kpit.com> wrote:
>
> Added security fix for below CVE:
>
> CVE-2020-14145
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2020-14145&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7Cf83bbfc7c77f4ad8d8f208d8bd60288e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637467567996984807%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=ZXW2tuDBsIINaE761xKo4Nmn5jDjMNn8JvTMTw29dmc%3D&amp;reserved=0
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fanongit.mindrot.org%2Fopenssh.git%2Fcommit%2F%3Fid%3Db3855ff053f5078ec3d3c653cdaedefaa5fc362d&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7Cf83bbfc7c77f4ad8d8f208d8bd60288e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637467567996984807%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=V%2F8wQlaBwMgj2jUEcgsYDtyDgO%2B2eQmQ4fRCbCSpYEo%3D&amp;reserved=0
>
> Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
> ---
>  .../openssh/openssh/CVE-2020-14145.patch           | 87 ++++++++++++++++++++++
>  meta/recipes-connectivity/openssh/openssh_8.4p1.bb |  3 +-
>  2 files changed, 89 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> new file mode 100644
> index 0000000..50bf74d
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
> @@ -0,0 +1,87 @@
> +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Fri, 18 Sep 2020 05:23:03 +0000
> +Subject: upstream: tweak the client hostkey preference ordering algorithm to
> +
> +prefer the default ordering if the user has a key that matches the
> +best-preference default algorithm.
> +
> +feedback and ok markus@
> +
> +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
> +CVE: CVE-2020-14145
> +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2020-14145&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7Cf83bbfc7c77f4ad8d8f208d8bd60288e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637467567996984807%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=ZXW2tuDBsIINaE761xKo4Nmn5jDjMNn8JvTMTw29dmc%3D&amp;reserved=0]
> +Comment: 1 hunk with comment changes removed.

Needs your Signed-off-by here.  See "Patch name convention and commit
message" section at:

https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.yoctoproject.org%2Fwiki%2FSecurity&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7Cf83bbfc7c77f4ad8d8f208d8bd60288e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637467567996984807%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=YpC3QCRXeKyiwKE9jIUC4BiBjuKNk%2BabN80Fg3AN%2BKo%3D&amp;reserved=0

> +---
> + sshconnect2.c | 39 +++++++++++++++++++++++++++++++++++++--
> + 1 file changed, 37 insertions(+), 2 deletions(-)
> +
> +diff --git a/sshconnect2.c b/sshconnect2.c
> +index 347e348c..f64aae66 100644
> +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
> +       return 0;
> + }
> +
> ++/* Returns the first item from a comma-separated algorithm list */
> ++static char *
> ++first_alg(const char *algs)
> ++{
> ++      char *ret, *cp;
> ++
> ++      ret = xstrdup(algs);
> ++      if ((cp = strchr(ret, ',')) != NULL)
> ++              *cp = '\0';
> ++      return ret;
> ++}
> ++
> + static char *
> + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> + {
> +-      char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
> ++      char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
> ++      char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
> +       size_t maxlen;
> +-      struct hostkeys *hostkeys;
> ++      struct hostkeys *hostkeys = NULL;
> +       int ktype;
> +       u_int i;
> +
> +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> +       for (i = 0; i < options.num_system_hostfiles; i++)
> +               load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
> +
> ++      /*
> ++       * If a plain public key exists that matches the type of the best
> ++       * preference HostkeyAlgorithms, then use the whole list as is.
> ++       * Note that we ignore whether the best preference algorithm is a
> ++       * certificate type, as sshconnect.c will downgrade certs to
> ++       * plain keys if necessary.
> ++       */
> ++      best = first_alg(options.hostkeyalgorithms);
> ++      if (lookup_key_in_hostkeys_by_type(hostkeys,
> ++          sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
> ++              debug3("%s: have matching best-preference key type %s, "
> ++                  "using HostkeyAlgorithms verbatim", __func__, best);
> ++              ret = xstrdup(options.hostkeyalgorithms);
> ++              goto out;
> ++      }
> ++
> ++      /*
> ++       * Otherwise, prefer the host key algorithms that match known keys
> ++       * while keeping the ordering of HostkeyAlgorithms as much as possible.
> ++       */
> +       oavail = avail = xstrdup(options.hostkeyalgorithms);
> +       maxlen = strlen(avail) + 1;
> +       first = xmalloc(maxlen);
> +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> +       if (*first != '\0')
> +               debug3("%s: prefer hostkeyalgs: %s", __func__, first);
> +
> ++ out:
> ++      free(best);
> +       free(first);
> +       free(last);
> +       free(hostname);
> +--
> +cgit v1.2.3
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
> index 688fc8a..b71e156 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
> @@ -24,12 +24,13 @@ SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fftp.openbsd.org%2Fpub%2FOpenBSD%2FOpenSSH%2Fportable%2Fopenssh-%24&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7Cf83bbfc7c77f4ad8d8f208d8bd60288e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637467567996984807%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=p8z%2B6W%2Fbfbz9n0b8gZiLtTuCc8LjfdRq4gsyYQkVvTA%3D&amp;reserved=0{PV}.tar
>             file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
>             file://sshd_check_keys \
>             file://add-test-support-for-busybox.patch \
> +           file://CVE-2020-14145.patch \
>             "
>  SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
>
>  # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
>  # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
> -CVE_CHECK_WHITELIST += "CVE-2014-9278"
> +CVE_CHECK_WHITELIST += "CVE-2014-9278 CVE-2020-15778"

Why are you modifying the whitelist here?

Steve

>  PAM_SRC_URI = "file://sshd"
>
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 15775 bytes --]