openssh: add fix for CVE-2024-6387

2024-07-02 10:04:04 +06:00 · 2024-07-02 10:04:04 +06:00 · a7be2e668d
commit a7be2e668d
parent 331a17ac6a
2 changed files with 57 additions and 1 deletions
--- a/openssh/CVE-2024-6387.patch
+++ b/openssh/CVE-2024-6387.patch
@ -0,0 +1,54 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
+https://www.opennet.ru/opennews/art.shtml?num=61470
+
+Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
+prevent exploitation of this bug is to disable the login grace timer
+by setting LoginGraceTime=0 in sshd_config. This will however make
+it much easier for an attacker to deny service to sshd.
+
+Similarly, the much more minor keystroke timing bug can be avoided
+by disabling the feature using ObscureKeystrokeTiming=0.
+
+Some users will understandably prefer to patch their OpenSSH rather
+than upgrade to the newest version, so here are minimal patches for
+both problems.
+
+1) Critical race condition in sshd
+
+diff --git a/log.c b/log.c
+index 9fc1a2e2e..191ff4a5a 100644
+--- a/log.c
+++ b/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
+#endif
+ 	_exit(1);
+ }
+ 
+2) Minor logic error in ObscureKeystrokeTiming
+
+diff --git a/clientloop.c b/clientloop.c
+index 8ec36af94..6dcd6c853 100644
+--- a/clientloop.c
+++ b/clientloop.c
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
+		} else if (timespeccmp(&now, &next_interval, >=) &&
+		    !ssh_packet_have_data_to_write(ssh)) {
+			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}
--- a/openssh/openssh.spec
+++ b/openssh/openssh.spec
@ -57,7 +57,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.7p1
-%global openssh_rel 1
+%global openssh_rel 2
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 13

@ -252,6 +252,8 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch
 Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 Patch1014: openssh-9.7p1-nohostsha1proof.patch

+Patch1020: CVE-2024-6387.patch
+
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin