diff --git a/openssh/CVE-2024-6387.patch b/openssh/CVE-2024-6387.patch
new file mode 100644
index 0000000..c709a17
--- /dev/null
+++ b/openssh/CVE-2024-6387.patch
@@ -0,0 +1,54 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
+https://www.opennet.ru/opennews/art.shtml?num=61470
+
+Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
+prevent exploitation of this bug is to disable the login grace timer
+by setting LoginGraceTime=0 in sshd_config. This will however make
+it much easier for an attacker to deny service to sshd.
+
+Similarly, the much more minor keystroke timing bug can be avoided
+by disabling the feature using ObscureKeystrokeTiming=0.
+
+Some users will understandably prefer to patch their OpenSSH rather
+than upgrade to the newest version, so here are minimal patches for
+both problems.
+
+1) Critical race condition in sshd
+
+diff --git a/log.c b/log.c
+index 9fc1a2e2e..191ff4a5a 100644
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
+2) Minor logic error in ObscureKeystrokeTiming
+
+diff --git a/clientloop.c b/clientloop.c
+index 8ec36af94..6dcd6c853 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ if (timespeccmp(&now, &chaff_until, >=)) {
+ /* Stop if there have been no keystrokes for a while */
+ stop_reason = "chaff time expired";
+- } else if (timespeccmp(&now, &next_interval, >=)) {
+- /* Otherwise if we were due to send, then send chaff */
++ } else if (timespeccmp(&now, &next_interval, >=) &&
++ !ssh_packet_have_data_to_write(ssh)) {
++ /* If due to send but have no data, then send chaff */
+ if (send_chaff(ssh))
+ nchaff++;
+ }
diff --git a/openssh/openssh.spec b/openssh/openssh.spec
index b87cc08..0f66b6a 100644
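Review bot: The new patch file records nothing about its provenance beyond two URLs, and its log.c hunk only closes the signal-handler race when `SYSLOG_R_SAFE_IN_SIGHAND` is left undefined by configure, so the build should be checked for that macro rather than assumed. I would prepend a header line such as `Backport of the minimal upstream fix for CVE-2024-6387 onto 9.7p1; drop once openssh_ver >= 9.8, and confirm SYSLOG_R_SAFE_IN_SIGHAND is not defined in the generated config header on this platform`. The file also relies on `patch` skipping the mailing-list prose before and between its two embedded diffs, which GNU patch does but which is worth stating in that header for anyone replaying it with another tool. `sshsigdie()` is fully visible in the first embedded hunk; `obfuscate_keystroke_timing()` begins and ends outside the second.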
--- a/openssh/openssh.spec +++ b/openssh/openssh.spec @@ -57,7 +57,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 9.7p1 -%global openssh_rel 1 +%global openssh_rel 2 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 13 @@ -252,6 +252,8 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch Patch1013: openssh-9.0p1-evp-fips-ecdh.patch Patch1014: openssh-9.7p1-nohostsha1proof.patch +Patch1020: CVE-2024-6387.patch + License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -272,14 +274,16 @@ BuildRequires: openssl3-devel >= 0.9.8j %if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: perl-podlators BuildRequires: systemd-devel +%if 0%{?rhel} >= 8 BuildRequires: systemd-rpm-macros +%endif %else BuildRequires: perl %endif %if 0%{?fedora} || 0%{?rhel} != 7 BuildRequires: gcc %else -BuildRequires: devtoolset-12-gcc devtoolset-12-build +BuildRequires: devtoolset-11-gcc devtoolset-11-build %if 0%{?rhel} < 7 BuildRequires: autoconf2.69 automake1.16 m4 %endif @@ -477,6 +481,7 @@ popd %patch1013 -p1 -b .evp-fips-ecdh %patch1014 -p1 -b .nosha1hostproof +%patch1020 -p1 -b .CVE-2024-6387 %patch100 -p1 -b .coverity @@ -488,7 +493,7 @@ popd %build %if 0%{?rhel} == 7 -%enable_devtoolset12 +%enable_devtoolset11 %endif %set_build_flags
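Review bot: The hunks that swap `devtoolset-12` for `devtoolset-11` and wrap `systemd-rpm-macros` in `%if 0%{?rhel} >= 8` are unrelated to the CVE-2024-6387 backport, so they should land in a separate commit; a security fix mixed with toolchain changes is harder to audit and to cherry-pick onto other branches. The new patch is also named `CVE-2024-6387.patch` while its neighbours follow the `openssh-9.7p1-<topic>.patch` pattern; naming it `openssh-9.7p1-CVE-2024-6387.patch` keeps the `Patch1020:` and `%patch1020` lines consistent with the rest of the list. If the spec carries a `%changelog`, the entry for this release is outside the visible hunks and should mention the CVE.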