openssh: add fix for CVE-2024-6387

openssh/CVE-2024-6387.patch

@@ -0,0 +1,54 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
+https://www.opennet.ru/opennews/art.shtml?num=61470
+
+Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
+prevent exploitation of this bug is to disable the login grace timer
+by setting LoginGraceTime=0 in sshd_config. This will however make
+it much easier for an attacker to deny service to sshd.
+
+Similarly, the much more minor keystroke timing bug can be avoided
+by disabling the feature using ObscureKeystrokeTiming=0.
+
+Some users will understandably prefer to patch their OpenSSH rather
+than upgrade to the newest version, so here are minimal patches for
+both problems.
+
+1) Critical race condition in sshd
+
+diff --git a/log.c b/log.c
+index 9fc1a2e2e..191ff4a5a 100644
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 
+2) Minor logic error in ObscureKeystrokeTiming
+
+diff --git a/clientloop.c b/clientloop.c
+index 8ec36af94..6dcd6c853 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
++		} else if (timespeccmp(&now, &next_interval, >=) &&
++		    !ssh_packet_have_data_to_write(ssh)) {
++			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}

openssh/openssh.spec

@@ -57,7 +57,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.7p1
-%global openssh_rel 1
+%global openssh_rel 2
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 13
 
@@ -252,6 +252,8 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch
 Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 Patch1014: openssh-9.7p1-nohostsha1proof.patch
 
+Patch1020: CVE-2024-6387.patch
+
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
 
@@ -272,14 +274,16 @@ BuildRequires: openssl3-devel >= 0.9.8j
 %if 0%{?fedora} || 0%{?rhel} >= 7
 BuildRequires: perl-podlators
 BuildRequires: systemd-devel
+%if 0%{?rhel} >= 8
 BuildRequires: systemd-rpm-macros
+%endif
 %else
 BuildRequires: perl
 %endif
 %if 0%{?fedora} || 0%{?rhel} != 7
 BuildRequires: gcc
 %else
-BuildRequires: devtoolset-12-gcc devtoolset-12-build
+BuildRequires: devtoolset-11-gcc devtoolset-11-build
 %if 0%{?rhel} < 7
 BuildRequires: autoconf2.69 automake1.16 m4
 %endif
@@ -477,6 +481,7 @@ popd
 %patch1013 -p1 -b .evp-fips-ecdh
 %patch1014 -p1 -b .nosha1hostproof
 
+%patch1020 -p1 -b .CVE-2024-6387
 
 %patch100 -p1 -b .coverity
 
@@ -488,7 +493,7 @@ popd
 
 %build
 %if 0%{?rhel} == 7
-%enable_devtoolset12
+%enable_devtoolset11
 %endif
 
 %set_build_flags