ssh: Update to OpenSSH 9.3p2
From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation
This commit is contained in:
commit
66fd12cf48
@ -1,4 +1,4 @@
|
|||
See https://www.openssh.com/releasenotes.html#9.3p1 for the release
|
||||
See https://www.openssh.com/releasenotes.html#9.3p2 for the release
|
||||
notes.
|
||||
|
||||
Please read https://www.openssh.com/report.html for bug reporting
|
||||
@ -1,4 +1,4 @@
|
|||
%global ver 9.3p1
|
||||
%global ver 9.3p2
|
||||
%global rel 1%{?dist}
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
@ -13,7 +13,7 @@
|
|||
|
||||
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
|
||||
Name: openssh
|
||||
Version: 9.3p1
|
||||
Version: 9.3p2
|
||||
URL: https://www.openssh.com/
|
||||
Release: 1
|
||||
Source0: openssh-%{version}.tar.gz
|
||||
@ -107,9 +107,27 @@ environment variable).
|
|||
.It Fl O Ar option
|
||||
Specify an option when starting
|
||||
.Nm .
|
||||
Currently only one option is supported:
|
||||
Currently two options are supported:
|
||||
.Cm allow-remote-pkcs11
|
||||
and
|
||||
.Cm no-restrict-websafe .
|
||||
This instructs
|
||||
.Pp
|
||||
The
|
||||
.Cm allow-remote-pkcs11
|
||||
option allows clients of a forwarded
|
||||
.Nm
|
||||
to load PKCS#11 or FIDO provider libraries.
|
||||
By default only local clients may perform this operation.
|
||||
Note that signalling that a
|
||||
.Nm
|
||||
client remote is performed by
|
||||
.Xr ssh 1 ,
|
||||
and use of other tools to forward access to the agent socket may circumvent
|
||||
this restriction.
|
||||
.Pp
|
||||
The
|
||||
.Cm no-restrict-websafe ,
|
||||
instructs
|
||||
.Nm
|
||||
to permit signatures using FIDO keys that might be web authentication
|
||||
requests.
|
||||
@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
|
|||
/* Pattern-list of allowed PKCS#11/Security key paths */
|
||||
static char *allowed_providers;
|
||||
|
||||
/*
|
||||
* Allows PKCS11 providers or SK keys that use non-internal providers to
|
||||
* be added over a remote connection (identified by session-bind@openssh.com).
|
||||
*/
|
||||
static int remote_add_provider;
|
||||
|
||||
/* locking */
|
||||
#define LOCK_SIZE 32
|
||||
#define LOCK_SALT_SIZE 16
|
||||
|
@ -1246,6 +1252,12 @@ process_add_identity(SocketEntry *e)
|
|||
if (strcasecmp(sk_provider, "internal") == 0) {
|
||||
debug_f("internal provider");
|
||||
} else {
|
||||
if (e->nsession_ids != 0 && !remote_add_provider) {
|
||||
verbose("failed add of SK provider \"%.100s\": "
|
||||
"remote addition of providers is disabled",
|
||||
sk_provider);
|
||||
goto out;
|
||||
}
|
||||
if (realpath(sk_provider, canonical_provider) == NULL) {
|
||||
verbose("failed provider \"%.100s\": "
|
||||
"realpath: %s", sk_provider,
|
||||
|
@ -1409,6 +1421,11 @@ process_add_smartcard_key(SocketEntry *e)
|
|||
error_f("failed to parse constraints");
|
||||
goto send;
|
||||
}
|
||||
if (e->nsession_ids != 0 && !remote_add_provider) {
|
||||
verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
|
||||
"providers is disabled", provider);
|
||||
goto send;
|
||||
}
|
||||
if (realpath(provider, canonical_provider) == NULL) {
|
||||
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
||||
provider, strerror(errno));
|
||||
|
@ -2073,7 +2090,9 @@ main(int ac, char **av)
|
|||
break;
|
||||
case 'O':
|
||||
if (strcmp(optarg, "no-restrict-websafe") == 0)
|
||||
restrict_websafe = 0;
|
||||
restrict_websafe = 0;
|
||||
else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
|
||||
remote_add_provider = 1;
|
||||
else
|
||||
fatal("Unknown -O option");
|
||||
break;
|
||||
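Review bot: The comment on `static int remote_add_provider` in the first hunk of this file (the declaration near ssh-agent.c:169) does not say what "remote" means to the code that reads it, and the secure default (0) is only implied by static zero-initialisation. The gates added in process_add_identity and process_add_smartcard_key test `e->nsession_ids != 0 && !remote_add_provider`, so a connection counts as remote only after it has received at least one session-bind@openssh.com, and a client that never binds is treated as local, which is the limitation the commit message already describes. Suggest extending the comment to: `/* 0 (default) refuses provider loads on any connection that has received a session-bind@openssh.com (e->nsession_ids != 0); set to 1 only by -Oallow-remote-pkcs11. Connections that never bind are treated as local. */`. The two gates are consistent with each other (verbose() then goto), but the `out` label that process_add_identity jumps to is outside the hunk, so confirm it reports a failure status to the client as the `send` label in process_add_smartcard_key presumably does.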
@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
|||
error("dlopen %s failed: %s", provider_id, dlerror());
|
||||
goto fail;
|
||||
}
|
||||
if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
|
||||
error("dlsym(C_GetFunctionList) failed: %s", dlerror());
|
||||
goto fail;
|
||||
}
|
||||
if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
|
||||
fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
|
||||
p = xcalloc(1, sizeof(*p));
|
||||
p->name = xstrdup(provider_id);
|
||||
p->handle = handle;
|
||||
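Review bot: The switch from `error(); goto fail;` to `fatal()` when `C_GetFunctionList` cannot be resolved is deliberate but undocumented, and a future reader is likely to "restore" the gentler error path. If the `fail:` label dlclose()s `handle` (the label is outside the hunk, so confirm), the old path would run the destructors of a library that has just been shown not to be a PKCS#11 module, which is the condition the commit message describes as exploitable. Suggest a comment above the check: `/* Not a PKCS#11 module: exit rather than dlclose() an arbitrary library */`. The dlopen() failure just above can keep `goto fail`, since nothing was loaded in that case; pkcs11_register_provider starts and ends outside the hunk.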
@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#UseBlacklist no
|
||||
#VersionAddendum FreeBSD-20230316
|
||||
#VersionAddendum FreeBSD-20230719
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
@ -1927,7 +1927,7 @@ The default is
|
|||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
||||
The default is
|
||||
.Qq FreeBSD-20230316 .
|
||||
.Qq FreeBSD-20230719 .
|
||||
The value
|
||||
.Cm none
|
||||
may be used to disable this.
|
||||
@ -2,7 +2,7 @@
|
|||
|
||||
#define SSH_VERSION "OpenSSH_9.3"
|
||||
|
||||
#define SSH_PORTABLE "p1"
|
||||
#define SSH_PORTABLE "p2"
|
||||
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
|
||||
#define SSH_VERSION_FREEBSD "FreeBSD-20230316"
|
||||
#define SSH_VERSION_FREEBSD "FreeBSD-20230719"
|
||||