#29 Avoid NULL deref in ssh-keygen -Y find-principals
Closed 2 years ago by dbelyavs. Opened 2 years ago by tmz.
rpms/ tmz/openssh rawhide into rawhide

@@ -0,0 +1,70 @@ 

+ From ca0e455b9331213ff9505a21b94c38e34faa2bba Mon Sep 17 00:00:00 2001

+ From: "djm@openbsd.org" <djm@openbsd.org>

+ Date: Tue, 7 Sep 2021 06:03:51 +0000

+ Subject: [PATCH 1/2] upstream: avoid NULL deref in -Y find-principals. Report

+  and fix

+ MIME-Version: 1.0

+ Content-Type: text/plain; charset=UTF-8

+ Content-Transfer-Encoding: 8bit

+ 

+ from Carlo Marcelo Arenas Belón

+ MIME-Version: 1.0

+ Content-Type: text/plain; charset=UTF-8

+ Content-Transfer-Encoding: 8bit

+ 

+ OpenBSD-Commit-ID: 6238486f8ecc888d6ccafcd9ad99e621bb41f1e0

+ ---

+  ssh-keygen.c | 5 +++--

+  1 file changed, 3 insertions(+), 2 deletions(-)

+ 

+ diff --git a/ssh-keygen.c b/ssh-keygen.c

+ index 18e9f1d1..cf5d95af 100644

+ --- a/ssh-keygen.c

+ +++ b/ssh-keygen.c

+ @@ -1,4 +1,4 @@

+ -/* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */

+ +/* $OpenBSD: ssh-keygen.c,v 1.436 2021/09/07 06:03:51 djm Exp $ */

+  /*

+   * Author: Tatu Ylonen <ylo@cs.hut.fi>

+   * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland

+ @@ -2680,7 +2680,8 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,

+  	time_t now;

+  

+  	*verify_timep = 0;

+ -	*print_pubkey = 0;

+ +	if (print_pubkey == NULL)

+ +		*print_pubkey = 0;

+  	for (i = 0; i < nopts; i++) {

+  		if (strncasecmp(opts[i], "verify-time=", 12) == 0) {

+  			if (parse_absolute_time(opts[i] + 12,

+ 
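Review bot: the guard introduced in the sig_process_opts hunk, `+	if (print_pubkey == NULL)` followed by `+		*print_pubkey = 0;`, is inverted: it dereferences `print_pubkey` exactly when it is NULL and skips the zeroing when a valid pointer is passed, so this first commit on its own keeps the crash and additionally leaves `*print_pubkey` uninitialized for callers that do supply a pointer. The second commit concatenated below (4afe431da) flips the test to `!=`, so the combined Patch979 is correct, but it is worth recording in the spec's Patch979 comment that the two commits are only correct together and the first must never be applied alone.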

+ From 4afe431da98ec1cf6a2933fe5658f4fd68dee9e2 Mon Sep 17 00:00:00 2001

+ From: "djm@openbsd.org" <djm@openbsd.org>

+ Date: Wed, 8 Sep 2021 03:23:44 +0000

+ Subject: [PATCH 2/2] upstream: correct my mistake in previous fix; spotted by

+  halex

+ 

+ OpenBSD-Commit-ID: 3cc62d92e3f70006bf02468fc146bfc36fffa183

+ ---

+  ssh-keygen.c | 4 ++--

+  1 file changed, 2 insertions(+), 2 deletions(-)

+ 

+ diff --git a/ssh-keygen.c b/ssh-keygen.c

+ index cf5d95af..4b40768d 100644

+ --- a/ssh-keygen.c

+ +++ b/ssh-keygen.c

+ @@ -1,4 +1,4 @@

+ -/* $OpenBSD: ssh-keygen.c,v 1.436 2021/09/07 06:03:51 djm Exp $ */

+ +/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */

+  /*

+   * Author: Tatu Ylonen <ylo@cs.hut.fi>

+   * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland

+ @@ -2680,7 +2680,7 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,

+  	time_t now;

+  

+  	*verify_timep = 0;

+ -	if (print_pubkey == NULL)

+ +	if (print_pubkey != NULL)

+  		*print_pubkey = 0;

+  	for (i = 0; i < nopts; i++) {

+  		if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
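Review bot: with both commits applied, the net change to sig_process_opts is a single NULL guard, `if (print_pubkey != NULL) *print_pubkey = 0;`, while the neighbouring `*verify_timep = 0;` two lines above stays unguarded, so every caller must still pass a valid `verify_timep`; a one-line comment at the guard saying that `print_pubkey` is optional and `verify_timep` is not would make that contract explicit. Since this fixes a crash in a user-facing `ssh-keygen -Y find-principals` invocation, running that command against a small allowed-signers file in %check (adding a %check section if the spec has none) would catch a regression when Patch979 is dropped at the 8.8p1 rebase.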

file modified
+10 -1
@@ -51,7 +51,7 @@ 

  

  # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1

  %global openssh_ver 8.7p1

- %global openssh_rel 3

+ %global openssh_rel 4

  %global pam_ssh_agent_ver 0.10.4

  %global pam_ssh_agent_rel 4

  
@@ -199,6 +199,11 @@ 

  Patch977: openssh-8.7p1-scp-kill-switch.patch

  # CVE-2021-41617

  Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch

+ # Avoid NULL deref in ssh-keygen -Y find-principals (fixed in 8.8)

+ # This is the concatenation of the following patches:

+ # https://github.com/openssh/openssh-portable/commit/ca0e455b9

+ # https://github.com/openssh/openssh-portable/commit/4afe431da

+ Patch979: openssh-8.7p1-avoid-ssh-keygen-NULL-deref.patch

  

  License: BSD

  Requires: /sbin/nologin
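Review bot: the Patch979 comment names the two upstream commits but gives no more than "fixed in 8.8" as the drop condition; linking the release-notes entry cited in the PR description (https://www.openssh.com/txt/release-8.8) and stating that the first commit alone is incorrect (its `==` test was corrected to `!=` by the second) would help whoever rebases to 8.8p1 or is tempted to split the concatenated patch.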
@@ -378,6 +383,7 @@ 

  %patch976 -p1 -b .sftp-by-default

  %patch977 -p1 -b .kill-scp

  %patch978 -p1 -b .cve-2021-41617

+ %patch979 -p1 -b .keygen-null-deref

  

  %patch200 -p1 -b .audit

  %patch201 -p1 -b .audit-race
@@ -663,6 +669,9 @@ 

  %endif

  

  %changelog

+ * Thu Nov 11 2021 Todd Zullinger <tmz@pobox.com> - 8.7p1-4

+ - Avoid NULL deref in ssh-keygen -Y find-principals

+ 

  * Wed Sep 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3

  - CVE-2021-41617 fix (#2008292)

  
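Review bot: the changelog entry `- Avoid NULL deref in ssh-keygen -Y find-principals` cites no bug or upstream reference, unlike the preceding entry's `(#2008292)`; appending the upstream commit ids (ca0e455b9, 4afe431da) or the release-8.8 note keeps the entry traceable once Patch979 is removed from the spec.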

In openssh-8.7, the ssh-keygen command crashes when the -Y
find-principals option is used. This is fixed in openssh-8.8, as
mentioned in the Bugfixes section of the release notes¹:

* ssh-keygen(1): avoid crash when using the -Y find-principals
  command.

Apply the trivial upstream patch(es)².

¹ https://www.openssh.com/txt/release-8.8
² https://github.com/openssh/openssh-portable/commit/ca0e455b9
https://github.com/openssh/openssh-portable/commit/4afe431da and/or
https://www.mail-archive.com/source-changes@openbsd.org/msg127496.html
(and follow-ups regarding the '==' versus '!=' typo)

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

This is something I noticed when building the git-2.34.0 release candidates. Upstream also noticed it and patched the git test suite to avoid using the failing ssh-keygen.

It's a pretty straightforward crash fix, so hopefully it's reasonable to apply to rawhide and f35 -- unless they're going to be updated to openssh >= 8.8p1 in the near term.

Sorry, fixed today for both Rawhide and F35.

Pull-Request has been closed by dbelyavs

2 years ago

No sorry needed, thanks for picking this up! :)