[OE-core] [PATCH] openssh: Security Advisory - openssh - CVE-2016-10010

Li Zhou li.zhou at windriver.com
Wed Jan 25 05:19:01 UTC 2017


sshd in OpenSSH before 7.4, when privilege separation is not used,
creates forwarded Unix-domain sockets as root, which might allow
local users to gain privileges via unspecified vectors, related to
serverloop.c.

Porting patch from
<https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce>
to solve CVE-2016-10010.
Adapted the patch to solve context issues.

Signed-off-by: Li Zhou <li.zhou at windriver.com>
---
 .../openssh/openssh/openssh-CVE-2016-10010.patch   | 38 ++++++++++++++++++++++
 meta/recipes-connectivity/openssh/openssh_7.3p1.bb |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
new file mode 100644
index 0000000..239912f
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
@@ -0,0 +1,38 @@
+From e86492668e4005eb3b20ba827a7e8474f2888e7e Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou at windriver.com>
+Date: Wed, 25 Jan 2017 11:01:10 +0800
+Subject: [PATCH] openssh: disable Unix-domain socket forwarding when privsep
+ is disabled
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou at windriver.com>
+---
+ serverloop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index 3563e5d..233de42 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -999,7 +999,7 @@ server_request_direct_streamlocal(void)
+ 
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+-	    !no_port_forwarding_flag) {
++	    !no_port_forwarding_flag && use_privsep) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal at openssh.com", "direct-streamlocal");
+ 	} else {
+@@ -1280,7 +1280,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+-		    || no_port_forwarding_flag) {
++		    || no_port_forwarding_flag || !use_privsep) {
+ 			success = 0;
+ 			packet_send_debug("Server has disabled port forwarding.");
+ 		} else {
+-- 
+1.9.1
+
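Review bot: the header of the embedded openssh-CVE-2016-10010.patch carries only "Upstream-Status: Backport" and a Signed-off-by; it has no "CVE: CVE-2016-10010" tag and does not name the upstream commit it was ported from, although the cover text of this mail gives that URL. Suggest adding the CVE tag line, putting the upstream commit reference next to Upstream-Status, and adding a sentence of description to the patch body, so the provenance travels with the file in the layer. On the code itself: in server_input_global_request() a request refused because of !use_privsep still reports "Server has disabled port forwarding.", and server_request_direct_streamlocal() simply falls into its existing else branch, so an operator running sshd without privilege separation gets no hint why streamlocal forwarding stopped working. A line in the commit message about this behaviour change would help.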
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 94eb0ed..522bda6 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://fix-CVE-2016-8858.patch \
+           file://openssh-CVE-2016-10010.patch \
            "
 
 PAM_SRC_URI = "file://sshd"
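Review bot: the new SRC_URI entry is named openssh-CVE-2016-10010.patch, while the CVE fix directly above it is fix-CVE-2016-8858.patch. Consider following the existing fix-CVE-... naming so the CVE patches in this recipe are easy to find together.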
-- 
1.9.1



