[OE-core] [PATCH] openssh: Security Advisory - openssh - CVE-2016-10010
Li Zhou
li.zhou at windriver.com
Wed Jan 25 05:19:01 UTC 2017
sshd in OpenSSH before 7.4, when privilege separation is not used,
creates forwarded Unix-domain sockets as root, which might allow
local users to gain privileges via unspecified vectors, related to
serverloop.c.
Porting patch from <https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce> to solve CVE-2016-10010.
Adapted the patch to solve context issues.
Signed-off-by: Li Zhou <li.zhou at windriver.com>
---
.../openssh/openssh/openssh-CVE-2016-10010.patch | 38 ++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
new file mode 100644
index 0000000..239912f
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2016-10010.patch
@@ -0,0 +1,38 @@
+From e86492668e4005eb3b20ba827a7e8474f2888e7e Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou at windriver.com>
+Date: Wed, 25 Jan 2017 11:01:10 +0800
+Subject: [PATCH] openssh: disable Unix-domain socket forwarding when privsep
+ is disabled
+
+Upstream-Status: Backport
+
+Signed-off-by: Li Zhou <li.zhou at windriver.com>
+---
+ serverloop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index 3563e5d..233de42 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -999,7 +999,7 @@ server_request_direct_streamlocal(void)
+
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+- !no_port_forwarding_flag) {
++ !no_port_forwarding_flag && use_privsep) {
+ c = channel_connect_to_path(target,
+ "direct-streamlocal at openssh.com", "direct-streamlocal");
+ } else {
+@@ -1280,7 +1280,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+- || no_port_forwarding_flag) {
++ || no_port_forwarding_flag || !use_privsep) {
+ success = 0;
+ packet_send_debug("Server has disabled port forwarding.");
+ } else {
+--
+1.9.1
+
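Review bot: the embedded patch header stops at `Upstream-Status: Backport` with no pointer to the upstream change and no `CVE:` tag, so neither a reader nor cve-check can tie the file to its origin without the cover letter. Suggest adding, under `Upstream-Status: Backport`, the URL already given in the cover letter (`https://github.com/openbsd/src/commit/c76fac666ea038753294f2ac94d310f8adece9ce`) and a `CVE: CVE-2016-10010` line. The two C hunks reference `use_privsep` without adding a declaration, so please confirm that serverloop.c in the 7.3p1 tree already sees it (an `extern int use_privsep;` or equivalent); a clean build of openssh_7.3p1 with this patch applied is the check. Note for the record that this is a mitigation rather than a fix of the socket creation itself: it refuses `direct-streamlocal` requests and `streamlocal-forward` global requests whenever privilege separation is off, and leaves servers running with privsep enabled unchanged.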
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 94eb0ed..522bda6 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://fix-CVE-2016-8858.patch \
+ file://openssh-CVE-2016-10010.patch \
"
PAM_SRC_URI = "file://sshd"
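Review bot: style only, the new file is named `openssh-CVE-2016-10010.patch` while the neighbouring CVE patch in the same list is `fix-CVE-2016-8858.patch`; either name carries the CVE id that cve-check can pick up from the filename, but one naming pattern per recipe keeps the list easier to audit. The SRC_URI edit itself is fine: the new entry keeps the trailing backslash and the closing quote on the following line is untouched.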
--
1.9.1
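The exposure condition behind this patch is entirely a matter of two sshd settings: privilege separation off, and Unix-domain socket forwarding allowed in at least one direction. The following audit script is an added example, not part of this patch or of OpenSSH; it parses an `sshd_config` (first value wins, as sshd does) and reports which of the two request types gated by the hunks above would be served on an unpatched pre-7.4 build. The `FORWARD_*` bit values mirror servconf.h as I recall them and are an assumption; the sample config is constructed for the demonstration.

```python
"""Audit sshd_config for the CVE-2016-10010 exposure condition.

Added example (not OpenSSH code). Flags configs that would let an
unpatched pre-7.4 sshd create forwarded Unix-domain sockets as root:
UsePrivilegeSeparation off plus AllowStreamLocalForwarding not "no".
"""
import re

# Assumed to mirror servconf.h; only the bit layout matters here.
FORWARD_DENY = 0
FORWARD_REMOTE = 1
FORWARD_LOCAL = 1 << 1
FORWARD_ALLOW = FORWARD_REMOTE | FORWARD_LOCAL

# sshd defaults for the two options we care about (sshd_config(5)).
DEFAULTS = {
    "useprivilegeseparation": "sandbox",
    "allowstreamlocalforwarding": "yes",
}

_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    sshd uses the first value it sees for a keyword, accepts "key value"
    or "key=value", and treats keywords case-insensitively. Match blocks
    apply conditionally and are not modelled, so parsing stops there.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def forwarding_mask(value):
    """Map an AllowStreamLocalForwarding value to FORWARD_* bits."""
    v = value.lower()
    if v in ("yes", "all"):
        return FORWARD_ALLOW
    if v == "local":
        return FORWARD_LOCAL
    if v == "remote":
        return FORWARD_REMOTE
    if v == "no":
        return FORWARD_DENY
    raise ValueError("unknown AllowStreamLocalForwarding value: %r" % value)


def streamlocal_exposure(opts):
    """Return the set of request types an unpatched sshd would serve
    while running without privilege separation.

    Mirrors the two gates in the patch: direct-streamlocal needs
    FORWARD_LOCAL, the streamlocal-forward global request needs
    FORWARD_REMOTE, and both additionally need use_privsep.
    """
    privsep = opts.get("useprivilegeseparation",
                       DEFAULTS["useprivilegeseparation"]).lower()
    if privsep != "no":
        return set()          # use_privsep is true: gates stay closed
    mask = forwarding_mask(opts.get("allowstreamlocalforwarding",
                                    DEFAULTS["allowstreamlocalforwarding"]))
    exposed = set()
    if mask & FORWARD_LOCAL:
        exposed.add("direct-streamlocal")
    if mask & FORWARD_REMOTE:
        exposed.add("streamlocal-forward")
    return exposed


# Constructed sample: privsep explicitly disabled, forwarding left at default.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment for the audit demo
Port 22
UsePrivilegeSeparation no
PermitRootLogin no
"""

if __name__ == "__main__":
    found = streamlocal_exposure(parse_sshd_config(SAMPLE_CONFIG))
    if found:
        print("exposed on unpatched pre-7.4 sshd:", ", ".join(sorted(found)))
        print("mitigation: set UsePrivilegeSeparation sandbox/yes, or "
              "AllowStreamLocalForwarding no, or apply the fix")
    else:
        print("streamlocal forwarding gates closed for this config")
```

The script reports configuration exposure only; it cannot tell whether the installed sshd already carries this backport, so a match means "check the build", not "vulnerable".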