packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-38408

Browse Source 
(cherry picked from commit bb9ae5684f2460817da393a4114f26a84a09eebe)
This commit is contained in:
renmingshuai 2023-07-27 20:07:53 +08:00 committed by openeuler-sync-bot
parent 4ea61ace2a
commit d06655221d
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-fix-CVE-2023-38408-upstream-terminate-process.patch Normal file
View File

@ -0,0 +1,43 @@
From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 19 Jul 2023 13:55:53 +0000
Subject: [PATCH] upstream: terminate process if requested to load a
PKCS#11
provider
that isn't a PKCS#11 provider; from / ok markus@
OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=892506b1365
Conflict:pkcs11_initialize_provider
---
ssh-pkcs11.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 995841f..b96021f 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.54 2021/08/11 05:20:17 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.57 2023/07/19 13:55:53 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
* Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -1743,10 +1743,8 @@ pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **prov
error("dlopen %s failed: %s", provider_module, dlerror());
goto fail;
}
- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
- goto fail;
- }
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
p->module->handle = handle;
/* setup the pkcs11 callbacks */
--
2.23.0

10
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 20 %global openssh_release 21
Name: openssh Name: openssh
Version: 8.8p1 Version: 8.8p1
@ -110,6 +110,7 @@ Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
Patch79: set-ssh-config.patch Patch79: set-ssh-config.patch
Patch80: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch Patch80: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
Patch81: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -269,6 +270,7 @@ popd
%patch78 -p1 %patch78 -p1
%patch79 -p1 %patch79 -p1
%patch80 -p1 %patch80 -p1
%patch81 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -465,6 +467,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Thu Jul 27 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-21
- Type:CVE
- CVE:CVE-2023-38408
- SUG:NA
- DESC:fix CVE-2023-38408
* Tue Jun 13 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-20 * Tue Jun 13 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-20
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA