git: 7b31ce1eeeb4 - main - security/openssh-portable: Bring in patches for recent CVES
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 02 Jul 2024 16:11:32 UTC
The branch main has been updated by bdrewery:
URL: https://cgit.FreeBSD.org/ports/commit/?id=7b31ce1eeeb40098b213a153e10530a196b52322
commit 7b31ce1eeeb40098b213a153e10530a196b52322
Author: Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-07-02 16:08:13 +0000
Commit: Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-07-02 16:08:13 +0000
security/openssh-portable: Bring in patches for recent CVES
Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
PR: 280068
---
security/openssh-portable/Makefile | 2 +-
security/openssh-portable/files/patch-9.8-cves | 56 ++++++++++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 5cf4aa38d3e3..9b1d44580f94 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openssh
DISTVERSION= 9.7p1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
diff --git a/security/openssh-portable/files/patch-9.8-cves b/security/openssh-portable/files/patch-9.8-cves
new file mode 100644
index 000000000000..2e47d586edcd
--- /dev/null
+++ b/security/openssh-portable/files/patch-9.8-cves
@@ -0,0 +1,56 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
+
+Damien Miller djm at mindrot.org
+Mon Jul 1 18:21:11 AEST 2024
+Previous message (by thread): Announce: OpenSSH 9.8 released
+Next message (by thread): Announce: OpenSSH 9.8 released
+Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
+Hi,
+
+Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
+prevent exploitation of this bug is to disable the login grace timer
+by setting LoginGraceTime=0 in sshd_config. This will however make
+it much easier for an attacker to deny service to sshd.
+
+Similarly, the much more minor keystroke timing bug can be avoided
+by disabling the feature using ObscureKeystrokeTiming=0.
+
+Some users will understandably prefer to patch their OpenSSH rather
+than upgrade to the newest version, so here are minimal patches for
+both problems.
+
+1) Critical race condition in sshd
+
+2) Minor logic error in ObscureKeystrokeTiming
+
+--- log.c.orig 2024-07-02 09:05:35.023051000 -0700
++++ log.c 2024-07-02 09:05:54.881067000 -0700
+@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
+--- clientloop.c.orig 2024-07-02 09:06:09.736347000 -0700
++++ clientloop.c 2024-07-02 09:06:41.414979000 -0700
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim
+ if (timespeccmp(&now, &chaff_until, >=)) {
+ /* Stop if there have been no keystrokes for a while */
+ stop_reason = "chaff time expired";
+- } else if (timespeccmp(&now, &next_interval, >=)) {
+- /* Otherwise if we were due to send, then send chaff */
++ } else if (timespeccmp(&now, &next_interval, >=) &&
++ !ssh_packet_have_data_to_write(ssh)) {
++ /* If due to send but have no data, then send chaff */
+ if (send_chaff(ssh))
+ nchaff++;
+ }