git: 7b31ce1eeeb4 - main - security/openssh-portable: Bring in patches for recent CVES

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Tue, 02 Jul 2024 16:11:32 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b31ce1eeeb40098b213a153e10530a196b52322

commit 7b31ce1eeeb40098b213a153e10530a196b52322
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-07-02 16:08:13 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-07-02 16:08:13 +0000

    security/openssh-portable: Bring in patches for recent CVES
    
    Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
    PR:     280068
---
 security/openssh-portable/Makefile             |  2 +-
 security/openssh-portable/files/patch-9.8-cves | 56 ++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 5cf4aa38d3e3..9b1d44580f94 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
 DISTVERSION=	9.7p1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
diff --git a/security/openssh-portable/files/patch-9.8-cves b/security/openssh-portable/files/patch-9.8-cves
new file mode 100644
index 000000000000..2e47d586edcd
--- /dev/null
+++ b/security/openssh-portable/files/patch-9.8-cves
@@ -0,0 +1,56 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
+
+Damien Miller djm at mindrot.org
+Mon Jul 1 18:21:11 AEST 2024
+Previous message (by thread): Announce: OpenSSH 9.8 released
+Next message (by thread): Announce: OpenSSH 9.8 released
+Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
+Hi,
+
+Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
+prevent exploitation of this bug is to disable the login grace timer
+by setting LoginGraceTime=0 in sshd_config. This will however make
+it much easier for an attacker to deny service to sshd.
+
+Similarly, the much more minor keystroke timing bug can be avoided
+by disabling the feature using ObscureKeystrokeTiming=0.
+
+Some users will understandably prefer to patch their OpenSSH rather
+than upgrade to the newest version, so here are minimal patches for
+both problems.
+
+1) Critical race condition in sshd
+
+2) Minor logic error in ObscureKeystrokeTiming
+
+--- log.c.orig	2024-07-02 09:05:35.023051000 -0700
++++ log.c	2024-07-02 09:05:54.881067000 -0700
+@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 
+--- clientloop.c.orig	2024-07-02 09:06:09.736347000 -0700
++++ clientloop.c	2024-07-02 09:06:41.414979000 -0700
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
++		} else if (timespeccmp(&now, &next_interval, >=) &&
++		    !ssh_packet_have_data_to_write(ssh)) {
++			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}