diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2014-05-13 15:46:27 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-13 19:26:34 +0100 |
commit | 7b2fff61b3d1c0566429793ee348fa8978ef0cba (patch) | |
tree | 248c4e2993e9d36a51c4b6b476011d7eec034659 | |
parent | a8d3b8979c27a8dc87971b66a1d9d9282f660596 (diff) | |
download | openembedded-core-7b2fff61b3d1c0566429793ee348fa8978ef0cba.tar.gz openembedded-core-7b2fff61b3d1c0566429793ee348fa8978ef0cba.tar.bz2 openembedded-core-7b2fff61b3d1c0566429793ee348fa8978ef0cba.zip |
openssh: fix for CVE-2014-2653
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and
earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking
by presenting an unacceptable HostCertificate.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch | 114 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_6.5p1.bb | 3 |
2 files changed, 116 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch new file mode 100644 index 0000000000..674d186044 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2653.patch @@ -0,0 +1,114 @@ +Upstream-Status: Backport + +This CVE could be removed if openssh is upgrade to 6.6 or higher. +Below are some details. + +Attempt SSHFP lookup even if server presents a certificate + +Reference: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 + +If an ssh server presents a certificate to the client, then the client +does not check the DNS for SSHFP records. This means that a malicious +server can essentially disable DNS-host-key-checking, which means the +client will fall back to asking the user (who will just say "yes" to +the fingerprint, sadly). + +This patch means that the ssh client will, if necessary, extract the +server key from the proffered certificate, and attempt to verify it +against the DNS. The patch was written by Mark Wooding +<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed +it, and tested it. + +Signed-off-by: Matthew Vernon <matthew@debian.org> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -1210,36 +1210,63 @@ fail: + return -1; + } + ++static int ++check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key) ++{ ++ int rc = -1; ++ int flags = 0; ++ Key *raw_key = NULL; ++ ++ if (!options.verify_host_key_dns) ++ goto done; ++ ++ /* XXX certs are not yet supported for DNS; try looking the raw key ++ * up in the DNS anyway. ++ */ ++ if (key_is_cert(host_key)) { ++ debug2("Extracting key from cert for SSHFP lookup"); ++ raw_key = key_from_private(host_key); ++ if (key_drop_cert(raw_key)) ++ fatal("Couldn't drop certificate"); ++ host_key = raw_key; ++ } ++ ++ if (verify_host_key_dns(host, hostaddr, host_key, &flags)) ++ goto done; ++ ++ if (flags & DNS_VERIFY_FOUND) { ++ ++ if (options.verify_host_key_dns == 1 && ++ flags & DNS_VERIFY_MATCH && ++ flags & DNS_VERIFY_SECURE) { ++ rc = 0; ++ } else if (flags & DNS_VERIFY_MATCH) { ++ matching_host_key_dns = 1; ++ } else { ++ warn_changed_key(host_key); ++ error("Update the SSHFP RR in DNS with the new " ++ "host key to get rid of this message."); ++ } ++ } ++ ++done: ++ if (raw_key) ++ key_free(raw_key); ++ return rc; ++} ++ + /* returns 0 if key verifies or -1 if key does NOT verify */ + int + verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) + { +- int flags = 0; + char *fp; + + fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); + debug("Server host key: %s %s", key_type(host_key), fp); + free(fp); + +- /* XXX certs are not yet supported for DNS */ +- if (!key_is_cert(host_key) && options.verify_host_key_dns && +- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { +- if (flags & DNS_VERIFY_FOUND) { +- +- if (options.verify_host_key_dns == 1 && +- flags & DNS_VERIFY_MATCH && +- flags & DNS_VERIFY_SECURE) +- return 0; +- +- if (flags & DNS_VERIFY_MATCH) { +- matching_host_key_dns = 1; +- } else { +- warn_changed_key(host_key); +- error("Update the SSHFP RR in DNS with the new " +- "host key to get rid of this message."); +- } +- } +- } ++ if (check_host_key_sshfp(host, hostaddr, host_key) == 0) ++ return 0; + + return check_host_key(host, hostaddr, options.port, host_key, RDRW, + options.user_hostfiles, options.num_user_hostfiles, +-- +1.7.9.5 + diff --git a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb index 230f38ab31..795e085202 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb @@ -30,7 +30,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://volatiles.99_sshd \ file://add-test-support-for-busybox.patch \ file://run-ptest \ - file://openssh-CVE-2014-2532.patch" + file://openssh-CVE-2014-2532.patch \ + file://openssh-CVE-2014-2653.patch" PAM_SRC_URI = "file://sshd" |