This bump is not marked as security bump. The 8.1 release fixes a XMSS
key parsing code vulnerability. This code can not be enabled without
explicit definition of the WITH_XMSS macro.
Update LICENCE hash; converted to UTF-8.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2019-6109: Due to missing character encoding in the progress
display, a malicious server (or Man-in-The-Middle attacker) can employ
crafted object names to manipulate the client output, e.g., by using
ANSI control codes to hide additional files being transferred. This
affects refresh_progress_meter() in progressmeter.c.
CVE-2019-6111: Due to the scp implementation being derived from 1983
rcp, the server chooses which files/directories are sent to the client.
However, the scp client only performs cursory validation of the object
name returned (only directory traversal attacks are prevented). A
malicious scp server (or Man-in-The-Middle attacker) can overwrite
arbitrary files in the scp client target directory. If recursive
operation (-r) is performed, the server can manipulate subdirectories as
well (for example, to overwrite the .ssh/authorized_keys file).
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Whether using the new sysusers.d snippet, or adding an entry to
/etc/password, set the service's home directory to /var/empty.
See README.privsep included as part of the openssh distribution.
Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The openssh privilege separation feature, enabled by default,
requires that the path /var/empty exists and has certain permissions
(not writable by the sshd user). Note that nothing ever gets writting
in this directory, so it works fine on a readonly rootfs.
See README.privsep included as part of the openssh distribution.
Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes CVE-2018-20685: The scp client allows server to modify permissions
of the target directory by using empty ("D0777 0 \n") or dot ("D0777 0
.\n") directory name.
The bug reporter lists a number of related vulnerabilities that are not
fixed yet:
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We use the configuration option $(BR2_SYSTEM_DEFAULT_PATH) to set the
default PATH in OpenSSH sessions.
$(BR2_SYSTEM_DEFAULT_PATH) is a Kconfig string. So it is already
quoted, which is exactly what we want.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch #1. uClibc no longer includes pthreads.h indirectly.
Drop patch #2. The sys/param.h header is included indirectly through the
local includes.h header since version 6.8p1.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-15473: user enumeration vulnerability due to not delaying
bailout for an invalid authenticating user until after the packet
containing the request has been fully parsed.
Some OpenSSH developers don't consider this a security issue:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-August/037138.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop upstream patches, renumber the rest.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This script is useful to copy SSH keys between client and server [1] and
installed on most distributions (for example on debian: [2]).
[1] https://www.ssh.com/ssh/copy-id
[2] https://packages.debian.org/fr/jessie/armhf/openssh-client/filelist
Signed-off-by: Julien BOIBESSOT <julien.boibessot@armadeus.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: use full destination path.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.
The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-15906 - The process_open function in sftp-server.c in OpenSSH
before 7.6 does not properly prevent write operations in readonly mode,
which allows attackers to create zero-length files.
For more details, see the release notes:
https://www.openssh.com/txt/release-7.6
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches downloaded from Github are not stable, so bring them in the
tree.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch backports two patches that have been sent upstream as a pull
request in order to fix sshd for MIPS64 n32.
The first patch adds support for detecting the MIPS ABI during the
configure phase.
The second patch sets the right value to seccomp_audit_arch taking into
account the MIPS64 ABI.
Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or
AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built
for MIPS64. However, that's only valid for n64 ABI. The right macros for
n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and
AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.
Because of that an sshd built for MIPS64 n32 rejects connection attempts
and the output of strace reveals that the problem is related to seccomp
audit:
[pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,
filter=0x555d5da0}) = 0
[pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
[pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP},
{fd=6, revents=POLLHUP}])
[pid 194] +++ killed by SIGSYS +++
Pull request: https://github.com/openssh/openssh-portable/pull/71
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Enable support for OpenSSH to use a hardware SSL engine if
cryptodev-linux is included. Without this, OpenSSH uses only
OpenSSL software crypto implementation.
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
CC: Baruch Siach <baruch@tkos.co.il>
CC: Arnout Vandecappelle <arnout@mind.be>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-2c is BSD-2-Clause.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-3c is BSD-3-Clause.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-3c/BSD-3-Clause/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
From the release notes (https://www.openssh.com/txt/release-7.5):
Security
--------
* ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
Note that the OpenSSH client disables CBC ciphers by default, sshd
offers them as lowest-preference options and will remove them by
default entriely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
a recursive file transfer could be maniuplated by a hostile server to
perform a path-traversal attack. creating or modifying files outside
of the intended target directory. Reported by Jann Horn of Google
Project Zero.
[Peter: mention security fixes]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since there's not much point in generating missing host keys when the
init script is called with "stop", the call to ssh-keygen should not
be done inconditionally, but in the start function instead.
Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Make license type lists more uniform:
* put content license applies to in parenthesis; ex: "GPLv2+ (programs)"
* use commas to separate types listed without conjuction; ex: "GPLv2, LGPLv2"
No attempt was made to validate the claimed licenses. This is just a tweak
to increase uniformity of the _LICENSE variables.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: replace semi-colons by commas in LIBURCU_LICENSE.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2016-10009 - ssh-agent(1): Will now refuse to load PKCS#11 modules
from paths outside a trusted whitelist
CVE-2016-10010 - sshd(8): When privilege separation is disabled,
forwarded Unix-domain sockets would be created by sshd(8) with the
privileges of 'root'
CVE-2016-10011 - sshd(8): Avoid theoretical leak of host private key
material to privilege-separated child processes via realloc()
CVE-2016-10012 - sshd(8): The shared memory manager used by
pre-authentication compression support had a bounds checks that could be
elided by some optimising compilers
http://seclists.org/oss-sec/2016/q4/708
Drop upstream patch.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2016-8858: Memory exhaustion, up to 128MB, of unauthenticated peer.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
uClibc-ng does not support PIE for some architectures as
arc and m68k. It isn't implemented in the static linking case, too.
With musl toolchains you might have static PIE support with little
patching of gcc. Static linking for GNU libc isn't enabled in
buildroot. Fixup any package using special treatment of PIE.
(grep -ir pie package/*/*.mk)
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Thomas: use positive logic.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2016-0777 - Client Information leak from use of roaming connection
feature.
CVE-2016-0778 - A buffer overflow flaw was found in the way the OpenSSH
client roaming feature was implemented. A malicious server could
potentially use this flaw to execute arbitrary code on a successfully
authenticated OpenSSH client if that client used certain non-default
configuration options.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: James Knight <james.knight@rockwellcollins.com>
Tested-by: James Knight <james.knight@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2015-6563 - Fixed a privilege separation weakness related to PAM
support.
CVE-2015-6564 - Fixed a use-after-free bug related to PAM support that
was reachable by attackers who could compromise the pre-authentication
process for remote code exectuion.
CVE-2015-6565 - incorrectly set TTYs to be world-writable.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Thomas: in the sed expression, use % as a delimiter instead of /,
since the line contains several / that all had to be escaped.]
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Autogenerated from rename-patch.py (http://patchwork.ozlabs.org/patch/403345)
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix indent for LIBFOO_USERS and LIBFOO_PERMISSIONS as per the manual example.
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The sshd privilege drop user doesn't belong in the skeleton, it's
exclusively used by OpenSSH.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
pkg-autotools.mk fix --sysconfdir to "/etc". This patch restore
--sysconfdir to its default value (/etc/ssh)
Signed-off-by: Jérôme Pouiller <jezz@sysmic.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The configure script finds the "howmany" macro, but some of the sources
using it do not include the required <sys/param.h> header.
Signed-off-by: Maarten ter Huurne <maarten@treewalker.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since openssh-6.0, the ssh-keygen app has supported a -A option,
which creates any missing keys. This frees us of having to add
new ssh-keygen invocations as new key types are introduced. This
also frees us of having to know the default key names and locations.
So this patch replaces all the the init.d script invocations with
a single "ssh-keygen -A" call.
Note: the systemd service script *already* uses this option.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes build failure reported here:
http://autobuild.buildroot.net/results/262/26218e028f3d2c77c5192b45154627f08384b688/
uClibc toolchain for ARC doesn't support PIE
Attempt to build anything with "-pie" option lead to linker failure:
arc-buildroot-linux-uclibc-gcc -pie test.c
ld: ../4.8-r3/bin/../arc-buildroot-linux-uclibc/sysroot/usr/lib/crt1.o: warning: unresolvable relocation against symbol `__uClibc_main' from .text section
ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__deregister_frame_info@@GCC_3.0' from .text section
ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__deregister_frame_info@@GCC_3.0' from .text section
ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__register_frame_info@@GCC_3.0' from .text section
ld: ../4.8-r3/bin/../lib/gcc/arc-buildroot-linux-uclibc/4.8.0/crtbegin.o: warning: unresolvable relocation against symbol `__register_frame_info@@GCC_3.0' from .text section
In its turn this behavior confuses configure script of openssh so some options
get set improperly. In particular "strnvis" gets determined as existing which
causes failure during compilation:
log.c:67:25: error: 'VIS_SAFE' undeclared (first use in this function)
#define LOG_STDERR_VIS (VIS_SAFE|VIS_OCTAL)
With disabled PIE ("--without-pie") openssh gets built without issues.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Anton Kolesov <akolesov@synopsys.com>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Baruch Siach