diff options
| author | Vladimír Čunát <v@cunat.cz> | 2024-07-05 08:27:47 +0200 |
|---|---|---|
| committer | Vladimír Čunát <v@cunat.cz> | 2024-07-05 08:27:47 +0200 |
| commit | 72f84695f83e0cd56a270890cd1eb06bfe6f2f5b (patch) | |
| tree | 914931b17da02877a482e45e3310d767bc2c2433 /pkgs/tools | |
| parent | f6ee1e79691a5c7ee284830c2ca3daf9b7e50e06 (diff) | |
| parent | 7144d6241f02d171d25fba3edeaf15e0f2592105 (diff) | |
Merge branch 'release-23.11' into staging-next-23.11 staging-next-23.11
Diffstat (limited to 'pkgs/tools')
3 files changed, 44 insertions, 1 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 436bd799e4ad0..5ae0d1d4aaa2c 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -12,7 +12,11 @@ in hash = "sha256-kQIRwHJVqMWtZUORtA7lmABxDdgRndU2LeCThap6d3w="; }; - extraPatches = [ ./ssh-keysign-8.5.patch ]; + extraPatches = [ + ./ssh-keysign-8.5.patch + ./openssh-9.6_p1-CVE-2024-6387.patch + ./openssh-9.6_p1-chaff-logic.patch + ]; extraMeta.maintainers = with lib.maintainers; [ das_j ]; }; @@ -29,6 +33,8 @@ in extraPatches = let url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/b3f86656fc67aa397f60747c85f7f7b967c3279d/security/openssh-portable/files/extra-patch-hpn"; in [ ./ssh-keysign-8.5.patch + ./openssh-9.6_p1-CVE-2024-6387.patch + ./openssh-9.6_p1-chaff-logic.patch # HPN Patch from FreeBSD ports (fetchpatch { @@ -68,6 +74,8 @@ in extraPatches = [ ./ssh-keysign-8.5.patch + ./openssh-9.6_p1-CVE-2024-6387.patch + ./openssh-9.6_p1-chaff-logic.patch (fetchpatch { name = "openssh-gssapi.patch"; diff --git a/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch b/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch new file mode 100644 index 0000000000000..7b7fb70380d9f --- /dev/null +++ b/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch @@ -0,0 +1,19 @@ +https://bugs.gentoo.org/935271 +Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2. +--- a/log.c ++++ b/log.c +@@ -451,12 +451,14 @@ void + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#ifdef SYSLOG_R_SAFE_IN_SIGHAND + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + diff --git a/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch b/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch new file mode 100644 index 0000000000000..90544d1a457ed --- /dev/null +++ b/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch @@ -0,0 +1,16 @@ +"Minor logic error in ObscureKeystrokeTiming" +https://marc.info/?l=oss-security&m=171982317624594&w=2 +--- a/clientloop.c ++++ b/clientloop.c +@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout, + if (timespeccmp(&now, &chaff_until, >=)) { + /* Stop if there have been no keystrokes for a while */ + stop_reason = "chaff time expired"; +- } else if (timespeccmp(&now, &next_interval, >=)) { +- /* Otherwise if we were due to send, then send chaff */ ++ } else if (timespeccmp(&now, &next_interval, >=) && ++ !ssh_packet_have_data_to_write(ssh)) { ++ /* If due to send but have no data, then send chaff */ + if (send_chaff(ssh)) + nchaff++; + } |