Add patches to cover security issues CVE-2016-10009 and CVE-2016-10010.

Security: 2c948527-d823-11e6-9171-14dae9d210b8 Submitted by: Tim Zingelman <zingelman@gmail.com> MFH: 2017Q1
svn path=/head/; revision=431438
2025-07-18 17:59:20 -04:00 · 2017-01-13 23:23:35 +00:00 · 2017-01-13 23:23:35 +00:00 · 4e5701f44f · 2021-03-31 03:12:20 +00:00
commit 4e5701f44f
parent 358c4690a3
3 changed files with 150 additions and 18 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	openssh
 DISTVERSION=	7.3p1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
--- a/security/openssh-portable/files/patch-ssh-agent.1
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@ -4,9 +4,12 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.

--- ssh-agent.1.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.1	2015-06-02 09:45:37.025390000 -0500
-@@ -43,7 +43,7 @@
+Add a -P option to specify PKCS11_WHITELIST
+
+
+--- ssh-agent.1.orig	2016-07-27 17:54:27.000000000 -0500
+++ ssh-agent.1	2017-01-11 19:05:12.513900000 -0600
+@@ -43,10 +43,11 @@
 .Sh SYNOPSIS
 .Nm ssh-agent
 .Op Fl c | s
@ -15,7 +18,30 @@ disconnected.
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
 .Op Fl t Ar life
-@@ -128,6 +128,8 @@
+.Op Fl P Ar pkcs11_whitelist
+ .Op Ar command Op Ar arg ...
+ .Nm ssh-agent
+ .Op Fl c | s
+@@ -121,6 +122,18 @@
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
+.It Fl P
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
+that may be added using the
+.Fl s
+option to
+.Xr ssh-add 1 .
+The default is to allow loading PKCS#11 libraries from
+.Dq /usr/lib/*,/usr/local/lib/* .
+PKCS#11 libraries that do not match the whitelist will be refused.
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
+ .It Fl s
+ Generate Bourne shell commands on
+ .Dv stdout .
+@@ -135,6 +148,8 @@
 .Xr ssh-add 1
 overrides this value.
 Without this option the default maximum lifetime is forever.
@ -23,4 +49,4 @@ disconnected.
 +Exit after the last client has disconnected.
 .El
 .Pp
- If a commandline is given, this is executed as a subprocess of the agent.
+ If a command line is given, this is executed as a subprocess of the agent.
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@ -8,9 +8,39 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.

--- ssh-agent.c.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.c	2015-06-02 09:46:54.719580000 -0500
-@@ -157,15 +157,34 @@ static long lifetime = 0;
+Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
+
+
+--- ssh-agent.c.orig	2016-07-27 17:54:27.000000000 -0500
+++ ssh-agent.c	2017-01-11 19:02:59.600125000 -0600
+@@ -83,11 +83,16 @@
+ #include "misc.h"
+ #include "digest.h"
+ #include "ssherr.h"
+#include "match.h"
+ 
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+ #endif
+ 
+#ifndef DEFAULT_PKCS11_WHITELIST
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+#endif
+
+ typedef enum {
+ 	AUTH_UNUSED,
+ 	AUTH_SOCKET,
+@@ -135,6 +140,9 @@
+ char socket_name[PATH_MAX];
+ char socket_dir[PATH_MAX];
+ 
+/* PKCS#11 path whitelist */
+static char *pkcs11_whitelist;
+
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -150,15 +158,34 @@
 
 static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
 
@ -45,7 +75,50 @@ disconnected.
 }
 
 static void
-@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd)
+@@ -738,7 +765,7 @@
+ static void
+ process_add_smartcard_key(SocketEntry *e)
+ {
+-	char *provider = NULL, *pin;
+	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
+ 	int r, i, version, count = 0, success = 0, confirm = 0;
+ 	u_int seconds;
+ 	time_t death = 0;
+@@ -770,10 +797,21 @@
+ 			goto send;
+ 		}
+ 	}
+	if (realpath(provider, canonical_provider) == NULL) {
+		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+		    provider, strerror(errno));
+		goto send;
+	}
+	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
+		verbose("refusing PKCS#11 add of \"%.100s\": "
+		    "provider not whitelisted", canonical_provider);
+		goto send;
+	}
+	debug("%s: add %.100s", __func__, canonical_provider);
+ 	if (lifetime && !death)
+ 		death = monotime() + lifetime;
+ 
+-	count = pkcs11_add_provider(provider, pin, &keys);
+	count = pkcs11_add_provider(canonical_provider, pin, &keys);
+ 	for (i = 0; i < count; i++) {
+ 		k = keys[i];
+ 		version = k->type == KEY_RSA1 ? 1 : 2;
+@@ -781,8 +819,8 @@
+ 		if (lookup_identity(k, version) == NULL) {
+ 			id = xcalloc(1, sizeof(Identity));
+ 			id->key = k;
+-			id->provider = xstrdup(provider);
+-			id->comment = xstrdup(provider); /* XXX */
+			id->provider = xstrdup(canonical_provider);
+			id->comment = xstrdup(canonical_provider); /* XXX */
+ 			id->death = death;
+ 			id->confirm = confirm;
+ 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+@@ -945,6 +983,10 @@
 {
 	u_int i, old_alloc, new_alloc;
 
@ -56,33 +129,47 @@ disconnected.
 	set_nonblock(fd);
 
 	if (fd > max_fd)
-@@ -1166,7 +1189,7 @@ static void
+@@ -1172,8 +1214,8 @@
 usage(void)
 {
 	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+-	    "                 [-t life] [command [arg ...]]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- 	    "                 [-t life] [command [arg ...]]\n"
+	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
 	    "       ssh-agent [-c | -s] -k\n");
 	exit(1);
-@@ -1197,6 +1220,7 @@ main(int ac, char **av)
+ }
+@@ -1204,6 +1246,7 @@
 	/* drop */
 	setegid(getgid());
 	setgid(getgid());
 +	setuid(geteuid());
 
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- 	/* Disable ptrace on Linux without sgid bit */
-@@ -1210,7 +1234,7 @@ main(int ac, char **av)
+ 	platform_disable_tracing(0);	/* strict=no */
+ 
+@@ -1214,7 +1257,7 @@
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
 
 -	while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
-+	while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
+	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1249,6 +1273,9 @@ main(int ac, char **av)
+@@ -1229,6 +1272,11 @@
+ 		case 'k':
+ 			k_flag++;
+ 			break;
+		case 'P':
+			if (pkcs11_whitelist != NULL)
+				fatal("-P option already specified");
+			pkcs11_whitelist = xstrdup(optarg);
+			break;
+ 		case 's':
+ 			if (c_flag)
+ 				usage();
+@@ -1253,6 +1301,9 @@
 				usage();
 			}
 			break;
@ -92,3 +179,22 @@ disconnected.
 		default:
 			usage();
 		}
+@@ -1263,6 +1314,9 @@
+ 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+ 		usage();
+ 
+	if (pkcs11_whitelist == NULL)
+		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
+
+ 	if (ac == 0 && !c_flag && !s_flag) {
+ 		shell = getenv("SHELL");
+ 		if (shell != NULL && (len = strlen(shell)) > 2 &&
+@@ -1410,7 +1464,7 @@
+ 	signal(SIGTERM, cleanup_handler);
+ 	nalloc = 0;
+ 
+-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+ 		fatal("%s: pledge: %s", __progname, strerror(errno));
+ 	platform_pledge_agent();
+