From 450c3cc9a477a675bcbb0d3f473b8dd02c2c6819 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Wed, 3 Jul 2024 10:41:01 -0700
Subject: [PATCH] [AUTO-CHERRYPICK] openssh: fix "regresshion" CVE, CVE-2024-6387, with patch from debian. - branch main (#9565)
Co-authored-by: SeanDougherty
---
 SPECS/openssh/CVE-2024-6387.patch | 32 +++++++++++++++++++++++++++++++
 SPECS/openssh/openssh.spec | 8 +++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/openssh/CVE-2024-6387.patch
diff --git a/SPECS/openssh/CVE-2024-6387.patch b/SPECS/openssh/CVE-2024-6387.patch
new file mode 100644
index 00000000000..015a6f616ef
--- /dev/null
+++ b/SPECS/openssh/CVE-2024-6387.patch
@@ -0,0 +1,32 @@
+From 46bbf63bfa678cfb48ba8f2c0012101db5b3c691 Mon Sep 17 00:00:00 2001
+From: Sean Dougherty
+Date: Tue, 2 Jul 2024 18:20:49 +0000
+Subject: [PATCH] Description: fix signal handler race condition for
+ Regresshion CVE. https://nvd.nist.gov/vuln/detail/CVE-2024-6387
+
+---
+ log.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/log.c b/log.c
+index 99bf046..2d231ca 100644
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,13 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ va_list args;
+-
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
+--
+2.39.4
+
diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec
index 2fa6c97bded..139a5e51f4a 100644
--- a/SPECS/openssh/openssh.spec
+++ b/SPECS/openssh/openssh.spec
@@ -3,7 +3,7 @@
 Summary: Free version of the SSH connectivity tools
 Name: openssh
 Version: %{openssh_ver}
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Mariner
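Review bot: The `#if 0` added around the logging in `sshsigdie` (the log.c hunk inside CVE-2024-6387.patch) has no comment saying why the block is compiled out, so a later rebase or cleanup could restore the `sshlogv` call and bring back the signal-handler race the patch description names. I would put a comment directly above it, for example `/* CVE-2024-6387: called from signal context; logging here is not async-signal-safe, so exit without it */`. With the block disabled, this path now reaches `_exit(1)` without writing the fatal log line, so any alerting or ban tooling that matches on the message this function used to emit (its callers are not visible in this hunk) will go silent and needs another signal to key on. The function's parameters also become unused, which may warn if the build enables `-Wunused-parameter`.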
@@ -46,6 +46,8 @@ Patch318: CVE-2023-48795-0008-upstream-Limit-number-of-entries-in-SSH2_MSG
 Patch319: CVE-2023-48795-0009-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
 # Patch for CVE-2023-28531 can be removed if openssh is upgraded to version 9.3p1 or greater
 Patch350: CVE-2023-28531.patch
+# Patch for CVE-2024-6387 can be removed if openssh is upgraded to version 9.8p1 or greater
+Patch351: CVE-2024-6387.patch
 BuildRequires: audit-devel
 BuildRequires: autoconf
 BuildRequires: e2fsprogs-devel
@@ -131,6 +133,7 @@ popd
 %patch318 -p1 -b .cve-2023-48795-0008
 %patch319 -p1 -b .cve-2023-48795-0009
 %patch350 -p1 -b .cve-2023-28531
+%patch351 -p1 -b .cve-2024-6387
 %build
 export CFLAGS="$CFLAGS -fpic"
@@ -287,6 +290,9 @@ fi
 %{_mandir}/man8/ssh-sk-helper.8.gz
 %changelog
+* Tue Jul 2 2024 Sean Dougherty - 8.9p1-6
+- Add patch for CVE-2024-6387 (a.k.a. "regresshion") using Debian's source as guidance.
+
 * Tue Jun 25 2024 Sam Meluch - 8.9p1-5
 - Add patch for CVE-2023-28531