From f7003be68cd4d4264ac669ee5ec82ff146563192 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Apr 13 2023 12:24:35 +0000 Subject: Resolve possible self-DoS with some clients Resolves: rhbz#2186473 --- diff --git a/openssh-8.7p1-CVE-2023-25136.patch b/openssh-8.7p1-CVE-2023-25136.patch new file mode 100644 index 0000000..ca661ee --- /dev/null +++ b/openssh-8.7p1-CVE-2023-25136.patch @@ -0,0 +1,38 @@ +diff --git a/compat.c b/compat.c +index 46dfe3a9c2e..478a9403eea 100644 +--- a/compat.c ++++ b/compat.c +@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { +- char *cp = NULL; ++ char *cp = NULL, *cp2 = NULL; + + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) + return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) +- if ((p = match_filter_denylist(p, ++ if ((cp = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { +- cp = p; +- if ((p = match_filter_denylist(p, ++ if ((cp2 = match_filter_denylist(cp ? cp : p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); + free(cp); ++ cp = cp2; + } +- debug2_f("compat KEX proposal: %s", p); +- if (*p == '\0') ++ if (cp == NULL || *cp == '\0') + fatal("No supported key exchange algorithms found"); +- return p; ++ debug2_f("compat KEX proposal: %s", cp); ++ return cp; + } + diff --git a/openssh.spec b/openssh.spec index 93f2613..a9f129b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 28 +%global openssh_rel 29 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -261,6 +261,10 @@ Patch1005: openssh-8.7p1-host-based-auth.patch Patch1006: openssh-8.7p1-negotiate-supported-algs.patch # Patch1007: openssh-8.7p1-nohostsha1proof.patch +# CVE-2023-25136 +# upstream 12da7823336434a403f25c7cc0c2c6aed0737a35 +# to fix 1005 +Patch1008: openssh-8.7p1-CVE-2023-25136.patch License: BSD Requires: /sbin/nologin @@ -470,6 +474,7 @@ popd %patch100 -p1 -b .coverity %patch1007 -p1 -b .sshrsacheck +%patch1008 -p1 -b .cve-2023-25136 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -756,6 +761,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 +- Resolve possible self-DoS with some clients + Resolves: rhbz#2186473 + * Thu Jan 12 2023 Dmitry Belyavskiy - 8.7p1-28 - Do not try to use SHA1 for host key ownership proof when we don't support it server-side Resolves: rhbz#2088750